With Jeff Lin, Senior Vice President of Product Management; Chris Seib, CTO; Mark Krapels, COO; and Noah Dermer, Security Officer
Security is always top of mind at InstaMed. Since day one, we’ve been committed to delivering the most secure and compliant healthcare payments experience in the industry, and we continue to uphold our reputation as healthcare’s most trusted payments network.
As head of the product team, I work closely with our security team as we develop new products and enhancements for InstaMed solutions. Keeping in mind the rapid changes and growing trends in cybersecurity and cyberattacks, and as the product team prepares for our second major release of 2016, I took time to sit down InstaMed’s CTO Chris Seib, COO Mark Krapels and Security Officer Noah Dermer to talk about the latest security trends and solutions impacting the healthcare industry.
Jeff Lin: What are the trends you’re seeing in cybersecurity today?
Noah Dermer: We’re seeing an increase in the number of security breaches occurring across industries. Research from Symantec shows that between 2014 and 2015, there was a 125% increase in the number of breaches where 10 million or more people were affected. We’re also seeing a shift in the type of breach that is occurring. Criminal attacks, such as ransomware and malware are becoming the primary cause of a data breach, compared to theft, employee negligence, and other causes. These kinds of attacks are intentional and targeted.
Chris Seib: We’re also seeing healthcare being targeted more frequently. There are a few reasons for this trend. Healthcare information is valuable on the black market, with health credentials selling for 10-20x more than credit card numbers. Cybercriminals also get more bang for their buck by targeting healthcare organizations, as they can have access to personal, payment and medical information when hacking their systems. Plus, healthcare is a little more vulnerable to cybercrime than other industries. In general, healthcare is slower to adopt new security technology and much of the industry is still in the process of transitioning to electronic tools and connected systems.
Mark Krapels: We are seeing some positive trends, too. As large-scale healthcare data breaches continue to make headline news, awareness increases across the industry. Healthcare organizations are beginning to understand cybercrime as a serious threat and are open to working towards improving their network security. According to the Trends in Healthcare Payments Sixth Annual Report: 2015, 81% of healthcare providers indicated that payment security was of high importance. However, the industry as a whole is still not doing enough.
JL: What is being done to increase awareness and improve security in the industry?
MK: Healthcare organizations have certain standards and mandates that they must comply with in order to securely process and store PHI and payment information. For example, EHNAC (Electronic Healthcare Network Accreditation Commission) is an organization that develops standard criteria for electronically exchanging healthcare data. EHNAC offers healthcare accreditation programs, including FSAP (Financial Services Accreditation Program) and HNAP (Healthcare Network Accreditation Program). Organizations and vendor solutions that comply with both of these programs and are accredited by EHNAC are handling financial and healthcare information in a compliant way. Then there’s PCI DSS (Payment Card Industry Data Security Standards), which applies to anyone who processes and stores payment information. PCI recently released version 3.2, which evolved the requirements to comply with PCI standards, but also increased the rigor of the audit itself. So we’re seeing these mandates evolve as technology and cybersecurity evolve.
ND: The important thing to keep in mind about standards and mandates is that they ensure an organization is compliant, but that doesn’t necessarily mean it is secure. As Mark said, these mandates are evolving, but technology and cybercrime tends to evolve faster. So an organization can meet all the requirements to be considered compliant with these standards, but they may not be processing and storing payments in the most secure way possible. What healthcare organizations can do is work with a payment solution that meets all compliance requirements but is also on the cutting edge of payment security.
JL: What specifically should an organization look for in a payment solution?
ND: Healthcare organizations should leverage a payment solution that offers PCI P2PE (point-to-point encryption). This is a PCI standard for protecting payment data. P2PE encrypts payment data at the point of entry and makes it unreadable until it reaches a secure endpoint, protecting it from unauthorized parties. In the case that there is a network breach, P2PE keeps payment information protected and makes it practically worthless if it were to be stolen.
MK: Leveraging a P2PE solution has added benefits for healthcare organizations, as it can significantly reduce PCI scope. Scope reduction saves an organization time and resources, and also offers the peace of mind that their networks are secure. For guaranteed scope reduction, healthcare organizations should use a PCI-Validated P2PE solution.
CS: Comprehensive payment security goes beyond P2PE, though. Healthcare organizations should ensure their payment solution can protect all payment channels, including online payments. This enables healthcare providers to deliver a true omnichannel payment experience to patients and therefore collect more payments, in a secure and compliant way. When considering a PCI-Validated P2PE solution, select the vendor that can deliver the highest level of security and compliance for all payment channels.
JL: How can healthcare organizations know if a solution is PCI-Validated?
CS: You can check the PCI website to search for payment solutions that are PCI-Validated P2PE Solution Providers. Only solutions on this list are validated, so this is a great place to start when considering a payment vendor. InstaMed is a PCI-Validated P2PE Solution Provider, and was the first healthcare payment solution to be validated for PCI P2PE v2.0.
JL: What else can healthcare organizations do to protect themselves?
ND: Healthcare organizations are complex, especially now as we’re seeing more mergers and acquisitions of health systems. When organizations expand or merge, they are often bringing together multiple systems and third-party vendors and trying to get them to all work together. Not only is this a complicated process, but involving multiple systems and third-party vendors can greatly increase an organization’s risk of a data breach. When data flows between multiple disparate systems, it is much more difficult for an organization to protect itself, as accountability for the data varies depending on which part of the process or which system it is currently living on.
CS: Not to mention, PCI scope increases when multiple systems are in use. To reduce PCI scope, as well as the risk of a breach, healthcare organizations can use a single, integrated vendor to incorporate payments within their existing systems. A full stack, integrated payment solution with combined gateway and merchant services delivers an enhanced level of security for a few reasons: First, it can greatly reduce the amount of data transmissions that occur. Second, it means one vendor with full accountability for all payments and the reliability of only having one point of contact whenever questions or issues arise. Finally, the consolidated, integrated solution makes it easier to roll out new technologies in the future, like EMV and NFC, in a secure way.
JL: We care a lot about the payments experience at InstaMed and everything we build has all users – providers, payers and consumers – in mind. Convenience and simplicity are key. Does security get in the way of that?
CS: No. You can deliver enterprise-level security without disrupting the user experience. At InstaMed, we really have the entire security piece covered, so it’s not something that needs to get in the way of an organization’s workflow. Security checks like user authentications are worked into the user experience. On the consumer side, we’re seeing that a lot of consumers are recognizing the threat of cyberattacks, and many have been victims of cybercrime themselves. Research from the Ponemon Institute finds that 48% of consumers would consider changing healthcare providers if their medical records were lost or stolen. Consumers are coming to expect security as part of their experience, and with InstaMed, healthcare organizations can deliver that.
JL: Where can people go to learn more about payment security?
MK: We have a white paper, Security and Encryption in Healthcare Payments, which we just re-released with Coalfire Systems, Inc. It’s a helpful resource that talks more about PCI requirements as well as explaining P2PE.
ND: I’d also recommend the PCI website for any questions about payment card security.
CS: InstaMed will also be holding a webinar in conjunction with Coalfire that talks more about the topics we’ve covered here today.