By Noah Dermer, Security Officer at InstaMed
At InstaMed, we’re proud to be healthcare’s most trusted payments network. Our entire team works hard every day to live up to that reputation, and in 2016, we accomplished a lot of milestones to prove it.
Here’s a short list of the security and compliance achievements we’re proudest of.
We Became the First and Only in Healthcare to be PCI-Validated for P2PE v2.0
In October, we were excited to announce that we are the first in healthcare to be validated by the Payment Card Industry (PCI) Security Standards Council (SSC) for point-to-point encryption (P2PE) v2.0. To achieve this validation, we had to fulfill the detailed security requirements and testing procedures outlined by the PCI Council to ensure our payment solutions meet the necessary standards to protect payment data. Coalfire Systems Inc., a qualified security assessor (QSA), audited InstaMed’s bi-coastal data centers and spoke with InstaMed employees to ensure our systems and processes meet PCI requirements. The PCI Council reviewed and approved the results of the audit and added InstaMed Healthcare Payments P2PE to its list of validated P2PE solutions.
Earning PCI validation was an exciting achievement because of all the work and effort our team put into it. However, the reason InstaMed sought out the validation has little to do with getting our name on the PCI website and everything to do with delivering the most secure payments solution to the healthcare industry. A P2PE solution encrypts card data at the point of interaction, so cleartext card numbers never enter the healthcare organization’s own systems; that can protect healthcare organizations from major security breaches, saving them millions of dollars and protecting the private information of even more patients. With this in mind, we wanted to get the word out about the value of P2PE. I co-hosted a webinar with Tim Winston from Coalfire, where we explained the importance of P2PE for healthcare payments and addressed questions and concerns in a live Q&A session. We also leveraged our internal resources and interviewed InstaMed security experts about what healthcare CIOs need to know when it comes to P2PE and healthcare payment security. Finally, we re-released our white paper, Security and Encryption in Healthcare Payments, which you can download for free here.
We Launched the InstaMed Security Corner
I can talk about payment security and compliance with anybody. However, I know it’s not necessarily the most digestible topic. Navigating the complex terms and confusing acronyms can feel like learning another language. That’s why, when I came to InstaMed from Epic at the end of 2015, I wanted to find a way to make the topic of payment security and compliance more accessible to everyone. So, we created the Security Corner, a monthly blog feature highlighting terms, best practices and lessons learned from the world of payment security. In January 2016, we launched our first featured post, “Compliance vs. Security and What Do All Those Acronyms Mean?”.
Here’s a list of our top three most popular Security Corners:
- How to Heal a Broken Heart(bleed Bug) How do you recover from a widespread security vulnerability like the infamous Heartbleed Bug of 2014? You write a heartfelt break-up letter to the culprit to let them know you’re better off without them. Then you follow best practices like applying patches immediately and keeping an accurate inventory of the systems and software that exist in your environment, so you know what is exposed when the next widespread vulnerability is disclosed.
- Has Your Data Gone Phishin’? Who doesn’t love a punny joke? In our June Security Corner, I put my comedy skills to the test and wrote a few jokes about phishing and healthcare. For example:
What are hackers doing when they target healthcare organizations? Phishing docs.
If you can get through three other jokes at the beginning of this blog, you’ll find great tips for combating phishing and spear phishing at your organization, including how to train your staff to recognize phony emails and calls from hackers.
- “My, What a Friendly Hacker You Are!” — Tales and Tricks of Social Engineering Twenty Years Ago and Today. To explain how social engineering can occur in a healthcare environment, we took a look back at the crimes of Kevin Mitnick, one of the most infamous social engineers in the history of computing.
Bonus! Check out December’s Security Corner, Here Are Your 2017 Security Resolutions.
We Became HITRUST Certified
Right around the time of our PCI P2PE v2.0 validation, we also earned certification from the Health Information Trust Alliance (HITRUST) against its Common Security Framework (CSF). With HITRUST Certified Status, InstaMed is recognized as meeting key healthcare regulations and requirements for protecting and securing sensitive private healthcare information.
HITRUST incorporates a risk-based approach to help organizations address state and federal regulatory challenges through a comprehensive and flexible framework of prescriptive and scalable security controls. InstaMed joins an elite group of organizations worldwide that have earned HITRUST certification. In earning this certification, InstaMed is the only payment solution for healthcare that is a PCI DSS Level 1 Service Provider, PCI-validated for P2PE v2.0, and both EMV and HITRUST certified.
Year in Review
2016 was a busy year for security and compliance at InstaMed. I’m looking forward to keeping the momentum going in 2017. We are always going to push ahead to continue to be at the forefront of payment security to sustain our reputation as healthcare’s most trusted payments network.