Welcome to the Security Corner
Welcome to the first installment of InstaMed’s Security Corner, a monthly blog feature discussing important topics in compliance and security with me, Noah Dermer. I came to InstaMed in 2015 to join the Security and Compliance team. Previously, I was the Chief Security Officer at Epic Systems, where one of my responsibilities was building security into Epic’s enterprise applications. As Security Officer at InstaMed, my goal is to support our security and compliance mission as well as to inform and educate the industry and our users about compliance and security in healthcare payments.
In 2016, we at InstaMed want to continue our mission of being the most trusted healthcare payments network. With the Security Corner, our goal is to help our users understand their payment security responsibilities, overcome their hesitations and continue to securely and compliantly process payments on the InstaMed Network. If I can make this topic a little more accessible and less challenging along the way, that’s good, too. So let’s get started.
Compliance vs. Security and “What Do All Those Acronyms Mean?”
To understand the importance of compliance and security in healthcare payments, first let’s clarify the difference between the terms compliance and security. Both are important to healthcare payments, but these two terms are not interchangeable.
Compliance refers to requirements imposed from outside the organization (laws and regulations, plus industry standards that are enforced by contract) that anyone in the healthcare payments process must meet; some of those requirements apply to payments regardless of industry, and some apply to healthcare data regardless of whether a payment is involved. Security refers to the measures (technologies, controls and operating practices) an organization takes to protect its data and systems, whether or not any requirement says it must.
In other words, compliance refers to the things we must do and security refers to the things we should do.
For example, the Payment Card Industry Data Security Standard (PCI DSS) is a compliance requirement: it is an industry standard rather than a law, but the card brands and acquiring banks enforce it contractually on anyone who stores, processes or transmits cardholder data. Purchasing an encrypting card reader for point-of-sale (POS) payments is a security measure; it also happens to help with PCI DSS compliance by shrinking the systems that are in scope, which is how the two ideas usually meet in practice.
When it comes to compliance and security, the important thing to remember is that one does not guarantee the other. A compliance assessment is a point-in-time review against a fixed checklist, so an organization can pass it and still be breached the following week; conversely, an organization can run the latest security technology and still fail a requirement it never documented, tested or applied to every in-scope system. The best way to protect your organization is to be both compliant and secure.
Now that we understand the difference between compliance and security, let’s take a closer look at the regulations and measures that are most relevant to healthcare payments.
Payment Application Data Security Standard (PA-DSS)
The Payment Application Data Security Standard (PA-DSS) is the global security standard created by the Payment Card Industry Security Standards Council (PCI SSC) for payment software. It applies to software vendors and others who develop payment applications that store, process or transmit cardholder data and/or sensitive authentication data and that are sold, distributed or licensed to third parties (an application built in-house for a single merchant is instead covered by that merchant’s own PCI DSS assessment). PA-DSS holds vendors accountable for the payment applications they develop and sell: a validated application must not retain sensitive authentication data after authorization, and the vendor must ship an implementation guide that tells customers how to deploy and operate the application in a PCI DSS-compliant way. Using a validated application does not make the merchant compliant by itself; the merchant still has to follow that guide and meet the rest of PCI DSS in its own environment.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS applies to all entities involved in payment card processing, including merchants, processors, financial institutions and service providers, and to any other entity that stores, processes or transmits cardholder data or sensitive authentication data. PCI DSS version 3.0 went into effect in January 2014 and contained 20 evolving requirements beyond the previous version, including a requirement for a documented penetration testing methodology (Requirement 11.3) and new requirements around service provider relationships (Requirements 12.8 and 12.9, which make each party spell out which PCI DSS responsibilities it owns). Version 3.1, which retired SSL and early TLS as acceptable protections, replaced 3.0 in April 2015. Healthcare providers can shrink their PCI DSS burden considerably by selecting a payments platform that has achieved and maintains validation against the highest applicable standards for both protected health information (PHI) and cardholder data, but the provider remains responsible for its own obligations: it still completes the appropriate self-assessment questionnaire (or on-site assessment) for whatever card data and systems remain in its environment.
Point-to-Point Encryption (P2PE)
P2PE encrypts a consumer’s payment card data inside the card reader at the moment the card is swiped, dipped or keyed, before that data ever reaches the POS workstation or the merchant network, and keeps it unreadable until it is decrypted in the solution provider’s (typically the payment processor’s) secure decryption environment. The point of entry is where breach risk is highest because memory-scraping malware on a POS workstation can only steal what the workstation can read; with P2PE the workstation only ever handles ciphertext. For that reason P2PE significantly reduces PCI DSS scope on the merchant networks and systems that healthcare organizations use to collect payments, as well as the likelihood of a payment card data breach. One caveat: the PCI SSC only recognizes that scope reduction (and the much shorter SAQ P2PE) for solutions on its list of validated P2PE solutions. A reader that encrypts but is not part of a listed solution may still be a good security measure, but whether it reduces scope is then up to your acquirer.
Europay, MasterCard and Visa (EMV)
EMV, the chip card standard named for Europay, MasterCard and Visa, embeds a chip in the payment card that generates a unique cryptogram for each card-present transaction, which makes the card very hard to counterfeit. In healthcare, EMV would offer protection if a patient tried to pay a co-pay at the point of service with a cloned card; since the October 2015 U.S. liability shift, a merchant that accepts a counterfeit chip card on a magstripe-only terminal bears the loss for that transaction. Two limits matter for payment security. First, EMV authenticates the card, not the cardholder; unless a PIN is required (most U.S. issuers use chip-and-signature), a lost or stolen card can still be used. Second, EMV does not encrypt the card data: the account number still passes through the reader and POS in the clear, so EMV alone does nothing against malware that harvests card numbers from the workstation. To protect payment data, healthcare providers should deploy EMV readers that also encrypt the data at the point of entry, that is, EMV combined with P2PE.
Security risks and compliance requirements for healthcare payments are an important part of your risk management strategy; however, managing them should not be a drain on your resources. Download our white paper for a comprehensive guide on compliance and security to promote efficiency and help your organization thrive with innovative and secure payment solutions.
Next month’s topic: Social Engineering – Two Decades Later