Healthcare Payment Security Is Your Patient's Card Data Exposed? May 24, 2016
PRESENTER BIOS Michael Fidler Vice President Elavon Healthcare Payment Solutions Michael D. Fidler is Vice President, Healthcare Payment Solutions at Elavon. With over 17 years of business development experience in the payment industry, Mike has become a trusted advisor for healthcare providers and payers who are seeking ways to make payment processing more efficient and less costly. Leveraging his experience and knowledge of payment industry trends, leading-edge technology solutions and revenue cycle management, he helps clients to drive more payment volume - resulting in increasing revenues while reducing processing costs and expenses. Mike graduated from Iowa State University and currently lives in Colorado. 2
PRESENTER BIOS Kim O'Connor Vice President Elavon Payment Security Solutions Kim is Vice President of Payment Security Solutions at Elavon, Inc. She has been in the payments industry for 20 years in product management, product marketing and market development roles. Kim has been at Elavon for over 3 years focused on new product innovation initiatives. She is currently responsible for product strategy for Elavon's Security Solutions and industry-leading gateway. During her tenure at Elavon she has led the successful launch of EMV terminals and accelerated the expansion of security products such as encryption and tokenization that help remove cardholder data from merchant systems. Kim holds an MBA from Florida Atlantic University in Boca Raton, FL and resides in South Florida. 3
PRESENTER BIOS Tony Hansen Senior Security Consultant Providence Health & Services Tony Hansen, Senior Security Consultant, is the Payment Card Industry Internal Security Assessor (PCI ISA) for Providence. He architects payment solutions to reduce PCI scope for diverse lines of business including hospitals, clinics, pharmacies, foundations, cafeterias, gift shops, child care centers, parking garages, CME registration and online bill pay systems. He also serves as the liaison to banks and card brands for PCI DSS compliance. Tony has over 15 years' experience as a security practitioner and he is a Certified Information Systems Security Professional (CISSP), Project Management Professional (PMP) and Payment Card Industry Professional (PCIP). He graduated from Lewis & Clark College and resides in Oregon. 4
TODAY'S AGENDA Payment Security: Prevention is the Answer Healthcare Payment Trends Healthcare Vulnerabilities PCI Compliance Layered Approach to Security EMV Who's Liable and When Encryption and Tokenization Providence Health & Services Payment Strategy 5
BREACH IS A GROWING EPIDEMIC No healthcare organization is immune from data breach. [Chart: Healthcare Organizations Suffering a Breach in the last 24 months; categories: 5+ Breaches, 2-5 Breaches, 1-2 Breaches, No Breaches] [Chart: What are the Hackers After? 2014 Compromises by Data Type: Medical File, Billing/Insurance Record, Payment Details, Scheduling Details, Prescription Details, Monthly Statements, Other] Average cost of a breach for healthcare organizations is estimated at $2.1 million or more. Ponemon Institute, 5th Annual Benchmark Study on Privacy & Security of Healthcare Data, 2015 6
ARE YOU PREPARED? 7
WHO ARE THE PERPETRATORS? The Culprits External: Foreign Governments, Activist/Hacktivist groups, Organized crime, Lone hackers, Terrorists. Internal: Staff, Contractors, Vendors/Suppliers. Ponemon Institute, 5th Annual Benchmark Study on Privacy & Security of Healthcare Data, 2015 1 in 3: predicted number of healthcare recipients who will fall victim to a healthcare data breach in 2016. 8
9 HEALTHCARE VULNERABILITIES
OVERVIEW OF VULNERABILITIES Around 80% of data breaches are perpetrated by external actors* Point of Sale (Care) Web Application Attacks Crimeware (Malware) 10 *Source: Verizon Data Breach Incident Report, 2015
CARD DATA VULNERABILITIES Not New and It Can Happen to You Any organization that accepts card payments via a Point of Sale (POS) device is a potential target. Card-not-present environments (e-commerce) are under increased attack with the implementation of EMV. PCI DSS compliance may not be enough. Compliance is a baseline; it does not necessarily equal comprehensive security. PCI DSS - Payment Card Industry Data Security Standards: security standards for organizations that accept major credit cards including Visa, MasterCard, American Express, Discover, JCB and China Union Pay 11
LAYERED PAYMENT SECURITY SYSTEMS ARE THE BEST PROTECTION AGAINST SOPHISTICATED ATTACKS 12
13 PCI DSS
PCI IS BASELINE SECURITY And it is a continuous process It goes beyond technologies to include policies and procedures for: securing physical assets (laptops, mobile devices) securing physical environments (offices, vehicles) employee access (strong passwords, need to know) and more. 14
PCI PROVIDES A POLICY FRAMEWORK PCI DSS Requirements PCI DSS is a set of requirements that ALL organizations accepting payment cards must follow. PCI DSS encompasses EVERY aspect of an organization's cardholder data environment including employee training, documented policies, physical security and online security. PCI requirements provide a policy framework for securing card payments. PCI DSS Payment Card Industry Data Security Standards 15
WHERE IS YOUR CARD DATA LOCATED? 3 OUT OF 5 card data environments are improperly scoped, contributing to compromises. YOU MAY NOT REALIZE YOU STORE CARD DATA. Most common places credit card data hides: employee mobile devices, network, finance, card data environment, administrative, marketing, customer service, patient access, patient billing. 61%: scans revealing unencrypted card storage. *Source: SecurityMetrics, Infographic: The Danger of Storing Card Data, 2015 16
WHAT IS YOUR CARD DATA ENVIRONMENT (CDE)? Any system that touches card data, whether it transmits, processes and/or stores it: Terminals/Mobile payment devices; Internal systems (e.g. servers, databases); Department End Users (e.g. Finance, Accounting, Billing, Customer Care, etc.) 17
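The two slides above make the point that card data hides in places nobody scoped and that scans keep turning up unencrypted storage. The card-data discovery check below is an added example, not from the presentation or from any vendor's tool: it scans text for digit runs that pass the Luhn check every card number satisfies and reports them masked, so the finding itself is not card data. The sample lines are constructed, and the card numbers in them are the public Visa and Mastercard test numbers, not real cards.

```javascript
// Candidate: 13-19 digits, optionally separated by spaces or dashes, the way
// card numbers turn up in notes, spreadsheets, e-mail and log files.
const CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Luhn check that every payment card number satisfies; it filters out phone
// numbers, account ids and other digit runs that merely look like a PAN.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Returns the masked (first six + last four) card numbers found in text, so a
// scan report can name a finding without itself becoming stored card data.
function findPANs(text) {
  const found = [];
  for (const m of text.match(CANDIDATE) ?? []) {
    const digits = m.replace(/[ -]/g, '');
    if (!luhnValid(digits)) continue;
    found.push(digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4));
  }
  return found;
}

// Constructed sample lines standing in for a scanned billing-office file share.
// The 16-digit "account" on the second line fails Luhn and is correctly skipped.
const SAMPLE = [
  '2016-05-24 10:02 billing note: copay paid w/ card 4111 1111 1111 1111 exp 12/18',
  '2016-05-24 10:05 callback requested at 503-555-0142, account 1234567890123456',
  '2016-05-24 10:09 refund to 5555-5555-5555-4444 approved by supervisor',
].join('\n');

console.log(findPANs(SAMPLE));
```

Run against a real share or mailbox export, every hit is a system that belongs in the CDE whether or not it was ever scoped.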
18 LAYERED APPROACH TO SECURITY
LAYERED APPROACH TO SECURITY 19
HOW CAN WE PROTECT PAYMENT DATA The Security Toolbox EMV Encryption Tokenization PCI DSS Compliance Your Security Foundation The toolbox must be accompanied by business practices and processes designed to reduce exposure and control risk. 20
21 EMV
EMV WHAT IT IS AND WHAT IT IS NOT EMV will: Prevent counterfeit fraud at the point of sale; Protect against counterfeiting cards; Create a different point-of-sale experience (dip vs swipe); Store cardholder data on a chip; Require a new card with an embedded chip; See growing adoption in the U.S. through 2016 and beyond. EMV will not: Protect against card-not-present fraud; Prevent data breaches; Always require a PIN; Be vulnerable to wireless interception of data; Eliminate the need for magnetic stripe; Be universally adopted in the U.S. for at least 3-4 years. 22
EMV REDUCES CARD PRESENT FRAUD CARD AUTHENTICATION 23
... BUT NOT CARD NOT PRESENT FRAUD Source: AITE Group, EMV: Lessons Learned and the U.S. Outlook, October 11, 2014 24
WHO IS LIABLE WHEN? Three cases, each marked on the slide as either Provider or Issuer liable: (1) Provider is ready AND issuer issued a chip card; (2) Provider is not ready AND issuer issued a chip card; (3) Provider is ready or not ready AND issuer did not issue a chip card. 25
26 ENCRYPTION & TOKENIZATION
ENCRYPTION BENEFITS Protects Data In Transit Encrypts data before it enters POS/network Potentially reduces PCI scope Card data remains encrypted until it reaches the payment processor Encryption No POS or message format changes required EMV devices with encryption technology secure cardholder data at the point of swipe, tap or dip 27
TOKENIZATION BENEFITS Protects Data in Use & at Rest Eliminates need to store card data Potential liability greatly reduced Supports business processes Can be stored and used indefinitely Tokenization 28
ENCRYPTION/TOKENIZATION DATA FLOW Encryption protects data in use and in transit; tokenization protects data at rest. 1) Enter original card number 2) Encrypt card number 3) Return token number. Secure Data Center and Token Vault 29
A COMPREHENSIVE SECURITY STRATEGY Business practices, security controls and processes designed to reduce exposure and control risk. EMV Encryption Tokenization PCI DSS Compliance Your Security Foundation 32
33 PROVIDENCE HEALTH & SERVICES
PROVIDENCE HEALTH & SERVICES Overview Third largest not-for-profit health system in the United States Providing care in 5 states Alaska, California, Montana, Oregon and Washington System office located in Renton, Washington Employs over 82,000 caregivers Facilities include hospitals, physician clinics, long-term care facilities, hospice & home health care services and retail operations A tradition of caring for over 160 years 34
PAYMENT SECURITY STRATEGY Goals & Requirements Fewer banking relationships Payment solution that integrates with EHR system Secure and compliant solutions Positive consumer payment experience Reduced scope of card data environment 35
INTEGRATED EHR AND PAYMENT SYSTEMS Reducing compliance scope through integration Epic selected as EHR system in 2009 Card acceptance via a payment solution that integrates with Epic Keeps card data out of the EHR system Removed nearly 3000 workstations from scope 36
OUR PAYMENT SOLUTION Simplifies and secures payments Implemented a point-to-point encryption solution Eliminates card data from ever entering or crossing our network Eliminates card data from ever being stored on our network Helps reduce PCI scope, saving millions in investment for network segmentation Fully PCI compliant solution 37
Payment security EMV AND NFC Upgrading devices: Use risk-based modeling to guide planning; Focus on higher-risk retail operations first; Ensure EMV devices include encryption technology; Consider EMV devices with NFC capabilities. [Diagram: device upgrade priority on a scale from most susceptible to least susceptible] 38
QUESTIONS Contact Us Michael Fidler 303-268-2653 michael.fidler@usbank.com www.elavon.com/healthcare Tony Hansen anthony.hansen2@providence.org 39