Healthcare Payment Security: Is Your Patient's Card Data Exposed? May 24, 2016


PRESENTER BIOS: Michael Fidler, Vice President, Elavon Healthcare Payment Solutions. Michael D. Fidler is Vice President, Healthcare Payment Solutions at Elavon. With over 17 years of business development experience in the payment industry, Mike has become a trusted advisor for healthcare providers and payers seeking ways to make payment processing more efficient and less costly. Leveraging his experience and knowledge of payment industry trends, leading-edge technology solutions and revenue cycle management, he helps clients drive more payment volume, increasing revenues while reducing processing costs and expenses. Mike graduated from Iowa State University and currently lives in Colorado.

PRESENTER BIOS: Kim O'Connor, Vice President, Elavon Payment Security Solutions. Kim is Vice President of Payment Security Solutions at Elavon, Inc. She has been in the payments industry for 20 years in product management, product marketing and market development roles. Kim has been at Elavon for over 3 years, focused on new product innovation initiatives. She is currently responsible for product strategy for Elavon's Security Solutions and industry-leading gateway. During her tenure at Elavon she has led the successful launch of EMV terminals and accelerated the expansion of security products such as encryption and tokenization that help remove cardholder data from merchant systems. Kim holds an MBA from Florida Atlantic University in Boca Raton, FL and resides in South Florida.

PRESENTER BIOS: Tony Hansen, Senior Security Consultant, Providence Health & Services. Tony Hansen, Senior Security Consultant, is the Payment Card Industry Internal Security Assessor (PCI ISA) for Providence. He architects payment solutions to reduce PCI scope for diverse lines of business including hospitals, clinics, pharmacies, foundations, cafeterias, gift shops, child care centers, parking garages, CME registration and online bill pay systems. He also serves as the liaison to banks and card brands for PCI DSS compliance. Tony has over 15 years' experience as a security practitioner and is a Certified Information Systems Security Professional (CISSP), Project Management Professional (PMP) and Payment Card Industry Professional (PCIP). He graduated from Lewis & Clark College and resides in Oregon.

TODAY'S AGENDA
- Payment Security: Prevention is the Answer
- Healthcare Payment Trends
- Healthcare Vulnerabilities
- PCI Compliance
- Layered Approach to Security
- EMV: Who's Liable and When
- Encryption and Tokenization
- Providence Health & Services Payment Strategy

BREACH IS A GROWING EPIDEMIC
No healthcare organization is immune from data breach.
[Chart: Healthcare Organizations Suffering a Breach in the Last 24 Months; categories: 5+ breaches, 2-5 breaches, 1-2 breaches, no breaches]
[Chart: What Are the Hackers After? 2014 Compromises by Data Type; categories: medical file, billing/insurance record, payment details, scheduling details, prescription details, monthly statements, other]
The average cost of a breach for a healthcare organization is estimated at $2.1 million or more.
Source: Ponemon Institute, 5th Annual Benchmark Study on Privacy & Security of Healthcare Data, 2015

ARE YOU PREPARED?

WHO ARE THE PERPETRATORS? The Culprits
- External: foreign governments, activist/hacktivist groups, organized crime, lone hackers, terrorists
- Internal: staff, contractors, vendors/suppliers
1 in 3: predicted number of healthcare recipients who will fall victim to a healthcare data breach in 2016.
Source: Ponemon Institute, 5th Annual Benchmark Study on Privacy & Security of Healthcare Data, 2015

HEALTHCARE VULNERABILITIES

OVERVIEW OF VULNERABILITIES
Around 80% of data breaches are perpetrated by external actors.* The leading attack patterns:
- Point-of-sale (point-of-care) intrusions
- Web application attacks
- Crimeware (malware)
*Source: Verizon Data Breach Investigations Report, 2015

CARD DATA VULNERABILITIES: Not New, and It Can Happen to You
- Any organization that accepts card payments via a point-of-sale (POS) device is a potential target.
- Card-not-present environments (e-commerce) are under increased attack as EMV is implemented: counterfeit fraud that no longer works at a chip terminal migrates online.
- PCI DSS compliance may not be enough. Compliance is a baseline; it does not necessarily equal comprehensive security.
PCI DSS (Payment Card Industry Data Security Standard): the security standard for organizations that accept the major card brands, including Visa, MasterCard, American Express, Discover, JCB and China UnionPay.

LAYERED PAYMENT SECURITY SYSTEMS ARE THE BEST PROTECTION AGAINST SOPHISTICATED ATTACKS

PCI DSS

PCI IS BASELINE SECURITY, and it is a continuous process.
It goes beyond technologies to include policies and procedures for:
- securing physical assets (laptops, mobile devices)
- securing physical environments (offices, vehicles)
- employee access (strong passwords, need to know)
- and more.

PCI PROVIDES A POLICY FRAMEWORK: PCI DSS Requirements
PCI DSS is a set of requirements that ALL organizations accepting payment cards must follow. It encompasses EVERY aspect of an organization's cardholder data environment, including:
- employee training
- documented policies
- physical security
- online security
PCI requirements provide a policy framework for securing card payments. PCI DSS: Payment Card Industry Data Security Standard.

WHERE IS YOUR CARD DATA LOCATED?
3 out of 5 card data environments are improperly scoped, contributing to compromises. 61% of scans reveal unencrypted card storage.
YOU MAY NOT REALIZE YOU STORE CARD DATA. The most common places credit card data hides:
- employee mobile devices
- network locations outside the defined card data environment
- departmental systems and users: Finance, Administrative, Marketing, Customer Service, Patient Access, Patient Billing
*Source: SecurityMetrics, infographic "The Danger of Storing Card Data", 2015

WHAT IS YOUR CARD DATA ENVIRONMENT (CDE)?
Any system that touches card data, whether it transmits, processes and/or stores it:
- Terminals/mobile payment devices
- Internal systems (e.g. servers, databases)
- Department end users (e.g. Finance, Accounting, Billing, Customer Care)
Under PCI DSS scoping rules, systems that are connected to the CDE, or that could affect its security, are in scope as well, which is why a scoping error is so often found after a compromise.
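A card-data discovery scan is how you find out where the data actually sits rather than where the scoping document says it does. The Go program below is an added example, not part of the original presentation and not an Elavon, Providence or SecurityMetrics tool: it combines a digit-run regex, the Luhn check every PAN must pass, and a partial brand (IIN) table to flag likely card numbers in text, and it logs only the first six and last four digits so the scan output is not itself cardholder data. The sample text, the industry test PANs in it and the decoy invoice number are constructed; the same scanner run over exports, log directories, mailboxes and shared drives produces the kind of finding the infographic counts.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SampleText is constructed test data (industry test PANs and decoys), not real cardholder data.
const SampleText = `Patient John Q. Sample  MRN 0049182736  phone 555-0100
Copay charged to card 4111 1111 1111 1111 exp 12/19 auth 0A7B
Refund issued to 5500000000000004 on 2016-03-02
Invoice 1234567890123456 total 41.00 paid by check
Gift shop POS export: 378282246310005|04/20|LAST,FIRST`

// candidateRe matches 13 to 19 digits with optional single space or dash
// separators, anchored on word boundaries so longer digit runs are skipped.
var candidateRe = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

var sep = strings.NewReplacer(" ", "", "-", "")

// LuhnValid reports whether a digit string passes the Luhn mod-10 check that
// every payment card number must satisfy; most other long numbers fail it.
func LuhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// BrandOf returns the card brand from a partial IIN/length table (enough for a
// demo; production scanners carry the full BIN ranges), or "" for no match.
func BrandOf(pan string) string {
	n := len(pan)
	switch {
	case pan[0] == '4' && (n == 13 || n == 16 || n == 19):
		return "Visa"
	case n == 16 && pan[0] == '5' && pan[1] >= '1' && pan[1] <= '5':
		return "Mastercard"
	case n == 15 && (strings.HasPrefix(pan, "34") || strings.HasPrefix(pan, "37")):
		return "American Express"
	case n == 16 && strings.HasPrefix(pan, "6011"):
		return "Discover"
	}
	return ""
}

// Finding records one likely PAN. Only the first six and last four digits are
// kept, the maximum PCI DSS allows on a display, so the scan log is not card data.
type Finding struct {
	Line   int
	Brand  string
	Masked string
}

func mask(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// ScanText applies the regex, Luhn and brand filters to each line of text.
func ScanText(text string) []Finding {
	var out []Finding
	for i, line := range strings.Split(text, "\n") {
		for _, m := range candidateRe.FindAllString(line, -1) {
			digits := sep.Replace(m)
			if !LuhnValid(digits) {
				continue
			}
			brand := BrandOf(digits)
			if brand == "" {
				continue
			}
			out = append(out, Finding{Line: i + 1, Brand: brand, Masked: mask(digits)})
		}
	}
	return out
}

func main() {
	for _, f := range ScanText(SampleText) {
		fmt.Printf("line %d: %-16s %s\n", f.Line, f.Brand, f.Masked)
	}
}
```

Three of the four 16-digit-class numbers in the sample are reported; the invoice number is dropped by the Luhn check, which is what keeps a scan of a billing system from drowning in false positives. Any hit outside the documented CDE is either data to be purged or a system to be pulled into scope.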

LAYERED APPROACH TO SECURITY

HOW CAN WE PROTECT PAYMENT DATA? The Security Toolbox
- EMV
- Encryption
- Tokenization
- PCI DSS Compliance: Your Security Foundation
The toolbox must be accompanied by business practices and processes designed to reduce exposure and control risk.

EMV

EMV: WHAT IT IS AND WHAT IT IS NOT
EMV will:
- Prevent counterfeit fraud at the point of sale
- Protect against counterfeiting of cards
- Create a different point-of-sale experience ("dip" vs "swipe")
- Store cardholder data on a chip
- Require a new card with an embedded chip
- See growing adoption in the U.S. through 2016 and beyond
EMV will not:
- Protect against card-not-present fraud
- Prevent data breaches
- Always require a PIN
- Be vulnerable to wireless interception of data
- Eliminate the need for the magnetic stripe
- Be universally adopted in the U.S. for at least 3-4 years

EMV REDUCES CARD-PRESENT FRAUD: CARD AUTHENTICATION
The chip holds a key that never leaves the card and uses it to compute a cryptogram unique to each transaction, which the issuer verifies; copying the magnetic stripe or the chip's readable data does not yield that key, so a counterfeit card fails authentication at a chip terminal.

... BUT NOT CARD-NOT-PRESENT FRAUD
Source: AITE Group, EMV: Lessons Learned and the U.S. Outlook, October 11, 2014
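Why a cloned stripe stops working at a chip terminal, and why none of this helps online, comes down to the cryptogram. The following Go program is an added illustration, not code from the presenters, from any EMV specification or from a vendor: it models a chip that keeps a master key and an Application Transaction Counter (ATC), computes a per-transaction cryptogram over the amount, currency, terminal nonce and ATC, and an issuer that recomputes it and insists on a strictly increasing ATC. Assumptions: HMAC-SHA256 stands in for the 3DES/AES CBC-MAC that EMV actually specifies, the key material and PAN are constructed test values, and the transaction fields are a subset of what a real CDOL1 requests.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// TxData is the transaction data the terminal hands to the chip for the
// cryptogram (a subset of what CDOL1 requests in a real EMV flow).
type TxData struct {
	AmountMinor   uint64 // amount in minor units, e.g. cents
	CurrencyCode  uint16 // ISO 4217 numeric, 840 = USD
	Unpredictable uint32 // terminal-generated nonce for this transaction
}

// Card models the chip: a master key that never leaves it and an Application
// Transaction Counter (ATC) that increments on every transaction.
type Card struct {
	PAN       string
	masterKey []byte
	atc       uint16
}

// sessionKey derives a per-transaction key from the master key and ATC.
// Assumption: HMAC-SHA256 stands in for EMV's 3DES/AES key derivation.
func sessionKey(master []byte, atc uint16) []byte {
	m := hmac.New(sha256.New, master)
	var b [2]byte
	binary.BigEndian.PutUint16(b[:], atc)
	m.Write(b[:])
	return m.Sum(nil)
}

// cryptogram MACs the transaction data under the session key and truncates
// to 8 bytes, the size of a real ARQC. Changing any input changes the result.
func cryptogram(sk []byte, tx TxData, atc uint16) []byte {
	var b [16]byte
	binary.BigEndian.PutUint64(b[0:], tx.AmountMinor)
	binary.BigEndian.PutUint16(b[8:], tx.CurrencyCode)
	binary.BigEndian.PutUint32(b[10:], tx.Unpredictable)
	binary.BigEndian.PutUint16(b[14:], atc)
	m := hmac.New(sha256.New, sk)
	m.Write(b[:])
	return m.Sum(nil)[:8]
}

// GenerateAC is the chip's answer to the terminal: the new ATC and the ARQC.
func (c *Card) GenerateAC(tx TxData) (uint16, []byte) {
	c.atc++
	return c.atc, cryptogram(sessionKey(c.masterKey, c.atc), tx, c.atc)
}

// Issuer holds each card's master key and the highest ATC it has accepted.
type Issuer struct {
	keys    map[string][]byte
	lastATC map[string]uint16
}

// Verify recomputes the ARQC from the claimed transaction data. The ATC check
// rejects replays even when the cryptogram itself is a genuine one.
func (is *Issuer) Verify(pan string, atc uint16, tx TxData, arqc []byte) bool {
	mk, ok := is.keys[pan]
	if !ok || atc <= is.lastATC[pan] {
		return false
	}
	if !hmac.Equal(cryptogram(sessionKey(mk, atc), tx, atc), arqc) {
		return false
	}
	is.lastATC[pan] = atc
	return true
}

// Outcome collects the four scenarios Demo runs.
type Outcome struct{ Genuine, Replay, Tamper, Clone bool }

// Demo runs one genuine purchase and then three attacks against it.
func Demo() Outcome {
	mk := []byte("constructed-card-master-key-0001") // constructed key material
	card := &Card{PAN: "4111111111111111", masterKey: mk}
	issuer := &Issuer{map[string][]byte{card.PAN: mk}, map[string]uint16{}}
	tx := TxData{AmountMinor: 12500, CurrencyCode: 840, Unpredictable: 0x1A2B3C4D}
	atc, arqc := card.GenerateAC(tx)
	var o Outcome
	o.Genuine = issuer.Verify(card.PAN, atc, tx, arqc)
	// Replay: the captured ATC/ARQC presented again at a terminal that chose a new nonce.
	replayTx := tx
	replayTx.Unpredictable = 0x99999999
	o.Replay = issuer.Verify(card.PAN, atc, replayTx, arqc)
	// Tamper: an issuer with no ATC history sees the genuine ARQC with the amount changed.
	tamperTx := tx
	tamperTx.AmountMinor = 1
	o.Tamper = (&Issuer{issuer.keys, map[string]uint16{}}).Verify(card.PAN, atc, tamperTx, arqc)
	// Clone: the attacker copied the PAN and track data but not the chip key, so must guess it.
	fake := cryptogram(sessionKey([]byte("guessed-key"), atc+1), replayTx, atc+1)
	o.Clone = issuer.Verify(card.PAN, atc+1, replayTx, fake)
	return o
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

Only the genuine transaction verifies. The same model also shows the limit the next slide states: an e-commerce checkout never talks to the chip, so no cryptogram is produced and the PAN, expiry and CVV2 typed into a web form are as replayable as they always were.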

WHO IS LIABLE WHEN? Counterfeit card-present fraud after the October 2015 U.S. liability shift
- Provider is ready (EMV-capable terminal) AND issuer issued a chip card: Issuer is liable
- Provider is not ready AND issuer issued a chip card: Provider is liable
- Provider is ready or not ready AND issuer did not issue a chip card: Issuer is liable
Liability for counterfeit fraud moves to whichever party has not adopted EMV; where both or neither have, it stays with the issuer as before.

ENCRYPTION & TOKENIZATION

ENCRYPTION BENEFITS: Protects Data in Transit
- Encrypts data before it enters the POS system or network
- Potentially reduces PCI scope
- Card data remains encrypted until it reaches the payment processor
- No POS or message format changes required
- EMV devices with encryption technology secure cardholder data at the point of swipe, tap or dip
Caveat: the full scope reduction (SAQ P2PE) is available only for a solution listed by the PCI SSC as validated P2PE; for other end-to-end encryption, the reduction is at the acquirer's discretion and must be documented.

TOKENIZATION BENEFITS: Protects Data in Use & at Rest
- Eliminates the need to store card data
- Potential liability greatly reduced
- Supports business processes
- Tokens can be stored and used indefinitely

ENCRYPTION/TOKENIZATION DATA FLOW
1) Card entry: the original card number is entered at the device.
2) Encryption (protection for data in use and in transit): the card number is encrypted before it leaves the device and stays encrypted across the provider's network to the secure data center.
3) Tokenization (protection for data at rest): the secure data center and token vault return a token number, which is what the provider stores.
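Steps 1 to 3 above, as an added example in Go that is not part of the original deck or of Elavon's product: the device encrypts the PAN under AES-256-GCM the moment it is read, the merchant system only ever holds the ciphertext, and the processor decrypts in its own environment, vaults the PAN and returns a random token plus the last four digits. Assumptions: a single static device key (real P2PE devices use DUKPT per-transaction keys), a constructed key value, the industry test PAN 4111111111111111, and an in-memory vault.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// EncryptedPAN is all that leaves the device: nonce||ciphertext||tag under the
// device key, plus the device ID the processor uses to select that key.
type EncryptedPAN struct {
	DeviceID string
	Blob     []byte
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // key length is fixed at key injection
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// Device is the swipe/dip/tap terminal. Assumption: one static AES-256 key
// stands in for the per-transaction DUKPT keys real P2PE devices use.
type Device struct {
	ID  string
	key []byte
}

// Capture encrypts the PAN as it is read; the device ID is bound in as
// associated data so a blob cannot be replayed as if from another terminal.
func (d *Device) Capture(pan string) (EncryptedPAN, error) {
	aead := gcm(d.key)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedPAN{}, err
	}
	return EncryptedPAN{d.ID, aead.Seal(nonce, nonce, []byte(pan), []byte(d.ID))}, nil
}

// Processor is the secure data center: keys and the token vault live here,
// outside the merchant network and so outside the merchant's PCI scope.
type Processor struct {
	deviceKeys map[string][]byte
	vault      map[string]string // token -> PAN (encrypted at rest in a real vault)
}

// Tokenize decrypts, vaults the PAN and returns a random token plus last four,
// which is all the merchant keeps for receipts, refunds and payment plans.
func (p *Processor) Tokenize(e EncryptedPAN) (token, last4 string, err error) {
	key, ok := p.deviceKeys[e.DeviceID]
	if !ok || len(e.Blob) < 12 { // 12 = aead.NonceSize() for standard GCM
		return "", "", errors.New("unknown device or truncated blob")
	}
	pan, err := gcm(key).Open(nil, e.Blob[:12], e.Blob[12:], []byte(e.DeviceID))
	if err != nil {
		return "", "", errors.New("authentication failed: altered blob or wrong key")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", "", err
	}
	token = "tok_" + hex.EncodeToString(raw) // random: no relationship to the PAN
	p.vault[token] = string(pan)
	return token, string(pan[len(pan)-4:]), nil
}

// FlowResult is what the merchant side observes across the flow.
type FlowResult struct {
	MerchantSeesPAN, TamperRejected bool
	Token, Last4                    string
}

// RunFlow walks the slides' steps 1-3 with a constructed key and an industry test PAN.
func RunFlow() (FlowResult, error) {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed; real keys come from a key-injection facility
	dev := &Device{ID: "TERM-HOSP-0042", key: key}
	proc := &Processor{map[string][]byte{dev.ID: key}, map[string]string{}}
	const pan = "4111111111111111"
	enc, err := dev.Capture(pan) // 1) card entry, encrypted inside the device
	if err != nil {
		return FlowResult{}, err
	}
	res := FlowResult{MerchantSeesPAN: bytes.Contains(enc.Blob, []byte(pan))}
	if res.Token, res.Last4, err = proc.Tokenize(enc); err != nil { // 2) decrypt, 3) token back
		return FlowResult{}, err
	}
	bad := EncryptedPAN{enc.DeviceID, append([]byte(nil), enc.Blob...)}
	bad.Blob[len(bad.Blob)-1] ^= 0x01 // one bit flipped in transit: the GCM tag check fails
	_, _, err = proc.Tokenize(bad)
	res.TamperRejected = err != nil
	return res, nil
}

func main() { fmt.Println(RunFlow()) }
```

The merchant's systems see ciphertext on the way in and a token on the way out, which is the basis for the scope reduction claimed on the earlier slide; the bit-flip case shows why an authenticated mode matters, since a corrupted or manipulated blob is rejected rather than decrypted to garbage that might still be logged.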

A COMPREHENSIVE SECURITY STRATEGY
Business practices, security controls and processes designed to reduce exposure and control risk:
- EMV
- Encryption
- Tokenization
- PCI DSS Compliance: Your Security Foundation

PROVIDENCE HEALTH & SERVICES

PROVIDENCE HEALTH & SERVICES: Overview
- Third largest not-for-profit health system in the United States
- Providing care in 5 states: Alaska, California, Montana, Oregon and Washington
- System office located in Renton, Washington
- Employs over 82,000 caregivers
- Facilities include hospitals, physician clinics, long-term care facilities, hospice & home health care services and retail operations
- A tradition of caring for over 160 years

PAYMENT SECURITY STRATEGY: Goals & Requirements
- Fewer banking relationships
- Payment solution that integrates with the EHR system
- Secure and compliant solutions
- Positive consumer payment experience
- Reduced scope of card data environment

INTEGRATED EHR AND PAYMENT SYSTEMS: Reducing compliance scope through integration
- Epic selected as EHR system in 2009
- Card acceptance via a payment solution that integrates with Epic
- Keeps card data out of the EHR system
- Removed nearly 3000 workstations from scope

OUR PAYMENT SOLUTION: Simplifies and secures payments
- Implemented a point-to-point encryption solution
- Eliminates card data from ever entering or crossing our network
- Eliminates card data from ever being stored on our network
- Helps reduce PCI scope, saving millions in investment for network segmentation
- Fully PCI compliant solution

PAYMENT SECURITY: EMV AND NFC
Upgrading devices:
- Use risk-based modeling to guide planning
- Focus on higher-risk retail operations first (most susceptible before least susceptible)
- Ensure EMV devices include encryption technology
- Consider EMV devices with NFC capabilities

QUESTIONS? Contact Us
Michael Fidler, 303-268-2653, michael.fidler@usbank.com, www.elavon.com/healthcare
Tony Hansen, anthony.hansen2@providence.org