Last month, the healthcare payment network InstaMed announced that it was the first in the industry to achieve point-to-point encryption (P2PE) v2.0 validation. How important is this level of encryption for healthcare? What will this mean for those who seek better protection of their payment card data?
As the healthcare industry evolves, so do the provider-patient and payer-member payment relationships. Patient responsibility for payment has increased, as cost-shifting has put more of the healthcare tab on the consumer than in the past. As a result, providers rely on patients for more of their revenue. Health insurance has changed, too, as individual health plans account for a larger share of premium than they once did. In this new payment landscape, providers and payers are now merchants; among the other changes this creates for their organizations, they must continue to keep payment security top of mind.
This means maintaining Payment Card Industry Data Security Standards, or PCI DSS. This is a set of security standards designed to ensure that all merchants that accept, process, store or transmit payment card information maintain a secure environment. Failure to comply with PCI can result in monthly fines ranging from $5,000 to $100,000. These fines are issued by the card brands to the issuing banks, and the banks usually pass the fines onto the merchant. In some cases, an issuing bank may increase transaction fees or terminate the relationship with the merchant completely. If a data breach occurs, healthcare organizations risk even more fines, damage to reputation or revenue loss.
To be PCI compliant, the first step is to work with a payment vendor that meets the requirements of PCI DSS. However, to ensure the highest level of confidence, it’s best to choose a PCI-validated point-to-point encryption, or P2PE, solution provider. This means the PCI Security Standards Council has verified that when a customer makes payment, his or her data is converted to an indecipherable code to prevent hacking or fraud. The requirements are rigorous, and only solutions listed on the PCI website
meet the standard.
Payers and providers benefit from using a PCI-validated P2PE solution in several ways, including PCI scope reduction. For example, healthcare organizations that choose a Validated P2PE solution qualify for the council’s SAQ P2PE-HW, a self-assessment questionnaire that is only 35 questions, compared with 332. Thus, using a validated solution saves the organization time and money,
Of greater importance, a PCI-validated solution also ensures the best level of protection. Considering the increase in cyberattacks targeting the healthcare industry, it is more important than ever that data is encrypted. P2PE can protect payment data in the event of a breach. It also devalues the data, so it can’t be used even if it is stolen. Thus, the healthcare organization not only reduces its risk of a breach, but it also limits its reputational and financial risk should one occur.
Finally, by leveraging a PCI-validated P2PE solution provider, healthcare organizations can confidently open up more payment channels to collect payments including omni-channel, healthcare-specific payment solutions. This enables healthcare organizations to collect payments at every patient/member interaction point with the highest level of payment security and compliance.
About the Author
Noah Dermer, JD is InstaMed’s security officer. Prior to joining InstaMed, Dermer was Epic’s chief privacy and security officer. Dermer also managed Epic’s security R&D team, which develops software that helps hospital organizations ensure the confidentiality, availability, and integrity of healthcare data. Prior to his work on the security team, Noah worked at Epic on clinical applications where he designed, coded, and maintained computerized physician order entry software. He has also been a network administrator and worked for a large financial technology services company and a technology consulting firm.