
Tag: PCI

Top Three Healthcare Technology Trends from HIMSS 2018

Healthcare information and technology professionals gathered in Las Vegas in early March for the Health Information and Management Systems Society (HIMSS) Global Conference & Exhibition to double down on the latest healthcare technology trends. In case you missed the conference this year, we thought we’d give you a casino advantage and deal out our top three takeaways from HIMSS 2018.

1. There’s A Difference Between Compliance and Security

The Identity Theft Resource Center recently reported that healthcare was the second most breached sector in 2017, with 374 breaches accounting for 23.7 percent of all reported breaches. So it’s no surprise that cyber security took center stage at HIMSS 2018, with a full-day forum on the topic. With stakes this high, panelists and attendees agreed: compliance is not security. Being compliant is a necessary step, but security is not a checkbox exercise. It needs support from the board level down, and security best practices must be spread throughout the organization. To encourage a security-first mindset, Wind River developed the Advanced Security Package (ASP), a tailored set of security tools that helps mitigate risk, supports PCI DSS compliance validation and strengthens the security of your business.

2. Cloud Computing. Cloud Computing Everywhere

Cloud technology was another healthcare technology trend regularly mentioned by presenters and discussed by attendees across the conference. HIMSS research concluded that many users found the cloud more effective at mitigating security risk. Before moving to the cloud, however, it is imperative to understand data governance and to have a mature security model; moving to a provider does not move the responsibility for configuring and monitoring your environment. As health systems continue to embrace cloud services, it is essential to actively manage cloud security strategies and to call on experts to validate them.

3. Amazon, Apple and Uber Roll the Dice on Healthcare

Amazon, Apple and Uber recently announced they are making their way into healthcare, which made for popular discussion among the professionals at HIMSS. Each of these massive tech companies has its own innovation to bring to the table: Amazon offering group purchasing, Apple providing employee clinics and Uber contributing transportation to hospitals. While these announcements are certainly disrupting the healthcare industry, they may not have hit the jackpot quite yet, since each of these services already exists in some form. Like many other technology trends, we’re skeptical about just how much these companies will revolutionize healthcare, but we’re also excited about the push for innovation and adoption of new technologies.

The immense knowledge shared at HIMSS made everyone a winner. From cyber security to new technology and innovations, healthcare technology trends are advancing to improve the patient experience and keep data safe. At Wind River, we stay on top of these trends to mitigate risk, keep patient information secure and improve the overall patient experience.

URGENT, You Do NOT Need to Read This!

We Already Have You Covered

You may have heard about a global issue in which Google researchers found vulnerabilities in commonly used encryption protocols that cannot be patched away, because the flaws are in the protocols’ design rather than in any one product. You may have also heard that, as a result, the PCI Council no longer accepts the vulnerable protocols as strong cryptography for credit card processing. However, you may not understand what this means.

The encryption protocols SSL and TLS have been in use for a long time. They essentially ‘scramble’ data in transit so that if it is intercepted by an unauthorized party it cannot be read. In this manner, encryption protects email, credit card data transmissions, ecommerce and any other sensitive data in motion. Specifically, the vulnerabilities apply to all versions of SSL and to early versions of its successor, TLS; TLS 1.0 in particular.

What Do These Vulnerable Encryption Protocols Mean For My Business?

Nothing! Wind River is way ahead of the rest of the industry and so are you*. An article explaining TLS notes that 40% of merchants could be impacted: when a merchant’s processor “flips the switch” and stops accepting SSL and TLS 1.0, any merchant still connecting with those protocols will find its credit card processing stops working for those transactions.

We have worked hard to communicate this critical change to our customers that were impacted well ahead of the looming deadline and taken the action needed to assure them their credit card processing would continue uninterrupted.

No need to send “Thank You” cards or gifts. It’s all in a day’s work here at Wind River and part of the After the Handshake Promise.

*We do have six customers we are still working with to overcome this obstacle. If you are one of these six, (you know who you are!) please read the PCI Council Specifics below and we will continue to work with you.

PCI Council Specifics

The PCI Council requires every entity involved in credit card processing to stop using all versions of SSL and TLS 1.0 by June 30, 2018 in order to remain PCI compliant. After that date, only TLS 1.1 or 1.2 is acceptable. Note that not every TLS 1.1 implementation is immune to the vulnerability, so TLS 1.2 should be used wherever possible.

The PCI Council has provided guidance. Note that the June 30, 2018 deadline is the end of a two-year extension the Council granted because of how widespread this global technology issue was.
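The practical question behind the deadline is which protocol version your systems and your processor actually agree on. As an added example (not code from the original post, Wind River or the PCI Council), the Python below reads a single TLS ServerHello record, the server’s reply in the handshake, and reports the negotiated version against the June 30, 2018 cut-off. The ServerHello bytes it runs on are constructed by the block itself, not captured traffic; the version table, verdict wording and the helper names are this example’s own assumptions.

```python
"""Check which protocol version a payment host negotiated against the PCI
DSS cut-off for SSL and early TLS (30 June 2018).

Added example for this page; not Wind River or PCI Council code. The
ServerHello bytes are constructed below, not captured traffic."""
import struct

# TLS version numbers as they appear on the wire (major, minor).
VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
# No longer accepted by the PCI Council as strong cryptography. SSL 2.0 is
# not listed because it does not use TLS record framing at all; the parser
# below rejects it as "not a TLS handshake record".
DISALLOWED = {0x0300, 0x0301}
RECOMMENDED_MIN = 0x0303  # TLS 1.2

SUPPORTED_VERSIONS_EXT = 43  # extension carrying the real version in TLS 1.3


def negotiated_version(record: bytes) -> int:
    """Return the protocol version selected in a ServerHello record.

    For TLS 1.0-1.2 the version is the server_version field. A TLS 1.3
    server writes 0x0303 there for compatibility and puts 0x0304 in the
    supported_versions extension, so that extension takes precedence.
    """
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")

    (version,) = struct.unpack("!H", hs[0:2])
    pos = 2 + 32                 # server_version, random
    pos += 1 + hs[pos]           # session_id (length-prefixed)
    pos += 2 + 1                 # cipher_suite, compression_method
    if pos + 2 <= len(hs):       # extensions block is optional
        (ext_total,) = struct.unpack("!H", hs[pos:pos + 2])
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if ext_type == SUPPORTED_VERSIONS_EXT and ext_len == 2:
                (version,) = struct.unpack("!H", hs[pos:pos + 2])
            pos += ext_len
    return version


def pci_verdict(version: int) -> tuple:
    """Map a negotiated version to (name, verdict) under the 2018 cut-off."""
    name = VERSION_NAMES.get(version, "unknown 0x%04x" % version)
    if version in DISALLOWED:
        return name, "FAIL: disallowed for payment traffic after 30 June 2018"
    if version < RECOMMENDED_MIN:
        return name, "WARN: permitted, but TLS 1.2 is recommended"
    return name, "PASS"


def build_server_hello(version: int, supported_versions: int = None) -> bytes:
    """Constructed sample ServerHello record (not real traffic), used here
    so the checker can be exercised offline. Random is zeroed, no session
    ID, cipher suite 0xC02F, no compression."""
    hs = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if supported_versions is not None:
        ext = struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, supported_versions)
        hs += struct.pack("!H", len(ext)) + ext
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    record_version = min(version, 0x0303)   # record layer never exceeds 1.2
    return b"\x16" + struct.pack("!HH", record_version, len(body)) + body


if __name__ == "__main__":
    for sample in (build_server_hello(0x0301),
                   build_server_hello(0x0303),
                   build_server_hello(0x0303, supported_versions=0x0304)):
        print("%-8s %s" % pci_verdict(negotiated_version(sample)))
```

To use it on real traffic, pass the first server-to-client handshake record from a packet capture of a payment connection to `negotiated_version`. A TLS 1.0 result on a connection to your processor is exactly the case the deadline targets; a TLS 1.1 result is tolerated by the Council but should be a prompt to move to 1.2.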

PCI Relief with ASP (Advanced Security Package)

For most of my customers, PCI is not their favorite acronym! The mere mention of this acronym has caused adverse side effects such as: anxiety, frustration, and headaches for both business owners and IT professionals alike.

Over the last 8 years, I have been helping our Wind River Financial customers with the challenges of PCI and I am happy to introduce another acronym, ASP. ASP, or Advanced Security Package, includes a security toolkit that can easily be downloaded to any workstation that will help alleviate some of the negative side effects of PCI validation. These tools will help secure your sensitive data, and in turn will reduce the amount of time spent on PCI validation.

To learn more about ASP, what is included in the security toolkit and its many benefits to our customers, click here or give me a call. Important enrollment information will be sent via email to you soon, so be on the lookout and watch your inbox closely.

CYBER SECURITY AND THE ART OF WAR

Successful cyber-attacks can ruin businesses, livelihoods, and even the lives of Small and Medium Business (SMB) owners and their customers. The enemy continues to grow stronger, launching over 4,000 attacks at SMBs daily. And, the stakes could not be higher. This is not a game... this is a war.

• The majority of cyber-attacks are directed at SMBs, mostly because attackers perceive weaker defenses at SMBs than at larger enterprises with greater resources.
• Post-attack remediation costs can extend into the hundreds of thousands of dollars for an SMB.
• 70% of SMBs attacked go out of business within 2 years of a significant breach.

So, how do we win?

Oddly enough in these tech forward times, the answers may exist in a book written over 2,500 years ago.

Sun Tzu, the Chinese general, military strategist and philosopher who lived in the 5th century B.C., is best known for authoring “The Art of War”. This seminal work has influenced military strategy from when it was written to the present day. The Japanese military adopted many of the book’s principles as it built itself into a modern military power. During the Vietnam War, Ho Chi Minh had it translated and given to his officers for study, contributing to the Vietnamese Army’s success against the French and American forces. More recently, American Generals Schwarzkopf and Powell employed Sun Tzu’s philosophies during the Gulf War. And to this day, “The Art of War” remains part of the Marine Corps Professional Reading Program.

The following are a few key “Art of War” principles, rendered to address the cyber-security challenges faced by today’s business owner.


“Every battle is won before it’s ever fought.”

Sun Tzu speaks to the importance of being fully committed and prepared, well in advance of any engagement with the enemy. Did you know that approximately 80% of businesses are not fully PCI compliant? To extend the analogy, this means that 4 out of 5 businesses are already losing the battle.


“The expert in battle moves the enemy, and is not moved by him.”

An effective cyber-security strategy must be proactive, agile and restless. The advantage exists in forcing the cyber-criminal to react to the defenses being put in place. Ask yourself if you are acting, or reacting.


“A clever fighter is one who not only wins, but excels in winning with ease.”

This idea is similar to the modern-day notion of mastery within a field: elite athletes or artists, for instance, who “make it look easy.” As we all know, that mastery is the result of untold hours of consistent, focused practice. To “win” against cyber-attacks, you must persistently invest the time and energy necessary to excel at defending your enterprise.


“Let your plans be dark and impenetrable as night, and when you move, fall like a thunderbolt.”

This translates to the importance of establishing and maintaining a strong security posture while remaining opaque to outside forces: attackers should learn as little as possible about how you are defended. That posture includes software solutions, but also well-defined security policies and training for employees, minimizing the inroads available to an attacker. And in the event that an attack is detected, move swiftly and decisively to contain and eradicate it.


“The greatest victory is that which requires no battle.”

This is the ideal state that we strive for. One in which the enemy chooses to not attack, as a result of the perceived strength of our defenses.

We at Wind River Financial, in partnership with Trustwave, are excited to offer our client partners the robust set of tools within the Advanced Security Package (ASP) as we all continue to fight this battle. We encourage you to contact your Relationship Manager for your login so that you can activate these enhanced tools immediately. Successive upgrades of this kind are critical to defending your business. Equally important is the commitment of the SMB owner to making cyber security a top priority. Having the very best tools in your arsenal, together with a committed and vigilant philosophy, is the best strategy for winning this war.

To learn more about the tools you can go here. To speak with a Relationship Manager call our Client Care 800-704-7253 ext. 6828

It’s not a matter of if, it’s a matter of when

As you may know, the ongoing battle between hackers, malicious software and data security professionals is a game of cat and mouse. Some of you have heard the adage that “it’s not a matter of if, it’s a matter of when” you will experience a data breach.

In the data security arms race, criminals use very sophisticated means of exploiting computer networks around the world, and the same tools are available for purchase or rent in criminal forums on the dark net. Your first thought may be that they won’t come after you because you’re “not one of the biggies,” but over 90% of data breaches hit small and medium businesses. Much of this is scary and you may feel somewhat helpless. However, there are tools that can help, with some effort.

First, the importance of PCI compliance. Yes, the groans are audible; no one likes compliance, and we don’t like being told to do something that distracts us from running our business. However, about 1 in 5 businesses fail after a data breach because of the related costs and reputation damage. It’s a very real risk. As a compliance framework, PCI is meant to be a tool that points out the weakest points in your network and data security so they can be addressed.

As the first generation that has had to manage today’s technology, it’s important to understand that computer technology requires management. The “set it and forget it” approach will bring risks to your business. If we don’t have internal technical staff to manage it, we may have to contract with external IT resources to properly manage the systems that contain not only our business and employee information, but also the sensitive information on our customers – including credit card data.

A basic protection we should all be using is an anti-virus/anti-malware solution, which we’ll refer to simply as “a/v.” These products are changing a lot right now as they migrate from signature-based detection (the product can only recognize malware whose signature has already been added to its database) to next-generation a/v that may use artificial intelligence, machine learning or applied mathematics to spot malicious behavior. Signature-based a/v has come under fire as too slow, because you are not protected from a piece of malware until it has been seen and catalogued.

Some of the next generation a/v solutions can recognize malicious software in real-time. You can imagine the benefit.  We are linking a recent related article from the Wisconsin State Journal.

We should also mention that we are currently working with our PCI compliance partner, Trustwave, on developing a security tools bundle that will be available to our customers. The tools will include an a/v solution and other services to help our customers secure their computer networks. One of the best parts is that they will also help fulfill a number of PCI related requirements. Please watch for future communication on this.

Point-to-Point Encryption 101: What it is and why it’s so important for healthcare providers

“What’s in a name?” This timeless question was posed by one of William Shakespeare’s most well-known characters, Juliet, as she argued that lineage was irrelevant when it comes to matters of the heart.

While we’re no experts on love or blood feuds, we do know that when it comes to protecting your healthcare data, a name means an awful lot. When looking to ensure the security of your organization’s information, the name you need to know is “point-to-point encryption.” The name is apt: card data is encrypted at one point, the card reader, and is not decrypted until it reaches another, the solution provider’s secure environment. If you’re wondering how exactly this works, keep reading; we’ll explain.

So what exactly is point-to-point encryption?

According to the PCI Security Standards Council, point-to-point encryption – commonly referred to as “P2PE” – is a “combination of secure devices, applications and processes that encrypt data from the point of interaction (for example, at the point of swipe or dip) until the data reaches the solution provider’s secure decryption environment.”

In simple terms, P2PE is the practice of transmitting encrypted data from point A to point D. Whereas data could potentially be stolen at points B and C in the process, with P2PE the risk is mitigated by devaluing the data and rendering it useless if stolen. How is this done? By ensuring that the encrypted data, and the decryption keys, are not in the same place until the data has reached its destination.

Different compliance frameworks define P2PE in different ways. Some key tenets of P2PE as it relates to the Payment Card Industry (PCI) are (1.) the solution encrypts credit card data at the point of interaction, and (2.) the merchant does not have the decryption keys.

Why is P2PE important for healthcare providers?

Medical centers and medical insurance providers are top hacking targets because they are essentially “one stop shops” for full consumer profiles, allowing hackers to access a plethora of sensitive and confidential data.

This data includes not only credit card information, but also consumer identifiers such as date of birth, social security number, address, telephone, email and more. This information can allow hackers to perform very extensive identity thefts.

WRF: your partner in protecting patients through P2PE

At Wind River Financial (WRF), we have successfully partnered with several healthcare organizations in strategically deploying P2PE solutions. We’ve worked with these clients to understand and strategize payment industry compliance and risk in order to shore up their systems and safeguard against breaches.

Check out some of our testimonials to hear from the clients themselves. Contact one of our relationship managers or sales associates to learn more and discover how WRF can start you down the path to P2PE protection.

The Lowdown on PCI Compliance for Hospitals

How to Keep Your Payment and Patient Data Safe and Secure

Medical centers and medical insurance providers are top hacking targets. Why? Because they are essentially “one stop shops” for full consumer profiles, allowing hackers to access a plethora of sensitive and confidential data.

The bad news
This data includes not only credit card information, but also consumer identifiers such as date of birth, social security number, address, telephone, email and more. This treasure trove of information can allow hackers to perform very extensive identity thefts, and it often carries some of the highest prices in online hacker markets.

PCI: protecting you
Payment Card Industry (PCI) requirements exist to protect credit card data, but may also help with HIPAA compliance by protecting sensitive patient information and safeguarding personally identifiable information (PII) and other sensitive details if implemented for these purposes.

The good news
While medical centers may be in hackers’ crosshairs, they also offer an ideal structure for protection against hackers. Allow us to explain. The fact that hospitals tend not to integrate credit card payment data with patient services, inventory or other data means they offer an excellent environment in which to deploy point-to-point encryption (P2PE).

What is P2PE? If you guessed a droid from Star Wars, you’d be wrong. P2PE is a state-of-the-art credit card security solution. A standard established by the PCI Security Standards Council, P2PE is delivered by a third party solution provider, and is a “combination of secure devices, applications and processes that encrypt data from the point of interaction (for example, at the point of swipe or dip) until the data reaches the solution provider’s secure decryption environment.”

WRF has your back
At Wind River Financial (WRF), we know our P2PE. We have successfully partnered with several health care organizations in strategically deploying P2PE solutions. We’ve worked with these clients to understand and strategize payment industry compliance and risk to ensure that credit card data is protected from hackers. But don’t take our word for it, check out some of our testimonials to hear from the clients themselves.

Interested in learning more? Contact us to discuss your organization’s needs and find out how WRF can help you choose a P2PE solution that will keep your patient and payment information safe and secure.

October 2015 Interchange and Network Fee Notification for Payment Processing

Effective October 1, 2015, there are a number of new and enhanced fee structures that are being implemented by VISA, MasterCard, Discover Card, and other network providers. Wind River Financial believes in transparency of all association fees applicable to your merchant processing costs, so we will be passing through these changes with no additional mark-up. For a full listing of these new fees please go to our web site in our Merchant Portal and Resource Library and look for the title October 2015 Interchange Modifications.

VISA Interchange Fees and New Programs – Visa will Implement new U.S. interchange programs to support tier qualification requirements for business card transactions. For details click here.

MasterCard Interchange Fees -MasterCard introduced new Interchange programs for U.S. Data Rate 1 Healthcare for the MasterCard Commercial Payments Account and MasterCard Prepaid Commercial Payments Account products. Click here for details.

Discover Card Rate Changes for Existing Prepaid Interchange Programs – Discover will implement new U.S. interchange programs for e-commerce transactions. Click here for details.

Wind River Fee Changes- On October 1, 2015 Wind River will increase PCI non-compliant fees by $5.00 per month.

EMV Liability Shift – On October 1, 2015, liability for card-present counterfeit fraud will shift to the party with the lesser technology. Therefore, if the merchant is not EMV enabled, the counterfeit fraud liability shifts to the merchant. For details click here.

So You’ve Been Breached…Now What?

In today’s heightened regulatory environment, the last thing that any business wants to find out is that they’ve been breached. If you think that you’re too small of a target for any hacker to have interest, you’re wrong. Over 90% of current network intrusions occur at small or medium businesses. They may not all make the newspaper like a multi-national retailer, but this is the state of data security.

The current belief within the information security community is that “it’s not a matter of if…it’s a matter of when” you will experience an intrusion. The fact is that most breached entities find out initially from a third party such as through law enforcement or customers.

An important item to have on file to help manage such situations is a breach response plan, not only because it’s a PCI requirement, but because the decisions you will face under pressure can have legal, financial and even business-survival consequences, and they are far better made in advance than in the middle of an incident.

There are several resources that may assist you in preparing an incident response plan. Below are some examples that you may find useful.

Electronic Transactions Association (ETA) Fraud & Security Committee

Data Breach Response: A Nine-Step Guide for Smaller Merchants

Visa

What To Do If Compromised.

An incident response plan is not something that most of us are chomping at the bit to write, but any time committed to it is worthwhile as it could significantly impact the time and expense of a data security event.

Of course if you are breached or suspect you might have been breached, contact us immediately and we will assist you by putting you in touch with the folks who can help in your situation.

PCI 3.0 is Knocking… Are You Ready?

The Payment Card Industry Data Security Standard (PCI DSS) is updated on a three-year cycle, and version 3.0 is upon us. Visa, MasterCard, and Discover require that all merchants comply with this standard to help protect credit card data.

Relatedly, the PCI Council requires that, as of January 2015, all merchants migrate to the new version at their annual PCI renewal. Therefore, if you renew after the New Year, the renewal process will differ from 2014’s. Our PCI compliance partner, Trustwave, will be introducing a new version of TrustKeeper that incorporates the new standard and provides tools and information to help you through the renewal process.

PCI 3.0 has significant new and expanded requirements including:

  • E-commerce that was previously out of scope for PCI is now brought into scope. This includes payment page redirects and hosted iframes, which various providers market under different names. E-commerce will need to be addressed as part of the PCI questionnaire.
  • All service providers (web hosts, payment gateway providers, etc.) that touch your credit card data must be validated as PCI compliant, and detailed documentation demonstrating this must be kept on file at the merchant. Wind River Financial is working with our partner gateways to assist with the new documentation requirements. This requirement takes effect in July 2015.

There are other requirements within the new standard that may impact your PCI compliance validation. We strongly encourage you to become familiar with the new requirements in preparation for the updates. A good resource is a recorded webinar from Trustwave in which they discuss the changes and how to prepare for them. The webinar, which lasts about 30 minutes, can be accessed here or by following this link: http://trustwave.com/Resources/Library/Webinars/PCI-3-0-is-Knocking-on-Your-Door–Are-You-Ready-/