While healthcare organizations’ IT systems have been receiving and storing terabytes of sensitive data for decades, more recent initiatives focused on HIPAA compliance have helped IT departments upgrade their systems and put in place security policies and procedures to safeguard protected health information (PHI). But by the very nature of their daily business activities, healthcare organizations also receive and store enormous amounts of personally identifiable information (PII) as well as payment card information (PCI) for every patient for billing purposes. Much of this PII and PCI data remains unprotected, sometimes not even encrypted, sitting in the databases of ERP systems and being transmitted among hospitals, clinics, labs, and private practices.
With the increasing number of successful hacks against a wide range of organizations, it’s now a matter of when, not if, information systems are breached by the usual suspects. According to a recent Ponemon Institute study, “criminal attacks in healthcare are up 125 percent since 2010 and are now the leading cause of data breach (and) … most healthcare organizations are still unprepared to address this rapidly changing cyber threat environment and lack the resources and processes to protect patient data. According to the FBI, criminals are targeting the information-rich healthcare sector because individuals’ personal information, credit information, and protected health information (PHI) are accessible in one place, which translates into a high return when monetized and sold.”[1] This is fair warning that a top priority of the healthcare C-suite should be maintaining the security and privacy of their patients’ personally identifiable information and payment data. The question for management then is: when the inevitable breach occurs, will there be information in the IT systems worth stealing?
Tokenization technology operates on the fundamental principle that hackers can’t steal what’s not there. With a cloud tokenization platform, no valuable payment, PHI, or PII data is accepted, stored, or transmitted by an organization’s IT systems. The TokenEx Cloud Security Platform replaces sensitive payment and personal data with mathematically unrelated tokens and stores the original data in 100% PCI-compliant secure data vaults running in fully redundant cloud data centers. A successful breach of a healthcare IT system then yields only a trove of tokens that are useless to the attacker. For all types of sensitive information—payment data in particular—this solves two urgent problems for organizations:

  • Decreases the scope of PCI compliance, so that most of the IT infrastructure is subject to the minimum number of PCI controls, reducing the cost and labor of keeping software and hardware in compliance through constant testing and audits.
  • Removes the risk of losing sensitive data and the repercussions of lawsuits, financial fines, and adverse publicity that drives away patients and damages your brand.

[1] The Fifth Annual Study on Privacy & Security of Healthcare Data, Ponemon Institute study, sponsored by ID Experts.

Healthcare Organizations' Top Data Security Issues


While payment card data used to be the most frequent target of hackers, new security tools, such as AI software that detects patterns of fraud and the introduction of EMV chip cards, are making it more difficult for the black market to sell payment cards’ primary account numbers (PANs) on their own. Fraudsters need the personal information that goes with the card data to fabricate identities for use in card-not-present fraud. If that’s not troublesome enough, cyber-espionage by state-sponsored hackers is rising at alarming rates, and their target is PII—data that helps them identify people and their associations as targets for further “attention”. The connected world is a global data war zone, and every organization is a target.


The cost of compliance looms very large in the minds of healthcare IT management. The sheer number of regulations aimed at securing sensitive information commonly held by all organizations is consuming ever larger swaths of the IT budget. Just keeping up with changes to existing regulations requires staffing security experts and software engineers who are solely focused on compliance issues. The cost of breaches continues to grow as courts award larger damages to victims of data theft, particularly when it results in identity theft. Even the FTC is now authorized to penalize organizations for breaches of their privacy policies when personal data is stolen, adding still more cost and regulatory burden to the injury of a security breach.

Securing Payment and Personal Data with Tokenization


To eliminate the risk of losing payment and personal data, the goal is to remove all the sensitive data coveted by cyber-thieves from internal systems, so that a breach becomes a reporting inconvenience instead of a financial and public relations disaster. The TokenEx Cloud Security Platform provides tokenization and data vaulting services that eliminate data theft risks and reduce compliance costs without disrupting existing business processes. TokenEx secures payment processing through every acceptance channel, tokenizes all types of sensitive data, and integrates payment services such as fraud detection, keeping sensitive data safe yet ready to use for processing.


To accommodate members and patients, healthcare providers need to work with as many payment channels as feasible: in-office card readers, web checkouts, call centers, and even mobile apps. The last three of these fall under the category of card-not-present transactions and are particularly vulnerable to theft and fraud. The only way to achieve the lowest-cost PCI compliance for these channels is to encrypt and tokenize the incoming payment data immediately at the point of entry. The TokenEx Cloud Security Platform protects any acceptance channel you choose to implement, as well as any data type.

  • TokenEx’s Browser-based Encryption API intercepts payment data entered by cardholders on the checkout web page and instantly encrypts, tokenizes, and stores it in secure data vaults, with only the token returned to business systems for recurring billing transactions and other processing.
  • Office payment terminals and call centers can be easily integrated with the tokenization process using Point-to-Point Encryption (P2PE) card readers, or by implementing the TokenEx Virtual Terminal, which keeps payment data from being stored or processed on call center workstations and thus removes them from PCI compliance scope.
  • Mobile apps can use the TokenEx Web API to encrypt entered payment card data at the device app level, vault it, and receive a token in return for storage and processing.
  • TokenEx can create custom high-value token formats that retain the meaning of the original data for use in analytics and reporting.


In the TokenEx Cloud Security Platform, payment, PII, and PHI data are vaulted under a unified tokenization schema in data vaults protected by rotating encryption keys. Using a unified security architecture is critically important when securing multiple types of sensitive data formats. Working with multiple tokenization providers to store different data formats can lead to data corruption issues when the tokens are mixed back into business systems for processing. A unified tokenization platform that stores all data types in a consistent model ensures interoperability of tokenized data across business processes.


Being payment processor agnostic is a central tenet of the TokenEx Cloud Security Platform, so your billing department can choose which payment gateways and processors to use and switch among them as needed. With the TokenEx Cloud Security Platform acting as the central point of integration, payment service providers—such as fraud detection and card refresh—work with your tokenized payment stream in real-time or batch mode. Need a real-time check on the authenticity of an unusual payment? TokenEx tokenizes the PAN, removing it from your systems, and returns an appropriate hashed value of the PAN that your systems pass to the fraud detection service for analysis. Your business processes don’t change, because TokenEx takes care of the integration with your choice of vendors. Your business systems never receive, store, or transmit payment data, only tokens, keeping them free of toxic data.
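To make the data flow described in this section and the earlier points about format-retaining tokens and vaulting concrete, here is an added toy example (not TokenEx code, and not a description of the TokenEx API): a hypothetical vault that issues tokens unrelated to the PAN while keeping the last four digits, returns the same token for a repeat PAN so recurring billing works, and produces a keyed hash of the PAN that a fraud service can match on. The vault's encryption at rest and key rotation are out of scope here; an in-memory dictionary stands in for the vault store.

```python
"""Toy tokenization vault (hypothetical, added for illustration)."""
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Standard Luhn check; used to make sure a token can never pass as a card number."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for a remote vault: the HMAC key and the PANs never leave this object."""

    def __init__(self, hmac_key: bytes) -> None:
        self._key = hmac_key
        self._pan_by_token: dict[str, str] = {}
        self._token_by_ref: dict[str, str] = {}

    def reference(self, pan: str) -> str:
        """Keyed hash of the PAN: stable for fraud-service matching, but not
        reversible and not computable by anyone without the vault's key."""
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        ref = self.reference(pan)
        if ref in self._token_by_ref:          # same PAN -> same token
            return self._token_by_ref[ref]
        while True:
            # Format-retaining token: random digits, same length, last four kept.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject anything that could pass as a real card number or collides.
            if token != pan and not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_ref[ref] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (or a processor it integrates with) ever sees the PAN again."""
        return self._pan_by_token[token]


def billing_record(vault: TokenVault, pan: str) -> dict:
    """What the business system keeps: token, display digits and fraud reference, no PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "fraud_ref": vault.reference(pan)}
```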


Tokenization technology is an ideal solution for preventing data theft. But it’s not ideal to have your data locked up in one payment provider’s proprietary tokenization system, leaving you unable to work with other service providers or to change payment processors. The TokenEx “no contracts” approach doesn’t lock you in with complex long-term commitments—your data is always your data, and should you decide to change tokenization vendors, we work with you to make the transition. And unlike payment processors who charge you every time you access and use your tokens, TokenEx fees are based on first-time tokenization and the storage of token/PAN data sets, not on every access. For complex organizations such as healthcare providers that store and manage large data sets, pricing can also be set at yearly subscription rates or as an unlimited-utilization option, obviating the need to track data storage and tokenization volumes.

We Can Show You How Tokenization Secures Your Sensitive Information

Our healthcare clients depend on TokenEx to provide a complete and customizable tokenization solution for their PII and PCI data theft problems and to reduce the costs of compliance. Let us explain how the TokenEx Cloud Security Platform can help your organization secure all types of data. Contact us today to set up an appointment to discuss your specific challenges.