How Mashgin Secures Hospital Checkout
Short of hidden military installations, particle colliders, or secret robotics laboratories, hospitals are some of the most complex digital environments on earth.
Hospitals and healthcare systems are also an increasingly common target of serious cyber attacks aimed at their critical infrastructure and sensitive data.
Every shift, medical teams depend on reliable technology to keep operations flowing. On top of fulfilling their Hippocratic oath, healthcare staff also have to work with a mountain of sensitive and confidential data that is protected by powerful data protection legislation, like HIPAA.
So, when a hospital adds something new to campus, even a self-checkout in the cafeteria, it has to be effortlessly secure.
Mashgin is a start-up. We kicked off with two founders’ dreams and a self-checkout prototype in a garage. We’re dreamers, thinkers, and tinkerers. We innovate and iterate fast, but we also take security and compliance seriously. We zap long lines and zip guests on their way in some of the most security-sensitive, compliance-strict, and high-profile locations you might ever see. That means organizational controls, good data privacy hygiene, and a super strong cybersecurity stance that’s worthy of some of the best hospitals and healthcare organizations on the planet.
So, when it comes to cybersecurity, here’s how Mashgin delivers:
Built Strong for Zero-Trust Healthcare Environments
Hospitals expect the systems on their network to be locked down. In a Zero-Trust environment, everything on the network is untrusted until proven otherwise. Zero-Trust assumes security breaches will one day happen, and so it builds security around containing them. This means mitigating the impact of the hack, restricting access, and treating every request as potentially hostile.
That’s why Mashgin features multiple layers of strong security to operate in a security-demanding healthcare environment.
Mashgin’s infrastructure runs entirely in isolated, hardened environments inside of Amazon Web Services, or AWS. Mashgin runs on extremely well-vetted servers protected by the same physical and environmental safeguards that AWS provides to some of the world’s most sensitive industries. For hospitals, this means that Mashgin Self-Checkout operates inside a secure, cloud-managed system designed to minimize trust, restrict access, and keep patient-care networks protected.
To keep things safe, Mashgin also uses something called a Web Application Firewall to check every request coming in on the network. Anything suspicious or dangerous automatically gets stopped from getting through.
All data moving between the Mashgin Self-Checkout, the cloud, and our payment partners is encrypted in transit using modern protocols like TLS 1.2 and 1.3, with ChaCha20 encryption. TLS stands for Transport Layer Security and is the standard technology that keeps your connection to the web private and safe. It scrambles your data so nobody can read it, authenticates the connection so you know you’re talking to the real McCoy, and ensures your data arrives exactly as it left, neither changed nor tampered with. ChaCha20 is what’s called a stream cipher. From the secret key it generates a long stream of random-looking bits, and your message is mixed with that stream bit by bit. What results from that process is encrypted and completely unreadable unless you’ve got the cipher key. It’s a modern way to encrypt data quickly and safely, and it’s one big part of how Mashgin keeps your data safe.
Whenever Mashgin’s Engineering team needs to access our infrastructure or data, everything we do goes through a special VPN service to protect our connection while we work. Everything gets logged, and we use unique log-ins, strong passwords, and multi-factor authentication. We also use a strong, industry-standard password hashing algorithm for our Mashgin Cloud user accounts so passwords are never stored in plain text. In fact, they’re hashed together with something called a cryptographic salt and pepper - secret, random values added to the password before it is hashed - so no hacker could turn them back into plain text, even if they somehow got hold of the hashed versions.
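An added example, not Mashgin’s code, of what salting and peppering a stored password looks like in practice: the salt is random per account and stored next to the hash, while the pepper is a server-side secret kept out of the database. The pepper value and the PBKDF2 work factor here are assumptions.

```python
# Added example, not Mashgin's code: salted and peppered password storage.
import hashlib
import hmac
import os

# Assumption: in production the pepper lives in a secrets manager, never in
# the user database, so a leaked table of hashes is useless without it.
PEPPER = b"constructed-demo-pepper-do-not-use"
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed setting)

def hash_password(password: str, pepper: bytes = PEPPER, salt: bytes = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    # Pepper first (HMAC keyed by the secret pepper), then the slow, salted KDF,
    # so identical passwords still produce different stored values.
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, bytes.fromhex(salt_hex), int(iters))
    # compare_digest avoids leaking how many bytes matched via timing.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
```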
Once data reaches the cloud with AWS, it stays encrypted at rest using AES-256, or the Advanced Encryption Standard with a 256-bit key, which is a super strong way to encrypt data. AES-256 is one of the primary ways data gets encrypted these days across the globe, from e-commerce websites to top secret government archives. Mashgin uses AES-256 to scramble blocks of data into encrypted random noise that can’t be decrypted without the key.
Mashgin also practices something called system segmentation. What this means is that Mashgin’s network is split into public and private, locked-down areas to protect sensitive systems and data, contain damage if anything goes wrong, and make it harder for hackers to reach the important parts. We maintain a Virtual Private Cloud in our AWS environment to separate public services from private security groups for servers and databases.
Whenever Mashgin needs to get a message to a self-checkout in the field, say to send over a security update, we talk to the device through a secured tunnel connection over something called SSH, or the Secure Shell Protocol. SSH is a cryptographic network protocol that enables secure remote access to computers and other network devices over an unsecured network. SSH is the industry-standard solution for remote access to Linux systems. Through this tunnel, Mashgin has the ability to update, patch, and monitor each device as long as it maintains a network connection, but only authorized Mashgin staff ever have access to the remote connection.
Don’t just take our word for it; Mashgin undergoes a penetration test by a third-party cybersecurity firm at least once a year to test our infrastructure, systems, and security posture, and we then work diligently to shore up any vulnerabilities that might get detected.
Hospitals Handle Sensitive Data. Your Self-Checkout Shouldn’t.
The fastest way to reduce data risk is simple: don’t collect the data in the first place.
Mashgin maintains an audited data privacy program. The European Union’s General Data Protection Regulation (the GDPR) is the gold standard for data protection legislation the world over. We’ve passed multiple data privacy audits by a third-party auditor, and we’ve established policies, procedures, and security safeguards to minimize and secure the limited personal data we process.
Mashgin operates on an empty vault doctrine: keep things as secure as possible, while keeping as little data as possible. We only process the bare minimum data needed to provide our services, which includes:
- Basic transaction details, like timestamp, total, and sales tax.
- Limited payment info like the expiry date and a pre-truncated, partial card number.
- Basic item details, like the name, weight, and price.
- A single overhead image of the items on the self-checkout for each transaction.
- Account data like user emails and navigational cookies for Mashgin Cloud.
We use this data to make our self-checkout experience possible, including retrieving receipts, looking up transactions and processing refunds, or making various reports available to our partners in our admin dashboard, Mashgin Cloud.
How about HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act. It’s the playbook for how federal law protects health information that can identify an individual, also known as Protected Health Information, or PHI.
HIPAA exists to make sure patient health information isn’t disclosed unless the patient says so. HIPAA isn’t toothless, either; violations can trigger anything from financial penalties to full-on criminal consequences. If an organization handles U.S. PHI in any form, HIPAA’s rules are in play.
HIPAA lays out a comprehensive security blueprint for safeguarding U.S. patient information, spelling out the administrative, physical, and technical safeguards that must be in place. It sets the rules for when PHI can be disclosed and requires hospitals, clinics, and their vendors to follow core security practices, including strong access controls, data encryption, and staff training.
Ultimately, Mashgin doesn’t process any Protected Health Information - we don’t process it, store it, or even accept it - so we’re out of scope for HIPAA. That’s one less risk for compliance teams to manage!
SOC 2 Compliance
Hospitals don’t just ask their vendors to be secure, but they also expect them to prove it. Enter: SOC 2.
SOC 2 is an audit framework that helps companies evaluate whether their vendors’ systems are secure and properly managed. SOC 2, or System and Organization Controls 2, is a holistic, controls-based view of the company as a whole: how access gets controlled, how changes get deployed, how incidents get responded to, how vendors get vetted, and how security gets prioritized.
SOC 2 is structured around five tenets known as the Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Mashgin maintains a solid SOC 2 program that’s undergone an independent auditor’s examination. We maintain a library of compliance policies and procedures to demonstrate that Mashgin runs a tight ship:
- Access to systems is strictly limited and monitored.
- Changes to software go through review and approval.
- Incident response processes are documented, tested, and exercised.
- Our infrastructure is continuously monitored, patched, and maintained to best practices.
- The team takes security awareness training twice a year, as well as both data privacy and secure coding training.
- Vendors and partners are reviewed for risk and compliance before they ever touch our environment.
All of this means that nimble tech start-up Mashgin operates with the same kind of discipline and rigor that you’d normally expect from far larger, more established companies. We strive to offer healthcare partners the confidence that Mashgin’s systems are structured, monitored, controlled, and secure, all of it verified by an independent CPA firm. Mashgin Self-Checkout uses security and compliance to introduce operational relief, not operational risk.
How Does Mashgin Protect Credit Card Data?
Place. Pay. Be on your Way!
When you tap your card on the card reader to pay at the Mashgin Self-Checkout, your card data immediately gets encrypted by the card reader. This encrypted payment data is then sent directly to the payment gateway, like FreedomPay, through a secure technology called Point-to-Point Encryption, or P2PE. This means that sensitive payment data never touches the Mashgin system. The payment terminal encrypts card data immediately at the hardware level, and only the payment gateway has the keys to decrypt it.
Cardholder data like this is protected by a set of security standards called PCI DSS, or Payment Card Industry Data Security Standard. PCI DSS is designed to protect Cardholder Data throughout the payment lifecycle from security breaches and fraud. Any organization that accepts, transmits, or stores Cardholder Data is subject to PCI DSS compliance.
Examples of PCI DSS requirements include building and maintaining a secure network and systems, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring networks, and maintaining an information security policy.
To be in scope for PCI DSS compliance, you must either:
- Transmit, process, or store Account Data, and/or
- Impact the security of Account Data.
Under PCI DSS, Account Data consists of Cardholder Data and Sensitive Authentication Data. Cardholder Data includes the Cardholder Name, the Primary Account Number, or PAN, in any form beyond the first six and final four digits of the card, and the Expiration Date or Service Code if processed along with the PAN. Sensitive Authentication Data includes things like full magnetic stripe data and PINs.
Mashgin does not process any Cardholder Data or Sensitive Authentication Data as defined by PCI DSS. We don’t impact the security of the Cardholder Data Environment. This keeps Mashgin entirely out of scope for PCI DSS. For hospitals, that means that Mashgin doesn’t add to your existing PCI DSS footprint and doesn’t introduce risk related to full PAN exposure.
More than Moving the Lunch Line Faster
Mashgin delivers speed and convenience without ever compromising on security or privacy. We operate in some of the best healthcare facilities in the world, bringing convenience and a little Mashgin magic to hospital cafeterias without introducing risk. We have a solid security stack, with powerful encryption, multi-layered network segmentation, and infrastructure run to industry standards. We adhere to compliance frameworks like SOC 2 and go through audits to independently confirm we’re handling security as it should be. Lastly, we operate an empty vault and process as little sensitive or personal data as possible to remove risk, whether under HIPAA or under PCI DSS.
So, place your items, tap to pay, and be on your way. Mashgin’s got security covered.