March 11, 2014

Dear Centricity Customer,

We would like to make you aware of developments regarding all versions of the Centricity Patient Portal and its standard Quick Pay eForm.

Payment Card Industry (PCI) Security Standards Council

The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS)1. The PCI DSS defines workflow and technology recommendations that reduce the risk of payment card fraud for organizations that collect and store this information. It is recommended that organizations use products that are PCI certified to reduce this risk.

We have been informed that the Quick Pay eForm, which enables the collection and storage of payment information on the Centricity Patient Portal, is not a PCI certified product. GE Healthcare wants to make our clients aware of the situation and to provide them with instructions to ensure their adherence to PCI recommendations. GE Healthcare has not been made aware of any actual breaches related to the use of this form or any other custom e-form intended for payment information collection.

Recommended Actions for Organizations Who Do Not Use the Quick Pay eForm

For organizations that have not collected payment card information by using the Quick Pay eForm or any other custom e-form within the Centricity Patient Portal intended for payment information collection, we recommend that you do not begin collecting such information.

The PCI Security Standards Council does not enforce their security recommendations. If you are not part of a larger institution that performs annual PCI compliance assessments, it is recommended that you perform annual self-assessments. More information can be found at https://www.pcisecuritystandards.org/merchants/.

Recommended Actions for Organizations Who Do Use the Quick Pay eForm

For organizations that are using the Quick Pay eForm within the Centricity Patient Portal, please follow the steps below to align with PCI compliance recommendations:

1. Stop collection of payment card information

Disable the Quick Pay eForm, or any other custom e-form intended for the collection of payment card information, from displaying in the Centricity Patient Portal by following the steps below:

- Log into the Centricity Patient Portal as an Administrator and select the Admin link in the upper right hand corner

- Navigate to the Pages Tab, find the Quick Pay eForm and delete it by clicking the red X - Navigate to the Webboxes Tab to delete the Webboxes linked to the Quick Pay eForm

2. Remove collected payment card information

Delete all payment card information that resides in the Centricity Messaging Center by following the steps below:

- Log into your Centricity system and navigate to Centricity Clinical Messenger

- Locate the secure messages that contain payment card information and delete them. You can search for secure messages with the subject, “Quick Payment”. If you are not using system defaults, search for the secure message subject line associated with your Quick Pay eForm.

- Navigate to the “Deleted Items” folder and delete its contents

The PCI Security Standards Council does not enforce their security recommendations. If you are not part of a larger institution that performs annual PCI compliance assessments, it is recommended that you perform annual self-assessments. More information can be found at https://www.pcisecuritystandards.org/merchants/

Contact Information and Product Replacement

If you need assistance or have any questions, or if you would like to replace functionality provided by the Quick Pay eForm with another PCI compliant offering, please contact Centricity Support Services by calling 1-888-436-8491 or via email at [email protected]. 1 https://www.pcisecuritystandards.org/index.php