State of risk with shared data - 10 years and 9X growth later

With medical devices increasingly connected to the internet, healthcare providers rely on and share information digitally. For healthcare providers, non-compliance with the security rules that protect patient data can cost a fortune. A study of the last five years of breaches shows how costly it is when data is exposed through negligence or by attackers. The risk that comes with shared data is striking.

Source: U.S. Department of Health and Human Services Office for Civil Rights

In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was introduced to protect patients' confidentiality while enabling healthcare organizations to pursue innovative methods of providing better care. With the internet in its infancy and more computers becoming connected, companies started investing in systems that let them manage records more efficiently. Fast forward 10 years, when doctors started relying on software to help them make better decisions for their patients. Software-backed systems became the next phase of healthcare's digital transformation.
When it comes to developing software for the healthcare industry, an application needs to be HIPAA-compliant if it creates, receives, stores, processes or transmits protected health information (PHI).
Now, a true story
About 10 years ago, a prominent US pharmacy software vendor partnered with us to develop their software. The customer has offered a wide range of pharmacy software products for 30 years, and those products are used by almost 30% of US pharmacies. The project started with building the core applications that would be sold to retail pharmacies, including drugstore chains, supermarkets, mass merchants, independents, and co-operatives.
To reduce cost, we proposed an offshore model for development and testing while program management and billing would happen locally. While the economics of offshore made sense, there was skepticism about information security. Topics brought up during the initial discussions were:

  • PHI (Protected Health Information) Security
  • Encryption of Healthcare Documents
  • Encryption of Connectivity (IPsec, VPN)
  • Network Security – Isolation of client network using VLAN.
  • Secure Internet Connectivity
  • Machine Level Security
  • Two Factor Authentication for remote Access Users
  • Certified IT Resources

In summary: how do we ensure our data is safe? What if data gets misplaced, lost or overwritten? Ten years ago, the processes and infrastructure around offshore development were not as mature as they are today. With looming threats, entrusting information to a small, relatively unknown company on the other side of the world sounded recklessly adventurous, to say the least.
We knew we had an uphill battle. Implementing and delivering on policies and procedures that complement HIPAA would be our first promise. The project was challenging from the start, but we were up to the task of allaying any security concerns.
The journey
We began with evaluating and re-evaluating our processes, infrastructure and technology. With a focus on delivering value to our customers, a plan was drawn to take measures to protect data and ensure it went beyond our customer’s initial concerns.
Processes

People first

We started by orienting our workforce on data protection and security. We later made it a practice to train every associate in information security before they started work on this project.

Security Audit

The customer was also deeply concerned about data misuse over the internet. We carried out an application-level security scan, and a multi-phase approach was adopted for the application security assessment. The assessment identified vulnerabilities and documented their severity and the impact of each risk in a comprehensive report.

ISO 27001

We went the extra mile and followed all processes required for ISO 27001:2013 certification. This demonstrated security policies and procedures that bring information security under management control.

By implementing ISO 27001 and maintaining an Information Security Management System (ISMS), we scored 87% in the first two years of customer audits.

Infrastructure

Securing the network

We took multiple measures to ensure data travelled safely, starting with encrypted connectivity. The IT team first set up an IPsec tunnel, so that traffic crossing the public internet stayed encrypted and authenticated. We then isolated the client network using a VLAN. Access Control Lists (ACLs) enforced the separation between networks, and all traffic passing through the tunnel was filtered by a Unified Threat Management (UTM) firewall with project-specific policies, allowing only authorized traffic. A VLAN on its own is only a logical boundary; the ACLs and firewall policies are what actually stop traffic from crossing it.

Securing the machines

Every machine involved was encrypted with BitLocker, and users authenticated to the network through Active Directory. Network admission was controlled by RADIUS, so only devices with a registered MAC address could connect to Synerzip's network. A MAC address identifies a device and can be spoofed, so this filter is a supplementary control rather than an authentication factor; the Active Directory credentials and the VPN second factor carry the real authentication.

The team also implemented two-factor authentication for the SSL VPN by deploying FreeRADIUS with Google Authenticator, so that a remote user had to present a time-based one-time password (TOTP) in addition to their credentials.

Values

Sense of ownership

This project's level of access to real-world data demanded a high level of responsibility. To safeguard against attacks, we staffed the project with professionals holding industry-recognized certifications such as EC-Council Certified Security Analyst (ECSA) and Certified Ethical Hacker (CEH), along with Microsoft and Cisco certifications. We built a 24/7 support operations team to ensure security and compliance were maintained at all times.

Transparency

Building a strong relationship with our customer meant disclosing the application's vulnerabilities to them and reporting incidents as they happened. Being transparent came first, followed by going the distance to fix the vulnerabilities. The reports were kept current with live updates so the customer always had a full view and could confirm that the product being developed met industry standards.

Learning organization

The customer considered us a partner in their growth. This stemmed from the fact that we are an organization focused on learning the latest technologies and advising the customer on best practices. The Enterprise Data Warehouse (EDW) solution was originally hosted on an Oracle database. Eight years and two PoCs later, the customer was able to decide whether to move to a Hadoop-based platform or a cloud-based data warehouse service. The customer chose Snowflake and Looker as their EDW and reporting platforms. This was made possible by a habit of finding innovative ways to solve business problems with the latest technologies that fit the business need and deliver the desired outcome.

What we learned
Over the past 10 years, we have consistently delivered outcomes that matter. Our value system protects and nurtures talent, which in turn adds value to our customers' projects. This project started with 10 team members and is now a strong 90-person team. Great teamwork, supported by best-of-breed technology and processes tailored to the customer, continues to give customers confidence in our promise and execution. The measures taken to protect data have reduced the perceptible risk with shared data.
The future…
The sense of project ownership and a culture focused on learning have allowed us to push the limits of technology by proposing faster, more secure and more robust stacks for our customers' products and solutions. The next frontier in this project's journey is moving from an over-provisioned local infrastructure to the cloud in order to reduce the cost of support and maintenance and increase scalability. Although this story has a successful outcome, it doesn't end here. Anxiety over patient data being in the cloud brings back memories of how this project started in the first place. But, as always, we have an answer: our people. We have worked on many other migrations to Azure, AWS or Google Cloud during the lifetime of this project, and that experience gives us the confidence to make the educated recommendations our customer has come to expect from us.
Stay tuned for what happens next on this project's journey.
Note: Client confidentiality is important to Synerzip. This is a referenceable customer of ours. If you would like to verify, please contact us.
Additional Resources:
For self-paced training, see: https://www.hhs.gov/hipaa/for-professionals/training/index.html
For the full text of the Omnibus Rule, see: https://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf