There’s no shortage of headlines on data breaches in healthcare.
These frequent revelations erode consumer trust in health systems' ability to protect sensitive information and send a chilling warning to chief information officers: protect PHI or risk millions in fines and litigation.
Third-party vendors, which health systems rely on for care delivery and coordination, present an additional vulnerability — any weakness in their security is a weakness in yours.
“At WELL, we understand that every vendor you use becomes an extension of your health system,” says Sam Jo, WELL Chief Information Security Officer. “That means our security matters as much as your own security efforts, and it means that every new company you work with needs to be held to the same high standards you use for your health system.”
#1 Security starts with people
Research published in the Journal of the American Medical Association found that more than half of data breaches in healthcare were triggered by internal negligence — that is, human errors. At WELL, we take this risk to heart and conduct security and compliance training upon hire and regularly throughout the year. Additionally, prior to receiving access to systems, employees are required to complete additional compliance and best practices training and to acknowledge their understanding of our acceptable use policies.
#2 Maintain an information security management program
WELL guards patient health information carefully and is fully committed to deploying and enforcing the latest information security frameworks to protect the integrity, confidentiality, and availability of the data we receive.
We maintain a comprehensive written information security program that covers all aspects of our information security practices, policies, and procedures, including all 19 domains of HITRUST.
#3 Develop with security in mind
The WELL development team employs secure coding techniques and best practices from the Open Web Application Security Project (OWASP) as well as SANS. Each of WELL’s developers is formally trained in secure web application development practices. We also use a peer-review model to ensure code complies with stated objectives.
Additionally, WELL’s code base is scanned at minimum on a quarterly basis, and the security team is tightly integrated with the development process to ensure secure coding practices are being followed.
#4 Store and encrypt data
WELL has a robust program for storing and encrypting data. We store data in the US in two distinct geographic regions and run databases in a private subnet. That means they’re not exposed to the internet, and access is restricted to the WELL application and authorized personnel. WELL also encrypts data in transit and at rest, and performs nightly backups.
WELL maintains a documented vulnerability management program which includes periodically scanning, identifying, and fixing security vulnerabilities on servers, workstations, network equipment, and applications.
#5 Simulate threats
WELL works with third parties to conduct penetration tests at least annually. In WELL’s latest external penetration test, performed by Veracode, WELL received a 100% score with no vulnerabilities found. These tests mimic an outside attack to ensure a full view of our environment.
#6 Manage risks
The WELL risk management process aims to promptly address any potential risks that could affect the business and assets of the company. WELL utilizes the NIST framework for internal risk assessments and also employs independent external auditors and consultants to perform risk analysis of WELL’s security posture.
#7 Prepare for the worst
Even with all of the correct security safeguards in place, incidents happen to even the most reputable organizations. WELL maintains a trained Incident Response Team which includes members of all integral functions across the business in order to quickly address potential incidents. The team meets regularly and has a clearly defined approach for handling potential threats.
Choose a vendor that takes security as seriously as you do
WELL serves many of the leading enterprise health systems, including Cedars-Sinai, Houston Methodist, and NYU Langone. Their security standards are the best in the business.
“We protect the patient information we receive as if it’s our own, because we have that responsibility,” Jo says. “Our environment and processes are built and maintained with a full understanding of the weight and sensitivity of the information we handle, and knowing we need to protect against the many threats that exist within information security.”
Pamela Ellgen is WELL’s Health Editor. She began her career in community journalism at The Asian Reporter and later covered business at The Portland Tribune. She is the author of more than a dozen published books and a graduate of Washington State University.