7 ways WELL protects patient health information


There’s no shortage of headlines on data breaches in healthcare.

Once again, federal agencies warn that cybercriminals are unleashing ransomeware attacks against the U.S. healthcare system designed to lock up hospital information systems. These and other frequent revelations erode consumer trust in health systems to protect patient data. And they send a chilling warning to chief information officers — protect PHI or risk millions in fines and litigation.

Health systems rely on third-party vendors for care delivery and coordination. But they present an additional vulnerability. Any weakness in their security is a weakness in yours.

“Healthcare has always been a target of cyber security threats, most recently shown by the spike in ransomware attacks to U.S. hospitals and healthcare providers. WELL remains committed to deploying and enforcing the latest security measures to protect the integrity, confidentiality, and availability of the data we receive and store,” says Sam Jo, WELL Chief Information Security Officer. “Protecting our customers and the patients they serve is and always will be a top priority for us.”

#1 Security starts with people

Research published in the Journal of the American Medical Association found that more than half of data breaches in healthcare were triggered by internal negligence. Carelessness. At WELL, we take this risk to heart. We conduct security and compliance training upon hire and regularly throughout the year. Additionally, prior to receiving access to systems, employees must complete additional compliance and best practices training. They also must acknowledge their understanding of our acceptable use policies.

#2 Maintain an information security management program

WELL guards patient health information carefully and remains fully committed to deploying and enforcing the latest information security frameworks. We will protect the integrity, confidentiality, and availability of the data we receive.

We maintain a comprehensive written information security program that covers all aspects of our information security practices, policies, and procedures, including all 19 domains of HITRUST.

#3 Develop with security in mind

The WELL development team employs secure coding techniques and best practices from The Open Web Application Security Project (OWASP) as well as SANS. Each of WELL’s developers receives formal training in secure web application development practices. We also use a peer-review model to ensure code complies with stated objectives.

Additionally, WELL’s code base is scanned at minimum on a quarterly basis, and the security team is tightly integrated with the development process to ensure secure coding practices are being followed.

#4 Store and encrypt data

WELL has a robust program for storing and encrypting data. We store data in the US in two distinct geographic regions and run databases in a private subnet. That means they’re not exposed to the internet, and access is restricted to the WELL application and authorized personnel. WELL also encrypts data in transit and at rest, and performs nightly backups.

WELL maintains a documented vulnerability management program. It includes periodically scanning, identifying, and fixing security vulnerabilities on servers, workstations, network equipment, and applications.

#5 Simulate threats

WELL is Veracode Verified and works with third parties to conduct penetration tests at least annually. These tests mimic an outside attack to ensure a full view of our environment. “WELL is committed to delivering secure code to help organizations reduce the risk of a major security breach. Companies that invest in secure coding processes and follow our protocol for a mature application security program are able to deliver more confidence to customers who deploy their software,” said Asha May, CA Veracode.

#6 Manage risks

The WELL risk management process aims to promptly address any potential risks that could affect the business and assets of the company. WELL utilizes the NIST framework for internal risk assessments. We also employ independent external auditors and consultants to perform risk analysis of WELL’s security posture.

#7 Prepare for the worst

Even with all of the correct security safeguards in place, incidents happen to even the most reputable organizations. WELL maintains a trained Incident Response Team which includes members of all integral functions across the business in order to quickly address potential incidents. The team meets regularly and has a clearly defined approach for handling potential threats.

Choose a vendor that takes security as seriously as you do

WELL serves many of the leading enterprise health systems, including Cedars-Sinai, Houston Methodist, and NYU Langone. Their security standards are the best in the business.

Deepak Chaudhry is National Health IT & HITRUST Leader at BDO, whichc conducted WELL’s HITRUST audit. He said, “WELL’s security program is particularly impressive, and security has clearly been a primary focus since the company’s beginning. WELL has made sure to consider the end-to-end data flow process, and they’ve conscientiously deployed all the necessary controls to best address safety, privacy, and potential risk.”

“We protect the patient information we receive as if it’s our own, because we have that responsibility,” Jo says. “Our environment and processes are built and maintained with a full understanding of the weight and sensitivity of the information we handle, and knowing we need to protect against the many threats that exist within information security.”♥

WELL is now HITRUST CSF Certified


We’ve got big news! After a rigorous, multi-step process, WELL officially received HITRUST CSF Certification for our patient communication platform.

Just in case you’re not up on the latest in healthcare security, trust us, this is exciting. It means that the security and privacy of our platform meet comprehensive, meticulous standards.

Most of the information about HITRUST CSF Certification is a little confusing and technical, to say the least. So we’ve put together some material on why it’s important and what it means for the health systems that use WELL.

What is HITRUST?

HITRUST is a standards organization whose programs and services help safeguard sensitive information and manage information risk for global organizations across all industries. The organization’s evaluation criteria draw from prominent safety standards, frameworks, and guidelines, including HIPAA, PCI, and ISO.

How does HITRUST evaluate companies?

HITRUST evaluates companies using 19 domains, which are designed to address every facet of a business’s security operations. Those domains are:

  • Information protection program
  • Endpoint protection
  • Portable media security
  • Mobile device security
  • Wireless security
  • Configuration management
  • Vulnerability management
  • Transmission protection
  • Network protection
  • Password management
  • Access control
  • Audit logging and monitoring
  • Education, training, and awareness
  • Third-party assurance
  • Incident management
  • Business continuity and disaster recovery
  • Risk management
  • Physical and environmental security
  • Data privacy and protection

Vendors who meet HITRUST standards — usually after multiple rounds of evaluation and correction —are issued CSF certification.


The HITRUST CSF is a rigorous set of controls that covers, among other sources, all the requirements of HIPAA. At WELL, we’ve mapped our security controls to ensure we’re compliant with both HITRUST and HIPAA.

But it’s important to note that while many healthcare vendors claim HIPAA compliance, there’s no definitive third-party that verifies HIPAA compliance. Basically, you have to take a company’s word for it. In contrast, HITRUST CSF Certification standards are set by a governing alliance, and an unbiased expert conducts the audit of each company.

Why does it matter?

Health systems are vulnerable to two basic kinds of breach: external attacks and internal errors.

Ransomware attacks more frequently target healthcare than any other industry. Patient health information is considerably more valuable than a social security or credit card number on the black market.

But while hacking and malware are the most high-profile threats to health systems, accidental disclosures are a major problem as well. (The most frequent culprit varies from quarter to quarter, and year to year.)

An effective security system protects against both.

And while the number of breaches has actually declined in recent years, individual incidents are becoming more severe. The average number of people affected per breach more than doubled between 2017 and 2018, a Bitglass report found.

In short, there’s a lot at stake for health systems, who bear an enormous responsibility toward their patents. Our HITRUST CSF Certification helps us ensure that patient health information is kept safe from both external threats and internal errors.

How did WELL get HITRUST CSF Certified?

An authorized third-party, external assessor — in this case, the widely respected firm BDO — conducted a wide-ranging audit of WELL’s security operations and architecture. We then submitted the BDO report to HITRUST’s governing body so they could perform their own assessment.

Using two different layers of review by two different assessors is deliberate. It’s designed to ensure that no corner of a company’s security protection goes untested.

How long does HITRUST certification last?

HITRUST certification is valid for two years. About one year in, HITRUST will conduct an interim review, just to make sure we haven’t made any significant changes or experienced any breaches.

How does HITRUST help WELL clients?

Essentially, it means that clients can be completely confident in WELL’s handling of sensitive information, whether it’s being transferred or stored. As BDO’s National Health IT Leader, Deepak Chaudhry, put it: “WELL has made sure to consider the end-to-end data flow process, and they’ve conscientiously deployed all the necessary controls to best address safety, privacy, and potential risk.”

And in turn, WELL’s HITRUST CSF Certification means it’s easier for our clients to prove the safety of their own patient data during assessments or audits. This is precisely why vendor assessment programs are placing a higher emphasis on security requirements: It not only means greater assurance, but also cost and time savings for health systems during third-party reviews.

This was a comprehensive undertaking — exactly as it should have been — but we’re so glad we went through the process. We know what an extraordinary responsibility it is to be entrusted with sensitive data, and we want our customers to know we’re worthy of their faith in us. ♥

Get Started

Find out how WELL’s enterprise communication hub can make it easy to engage patients for world-class clinical and administrative experience.