There’s no shortage of headlines on data breaches in healthcare.
Once again, federal agencies warn that cybercriminals are unleashing ransomware attacks against the U.S. healthcare system designed to lock up hospital information systems. These and other frequent revelations erode consumer trust in health systems to protect patient data. And they send a chilling warning to chief information officers — protect PHI or risk millions in fines and litigation.
Health systems rely on third-party vendors for care delivery and coordination. But they present an additional vulnerability. Any weakness in their security is a weakness in yours.
“Healthcare has always been a target of cyber security threats, most recently shown by the spike in ransomware attacks to U.S. hospitals and healthcare providers. WELL remains committed to deploying and enforcing the latest security measures to protect the integrity, confidentiality, and availability of the data we receive and store,” says Sam Jo, WELL Chief Information Security Officer. “Protecting our customers and the patients they serve is and always will be a top priority for us.”
#1 Security starts with people
Research published in the Journal of the American Medical Association found that more than half of data breaches in healthcare were triggered by internal negligence. Carelessness. At WELL, we take this risk to heart. We conduct security and compliance training upon hire and regularly throughout the year. Additionally, prior to receiving access to systems, employees must complete additional compliance and best practices training. They also must acknowledge their understanding of our acceptable use policies.
#2 Maintain an information security management program
WELL guards patient health information carefully and remains fully committed to deploying and enforcing the latest information security frameworks. We will protect the integrity, confidentiality, and availability of the data we receive.
We maintain a comprehensive written information security program that covers all aspects of our information security practices, policies, and procedures, including all 19 domains of HITRUST.
#3 Develop with security in mind
The WELL development team employs secure coding techniques and best practices from The Open Web Application Security Project (OWASP) as well as SANS. Each of WELL’s developers receives formal training in secure web application development practices. We also use a peer-review model to ensure code complies with stated objectives.
Additionally, WELL’s code base is scanned at minimum on a quarterly basis, and the security team is tightly integrated with the development process to ensure secure coding practices are being followed.
#4 Store and encrypt data
WELL has a robust program for storing and encrypting data. We store data in the US in two distinct geographic regions and run databases in a private subnet. That means they’re not exposed to the internet, and access is restricted to the WELL application and authorized personnel. WELL also encrypts data in transit and at rest, and performs nightly backups.
WELL maintains a documented vulnerability management program. It includes periodically scanning, identifying, and fixing security vulnerabilities on servers, workstations, network equipment, and applications.
#5 Simulate threats
WELL is Veracode Verified and works with third parties to conduct penetration tests at least annually. These tests mimic an outside attack to ensure a full view of our environment. “WELL is committed to delivering secure code to help organizations reduce the risk of a major security breach. Companies that invest in secure coding processes and follow our protocol for a mature application security program are able to deliver more confidence to customers who deploy their software,” said Asha May, CA Veracode.
#6 Manage risks
The WELL risk management process aims to promptly address any potential risks that could affect the business and assets of the company. WELL utilizes the NIST framework for internal risk assessments. We also employ independent external auditors and consultants to perform risk analysis of WELL’s security posture.
#7 Prepare for the worst
Even with all of the correct security safeguards in place, incidents happen to even the most reputable organizations. WELL maintains a trained Incident Response Team which includes members of all integral functions across the business in order to quickly address potential incidents. The team meets regularly and has a clearly defined approach for handling potential threats.
Choose a vendor that takes security as seriously as you do
WELL serves many of the leading enterprise health systems, including Cedars-Sinai, Houston Methodist, and NYU Langone. Their security standards are the best in the business.
Deepak Chaudhry is National Health IT & HITRUST Leader at BDO, which conducted WELL’s HITRUST audit. He said, “WELL’s security program is particularly impressive, and security has clearly been a primary focus since the company’s beginning. WELL has made sure to consider the end-to-end data flow process, and they’ve conscientiously deployed all the necessary controls to best address safety, privacy, and potential risk.”
“We protect the patient information we receive as if it’s our own, because we have that responsibility,” Jo says. “Our environment and processes are built and maintained with a full understanding of the weight and sensitivity of the information we handle, and knowing we need to protect against the many threats that exist within information security.”