OR WAIT null SECS
Health IT innovations require all stakeholders to bolster their cyberdefenses.
Image has been modified. Courtesy of Defense Systems.
It’s an exciting time to be a technologist in the healthcare industry. For many of us, the opportunity to impact lives in a positive way is giving meaning to our work that’s hard to find elsewhere. But with that opportunity comes a tremendous responsibility; the outdated Silicon Valley mantra of “move fast and break stuff” still strikes a chord of fear within the halls of health systems due to the sanctity of patient privacy and data security. As we entice health systems with our ability to build systems quickly, we must also prove that we can do so with the highest security standards.
I’d like to share how we’ve gone about building our company around security, in the hopes that it sparks conversation among other business leaders and technologists. This isn’t about what we do for clients — it’s what we do to protect ourselves.
First, it all starts with the culture. Culture is a loaded word, but in this context I am referring to the shared set of ideals and values that each of our staff members bring to work each and every day. Our main approach to security is to consider severe events a matter of “when” and not “if.” Therefore, any potential flaw in our security is the company’s No. 1 priority.
We continuously monitor our software and cloud configurations for anything that might constitute a risk, from accessibility of cloud infrastructure to code that introduces potential script attack vectors. Issues found using this process supersede any other work in priority. It is paramount that we reduce the occurrence of these issues, so that the team can focus on innovation and moving our company forward. It’s important to note that this does not work if not embraced at the highest levels of the company; it requires the full support of executives and founders.
Now that we’ve embraced security from the top down, we need an internal tool that will allow us to communicate internal our compliance status and next steps. If our goal here is perfection, we need a process that will make the final audit process a formality. Certifications and audits are cost prohibitive for smaller companies, forcing executive teams to make hard choices in order to get a stamp of approval from a third party.
In order to minimize that cost while still ensuring that we can sleep at night, we need a strategy for performing our own internal certification process. For Conversa, that has meant the continual use of the Cyber Security Alliance’s Consensus Assessments Initiative Questionnaire (CAIQ). This questionnaire provides an audit that covers everything from HITRUST to SOC2 to PCI compliance, not to mention the HIPAA privacy, security and notification rules, ISO 97001 and many others. This tool has allowed us to take compliance into our own hands, and I can’t recommend it enough if you have any doubts about where your technology stands.
A quick aside about shipping software updates: Relative to the rest of the technology industry, health systems and technology providers still tend to ship on a quarterly schedule at best, a glacial rate of change. Much of that is driven by fear — primarily, the fear of making that one change that brings about a disastrous regression. If we accept that mitigating regression risk is a key factor in security, let’s minimize the risk by minimizing the amount of change introduced to the system, by shipping software with more frequency. Smaller companies can move fast because they are typically unburdened with the heavy processes and bureaucracy that naturally develop as large businesses become enterprise companies, but we need to make sure we apply our security-first mentality by investing in continuous monitoring.
For companies striving to be first-rate technology partners to health systems, accept that enterprise systems view your technology with extreme skepticism, and therefore you have an opportunity and a responsibility to lead with security. Ensure that you are building within your team culture a sense of ownership around security — don’t silo responsibility to a separate team or owner.
We have the potential to move healthcare forward faster than ever before, and we can do so in a manner that has the potential to be more secure than our larger counterparts. Continuous deployment and monitoring minimize change, while requiring engineering and operations to work hand in hand, eliminating the silos that create risk.
Scott Anderson is CTO at Conversa Health, an intelligent patient relationship management (PRM) platform that allows doctors to deliver continuous, personalized care. Previously he was an engineer at WalmartLabs and Xerox. Connect with Scott on LinkedIn.
Get the best insights in healthcare analytics directly to your inbox.