Cloud-based platform services have come a long way in the past 5-10 years. I can remember meeting with TPA owners and health plan leaders and IT departments explaining how our portals were actually more secure and compliant than their own infrastructure.
Now that cloud-based platforms are an accepted technology (and in many cases, a preferred technology), people see the value more immediately. However, I still think payers need to ask tough questions when selecting platform services. In particular, you should ask:
- What is included in your SOC 2 audit?
A SOC 2 report from an independent auditor is an absolute must-have for a cloud-based platform service. The audit tests whether the controls the provider has over its data centers, networks, systems, and staff meet the AICPA Trust Services Criteria (security, plus availability, confidentiality, processing integrity, and privacy where they are in scope). SOC 2 is not itself a HIPAA certification, but it is the evidence a payer needs that the platform is operated with the kind of administrative, physical, and technical safeguards the HIPAA Privacy and Security Rules expect. For example, to confirm that a platform service uses industry-accepted controls and safeguards for hosting, monitoring, and processing information, auditors will perform checks like:
- Coming in before hours of operation to make sure doors are locked
- Checking trash receptacles for PHI
- Checking that workstations are locked and that screens showing PHI are not left up unattended
- Checking physical security of data centers
But don’t just ask whether a platform service provider has the audit and how often it is performed. Dig a little deeper into the scope, because the service organization, not the auditor, decides what the report covers. For example, a SOC 2 report may leave the software development and release process out of scope, in which case nothing in the report tells you whether a developer can make a code change and push it to production without independent authorization. At Healthx, we have put in checks to prevent that. This matters in an agile company that releases updates every month. For more details about security practices at Healthx, scroll down to the Frequently Asked Questions below.
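One form such a check can take is a gate in the deployment pipeline that refuses to ship a commit unless the exact commit was approved by someone other than its author and passed CI. The block below is an added illustration, not Healthx's actual control; the change-request record format, field names, and the rule of one independent approver are assumptions, and the records are constructed sample data.

```python
"""Added example (not Healthx code): a pre-deploy gate enforcing separation of
duties and binding approvals to an exact commit hash.  Record format and the
approval policy are assumptions made for illustration."""
import re
from dataclasses import dataclass, field

FULL_SHA1 = re.compile(r"^[0-9a-f]{40}$")  # approvals must name a full commit hash


@dataclass
class ChangeRequest:
    """Hypothetical change-management record attached to a release."""
    ticket: str
    commit: str                      # full hash the approval applies to
    author: str                      # developer who made the change
    approvers: list = field(default_factory=list)
    ci_status: str = "unknown"       # "passed", "failed" or "unknown"


def check_release(commit, change_requests, min_independent_approvers=1):
    """Return (allowed, reasons) for deploying `commit` to production.

    Approvals are matched on the full commit hash rather than a branch or tag
    name, because a branch can move after it was approved; this is the usual
    hole in an "approved before deploy" process.
    """
    reasons = []
    if not FULL_SHA1.match(commit):
        return False, [f"deploy target {commit!r} is not a full commit hash"]

    cr = next((c for c in change_requests if c.commit == commit), None)
    if cr is None:
        return False, [f"no change request references commit {commit}"]

    independent = [a for a in cr.approvers if a != cr.author]
    if len(independent) < min_independent_approvers:
        reasons.append(f"{cr.ticket}: needs {min_independent_approvers} approver(s) "
                       f"other than author {cr.author}, found {len(independent)}")
    if cr.ci_status != "passed":
        reasons.append(f"{cr.ticket}: CI status is {cr.ci_status!r}, not 'passed'")
    return (not reasons), reasons


def demo():
    """Run the gate over constructed records: one good release, one
    self-approved, and one where the approval is for a different commit."""
    good = ChangeRequest("CHG-101", "a" * 40, "dev.alice", ["lead.bob"], "passed")
    self_ok = ChangeRequest("CHG-102", "b" * 40, "dev.carol", ["dev.carol"], "passed")
    stale = ChangeRequest("CHG-103", "c" * 40, "dev.dave", ["lead.bob"], "passed")
    records = [good, self_ok, stale]
    return {
        "good": check_release("a" * 40, records),
        "self_approved": check_release("b" * 40, records),
        # approval exists for "c"*40, but "d"*40 is what is being deployed
        "stale_approval": check_release("d" * 40, records),
        "branch_name": check_release("main", records),
    }


if __name__ == "__main__":
    for name, (allowed, reasons) in demo().items():
        print(name, "ALLOW" if allowed else "BLOCK", reasons)
```

Only the first release is allowed; the self-approved change, the approval that names a different commit, and a deploy request by branch name are all blocked with a stated reason, which is what an auditor reviewing the pipeline would want to see logged.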
- Which penetration tests do you run, and how often do you run them?
Thorough penetration testing is another must-have. It looks for exploitable vulnerabilities in systems. Some companies simply buy one automated scanning suite (HP sells one, for example) and run it annually. They also tend to assume that most of the findings are false positives, so they close them all and move on. To be blunt, once a year is not enough, and every finding should be investigated and either confirmed and fixed or documented as a false positive with the evidence that shows why.
At Healthx, we run our own penetration testing every month with every release. In addition, at least quarterly, clients have their own security teams run penetration tests against us and send us the report. That is why we are one of the most extensively tested solutions: we use our own tests plus just about every other test out there through our clients. Again, you can find more details in the Frequently Asked Questions below.
- Do you use modern TLS (SSL) encryption?
TLS, which most people still call SSL, is harder to get right than it may seem: the protocol versions offered, the cipher suites, and the certificate chain all have to be configured correctly. Although it is hard to do right, it is essential for us because our clients require it. Actually, you don’t even need to ask a platform service whether they use it; you can run your own check on any public site. Just go to the Qualys SSL Labs server test at https://www.ssllabs.com/ssltest/ and enter the hostname. Trust me, I go there all the time to check my banks and, of course, Healthx!
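To make concrete what that test is looking at, here is an added example, not Healthx code and not the SSL Labs scoring algorithm, that grades a TLS endpoint description on the same kinds of criteria (legacy protocol versions, weak cipher suites, lack of forward secrecy, certificate expiry and key size) and can collect a description from a live host with only the Python standard library. The grade thresholds and the sample configurations are assumptions for illustration.

```python
"""Added example (not Healthx code): a simplified, local version of the checks
the Qualys SSL Labs test performs.  Grade caps are the author's assumptions."""
import datetime as dt
import socket
import ssl

# Assumption: SSLv2/v3 are outright failures; TLS 1.0/1.1 cap the grade at C.
BROKEN_PROTOCOLS = {"SSLv2", "SSLv3"}
DEPRECATED_PROTOCOLS = {"TLSv1", "TLSv1.1"}
# Substrings in OpenSSL-style suite names that mean a weak or broken algorithm.
FATAL_CIPHER_MARKERS = ("NULL", "EXPORT", "anon")
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5")          # "DES" also matches 3DES
FORWARD_SECRECY_PREFIXES = ("ECDHE", "DHE")           # ephemeral key exchange


def grade_tls_config(protocols, ciphers, cert_not_after, key_bits=None, now=None):
    """Return (grade, findings) for an endpoint description.

    protocols      -- protocol names the server will negotiate, e.g. "TLSv1.2"
    ciphers        -- OpenSSL-style cipher-suite names the server accepts
    cert_not_after -- certificate expiry as a timezone-aware datetime
    key_bits       -- certificate public-key size, or None if unknown
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    findings, grade = [], "A"

    def cap(new_grade, msg):
        nonlocal grade
        findings.append(msg)
        grade = max(grade, new_grade)     # letters sort A < B < C < F

    for p in protocols:
        if p in BROKEN_PROTOCOLS:
            cap("F", f"{p} offered: broken protocol")
        elif p in DEPRECATED_PROTOCOLS:
            cap("C", f"{p} offered: deprecated protocol")
    if not ({"TLSv1.2", "TLSv1.3"} & set(protocols)):
        cap("F", "no modern TLS version (1.2 or 1.3) offered")

    for c in ciphers:
        if any(m in c for m in FATAL_CIPHER_MARKERS):
            cap("F", f"unauthenticated or null cipher suite offered: {c}")
        elif any(m in c for m in WEAK_CIPHER_MARKERS):
            cap("C", f"weak cipher suite offered: {c}")
    # TLS 1.3 suites are always ephemeral, so they count as forward secrecy.
    if "TLSv1.3" not in protocols and not any(
            c.startswith(FORWARD_SECRECY_PREFIXES) for c in ciphers):
        cap("B", "no forward-secrecy cipher suites offered")

    if cert_not_after <= now:
        cap("F", "certificate expired")
    elif (cert_not_after - now).days < 30:
        cap("B", "certificate expires within 30 days")
    if key_bits is not None and key_bits < 2048:
        cap("F", f"certificate key too small: {key_bits} bits")
    return grade, findings


def probe_host(host, port=443, timeout=5.0):
    """Collect a description of a live endpoint for grade_tls_config().

    This only sees the single protocol and suite negotiated with a modern
    client (the default context refuses TLS < 1.2), so it cannot prove a
    server does NOT also accept weaker options; the SSL Labs test enumerates
    those, which is why it remains the better check.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            expiry = dt.datetime.fromtimestamp(
                ssl.cert_time_to_seconds(cert["notAfter"]), dt.timezone.utc)
            suite, _proto, _bits = tls.cipher()
            return {"protocols": [tls.version()], "ciphers": [suite],
                    "cert_not_after": expiry, "key_bits": None}


def demo():
    """Grade two constructed configurations: a legacy one and a modern one."""
    now = dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc)
    expiry = dt.datetime(2030, 1, 1, tzinfo=dt.timezone.utc)
    legacy = grade_tls_config(["TLSv1", "TLSv1.2"], ["RC4-SHA", "AES128-SHA"],
                              expiry, key_bits=1024, now=now)
    modern = grade_tls_config(["TLSv1.2", "TLSv1.3"],
                              ["ECDHE-RSA-AES256-GCM-SHA384", "TLS_AES_256_GCM_SHA384"],
                              expiry, key_bits=2048, now=now)
    return legacy, modern


if __name__ == "__main__":
    for grade, findings in demo():
        print(grade, findings)
```

The legacy configuration grades F with four findings (TLS 1.0, RC4, no forward secrecy, 1024-bit key) and the modern one grades A with none. To check a real site, pass the dictionary returned by `probe_host("example.org")` into `grade_tls_config(**desc)`; remember that a single negotiated connection cannot reveal what else the server would accept.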
Frequently Asked Questions about Healthx security
What are the physical security access controls and processes for visitors, suppliers and employees?
Our data center facility is protected by a variety of sophisticated security systems that include biometric hand-scanners, card readers, video monitoring, glass-breakage alerts and a 24/7 on-site security team. In our offices, keypad entry is required on all doors. Access to information technology equipment requires keypad entry to a separate secure computer room. Our lobby has a motion-activated camera, and visitors must sign in and be escorted while in our offices.
What is the physical security access for highly secure rooms?
Highly secure rooms require a security card to enter, and individual cabinets require a key. Within our offices, there is a separate computer room that requires keypad access, and that access is granted only to information technology personnel.
What is Healthx’s fire suppression system?
Healthx’s F220 fire suppression system includes standard office sprinklers and separate fire extinguishers.
What are Healthx’s information security policies, standards and procedures?
Only authorized users are granted access to information systems. Each user is limited to specific, documented and approved applications, with defined levels of access rights. Computer and communication system access controls are enforced through user IDs that are unique to each individual user, so that every action is accountable to one person. Updates to policies and standards are communicated to Healthx employees by email and on our internal website.
What steps has Healthx taken to ensure that only appropriate personnel can access data records and files?
Healthx has measures in place to ensure that only appropriate personnel can access data records and documents. All accounts assigned to Healthx employees and contractors are given appropriate security levels. We conduct periodic access reviews to ensure that only active employees hold access, and we remove access when it is no longer needed. Changes in job roles require a review of the employee’s access. We also adhere to the control procedures established for our SOC 2 audit.
Does Healthx prohibit employees from saving Protected Health Information or Personally Identifiable Information (PHI/PII) on non-company computers?
Healthx prohibits employees from saving Protected Health Information or Personally Identifiable Information (PHI/PII) on non-company computers. It is our policy that no PHI is stored on individual hard drives. Employees found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Does Healthx have documentation in place to respond to a disaster event?
Healthx maintains a HIPAA guide that includes a comprehensive disaster recovery plan. Our platform is designed with multiple levels of redundancy to protect our clients against an unplanned interruption to their service, and the steps within the disaster recovery plan are tested monthly.