Healthcare providers, whether in-patient, ambulatory, or ACO, are increasingly adopting SaaS (software-as-a-service) models because they free up capital, require less up-front spending, and shift routine “break-fix” work off their IT people and onto the software vendor.
But SaaS isn’t the only acronym bounced around when vendors meet healthcare providers – HIPAA is sure to be at or near the top of the jargon list, typically linked to words like “compliant” or “certified.” The only problem is there’s no such thing as HIPAA-certified software – and being “compliant” doesn’t mean you’re “secure” any more than posting a no-soliciting sign stops sales people from knocking on your door.
While HIPAA is the name everyone knows, it’s only part of the story when it comes to security and cyber defense. News media coverage would have us believe that the greatest cybersecurity threat to healthcare data is from state-sponsored cyber attacks, like those alleged to be perpetrated by Russia and China. While there are some large-scale hacks aimed at capturing huge amounts of Protected Health Information (PHI), the far more common and perhaps even more troublesome security issue plaguing healthcare providers is “breaches” of security.
Hacking vs. Breaches
I’m going to overgeneralize and oversimplify things a bit. The term “hack” normally indicates an external threat compromising a system to steal data, patient information, etc. On the other hand, “breaches” include things like insider threats as simple as clinical or administrative staff looking at patient information when they have no reason or authority to do so; in short, good old-fashioned nosiness.
Don’t Let Your Vendor Sass You
Some healthcare software vendors, whether as a sales tactic or through ignorance, imply that their software is secure because the data center where their application servers reside has high-level security compliance and certification, known as SOC 2 (Service Organization Controls).
But, much like flying in an airplane doesn’t mean you’re a pilot, your SaaS provider housing servers inside a SOC 2 compliant data center doesn’t mean their software is compliant with stringent security principles and protocols like SOC 2.
When a data center reports it is “SOC 2 compliant,” that relates to physical things like requiring two- or three-factor authentication to enter the data center, or that it provides redundant cooling, power and Internet pathways. The same holds true if your SaaS solution is being hosted in an Amazon Web Services (AWS) or Microsoft Azure environment – neither Microsoft nor Amazon is monitoring or updating your software, nor will they alert you to impending software operational issues.
What the SaaS vendor does inside that data center, specifically the security and privacy policies, procedures and principles that govern the way your SaaS software stores, protects and accesses sensitive data like PHI, is almost always the healthcare provider’s responsibility, whether they know it or not.
Because security and privacy in healthcare are very black-and-white issues – you never want to find yourself in a gray area when facing a HIPAA audit – Lightbeam made the strategic decision, and investment, early on to ensure that its SaaS-based population health platform is fully SOC 2 compliant.
It’s important to have that level of compliance in healthcare so that your SaaS solution meets the security procedures you want. Security tasks your SaaS vendor should provide include:
- Ensuring that your database is routinely and frequently backed up
- Having stout anti-virus programs running properly on every server
- Enforcing the requirements you select that govern who from your organization is allowed to access your servers and system
- Helping you establish and manage a ticketing system that is properly reviewed and documented to be sure that technical changes or fixes for your SaaS solution are being made in accordance with your wishes and policies
There are many more elements for what constitutes true security compliance and certification, especially when it comes to SOC 2. It’s vital to have a SaaS provider who’s truly your partner and shares your goals for how technology, data analysis and data management supports the delivery of high-quality healthcare while enhancing the patient experience and lowering overall healthcare costs.
Asking SaaS providers up front about their SOC 2 security compliance and certification is vital, because once you’ve reached 35,000 feet, no one wants to hear that dreaded PA announcement, “Does anyone know how to fly a plane?”
Jay Orler, Lightbeam’s Vice President of Infrastructure & Security