Healthcare Tech 101: How to Excel in Security Reviews

Sze Hui

Meet Roundtrip’s Guest Author – Sze Hui

Sze Hui, CSPO has spent over 8 years in the healthcare industry, leading efforts to optimize workflows and eliminate copy/paste through data interoperability and integrations. As a Solutions Architect, Sze guides health systems through the technical implementation process, bringing data flow and business process together in a cohesive and seamless way.

Stop me if you’ve heard this one before – you’ve found an incredible software product that you’re ready to bring into your organization. It addresses problems that you’ve been working for years to solve and at a great price. There’s just one last meeting with the IT security team to get through. You hop on to the meeting, confident that this is just a formality – and then the Chief Information Security Officer (CISO) starts firing off questions and acronyms. The vendor rep starts to shrink in front of their camera, and by the end of the meeting, everyone’s demoralized. Oddly specific? Well, I was once the vendor rep in this scenario. What follows is the story of how we turned a contentious CISO into a partner, and the lessons that everyone can draw from my experience.

Certifications Matter

Like in many other fields, there are a few certifications that will go a long way to easing a CISO’s mind. These certifications represent a stamp of approval that a vendor company has approached information security thoughtfully and thoroughly. Here are a couple to look for:

  • SOC 2 Type II – a certification developed by the American Institute of Certified Public Accountants, the SOC 2 Type II certification includes hundreds of control categories that range from how often server infrastructure software is updated, to physical access control to office buildings. SOC 2 Type II not only requires a thorough documentation of policies related to security, it also requires that companies prove they follow these policies through an annual independent audit. The two most significant outputs of this certification process are the audit results, as well as a document called the Information Security Management System (ISMS), which is the collection of all of the policies that SOC 2 Type II requires that a company create.
  • HITRUST – a certification developed by the HITRUST Alliance, the HITRUST certification covers much of the same ground as the SOC 2 Type II. The HITRUST certification aligns the controls it tests for with provisions of the Health Insurance Portability and Accountability Act (HIPAA), focusing in particular on the handling of electronic protected health information (ePHI). HITRUST audits are performed by assessor companies who are members of the HITRUST Alliance.

You’ll notice that HIPAA certification isn’t on this list. That’s because HIPAA does not, by itself, prescribe how a company should approach securing PHI, only that companies must do it. As a consequence, many companies can claim that they’re HIPAA compliant and take vastly different approaches to that compliance.

When selecting a health IT vendor, at a minimum your vendor should be able to provide proof of certifications upon request, and preferably should be able to offer that documentation proactively. At Roundtrip, we achieved an initial SOC 2 Type II certification in 2021, and have successfully maintained that certification in every year following.

Showing the Receipts

Having the ISMS document to point to went a long way towards easing the mind of our doubtful CISO, but there were still many other questions to answer. Through the process of this sale, we ended up creating a set of collateral that we call the “Ham and Eggs” deck. (Our VP of Engineering named it with a golf reference about team members being able to cover for each other’s weaknesses.) This deck serves as a summary of key points from our ISMS, and it also provides visual context for topics like:

  • Application architecture – applications that take full advantage of being in the cloud can look very different from those that are meant to be hosted on-premises. An application architecture diagram helps lay out how data flows, where it’s stored, and helps facilitate conversations about what’s under the hood. Common questions we get from customer information security teams include:
    • How is each customer’s data kept separate and private?
    • How are software releases and updates handled and communicated to customers?
    • How often are security updates applied?
  • Data policies, including around retention, and whether the data leaves the United States.

When it’s time to talk to the information security team, don’t go it alone. Have your vendor back you up on the call, with someone who’s able to dive deep into the details of their application’s technology infrastructure.

An ADT Feed of Few Words

In health tech, when we talk about an EMR integration, most of the time what we’re really referring to is a feed of data from the EMR into a receiving application. That feed is a little bit of a blunt instrument though – when a patient record changes, messages are blasted out to every interested party. If you’re not careful, your vendor may end up receiving much more data than they need. The more PHI is sent out from an organization, the bigger the potential blast zone from a data breach at a vendor, so it’s important to make sure that the feed of patient data is appropriate for the vendor application.

In some cases, it’s possible to design workflows such that an action in the EMR sends just one message, so the receiving vendor application gets only what they need to know. It’s more likely than not that an integration of some sort is going to be in scope as part of a health IT purchase, so as part of the purchasing process it’s important to consider whether and how the flow of data coming out of the EMR can be cut down to size.
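The “cut down to size” idea above is usually enforced in the integration engine that sits between the EMR and the vendor, but the policy itself is simple enough to show in code. The following is an added example, not Roundtrip’s integration code: it filters constructed HL7 v2 ADT messages so that only a hypothetical allow-list of trigger events, segments and PID fields reaches a vendor. The event list, segment list and field numbers are assumptions standing in for what a real vendor actually needs; the diagnosis (DG1), insurance (IN1), next-of-kin (NK1) segments and the SSN field (PID-19) are the kind of data a transportation vendor has no reason to receive.

```python
"""Minimise an HL7 v2 ADT feed before it reaches a vendor.

Added example (not Roundtrip's or any integration engine's code). The
sample messages and the allow-lists below are constructed for illustration.
"""
from typing import Optional

# Hypothetical policy for a transport-scheduling vendor: only the events it
# acts on, only the segments it reads, only the PID fields it needs.
ALLOWED_EVENTS = {"A01", "A03"}                 # admit, discharge
ALLOWED_SEGMENTS = {"MSH", "EVN", "PID", "PV1"}
# PID field numbers the vendor needs (HL7 1-based numbering):
# set id, patient identifier list (MRN), name, date of birth, address, phone.
ALLOWED_PID_FIELDS = {1, 3, 5, 7, 11, 13}


def event_type(msh: str) -> str:
    """Return the trigger event (e.g. 'A01') from MSH-9 ('ADT^A01')."""
    fields = msh.split("|")
    # MSH-1 is the field separator itself, so MSH-n sits at index n-1.
    msg_type = fields[8]
    return msg_type.split("^")[1] if "^" in msg_type else ""


def minimise_pid(pid: str) -> str:
    """Blank every PID field not on the allow-list, keeping positions intact."""
    fields = pid.split("|")
    for i in range(1, len(fields)):         # fields[0] is the segment name
        if i not in ALLOWED_PID_FIELDS:
            fields[i] = ""
    return "|".join(fields)


def minimise_adt(message: str) -> Optional[str]:
    """Return a reduced copy of the message, or None if the vendor shouldn't get it."""
    segments = message.strip("\r").split("\r")
    if not segments or not segments[0].startswith("MSH|"):
        return None                         # not a well-formed HL7 v2 message
    if event_type(segments[0]) not in ALLOWED_EVENTS:
        return None                         # e.g. A08 demographic updates are dropped
    kept = []
    for seg in segments:
        name = seg[:3]
        if name not in ALLOWED_SEGMENTS:
            continue                        # DG1, IN1, NK1, OBX ... never leave
        kept.append(minimise_pid(seg) if name == "PID" else seg)
    return "\r".join(kept) + "\r"


# Constructed sample: an admit message carrying far more than a vendor needs.
SAMPLE_A01 = "\r".join([
    "MSH|^~\\&|EMR|HOSP|TRANSPORT|VENDOR|202401010800||ADT^A01|MSG0001|P|2.5",
    "EVN|A01|202401010800",
    "PID|1||MRN123^^^HOSP^MR||DOE^JANE||19700101|F|||1 MAIN ST^^SPRINGFIELD^IL^62701"
    "||5551234567||||||123-45-6789",
    "NK1|1|DOE^JOHN|SPO",
    "PV1|1|I|WARD1^1^A",
    "DG1|1||I10^Hypertension^I10",
    "IN1|1|PLAN1|INSURER",
]) + "\r"
# Same record as a demographic update, which this vendor does not act on.
SAMPLE_A08 = SAMPLE_A01.replace("ADT^A01", "ADT^A08")


if __name__ == "__main__":
    print(minimise_adt(SAMPLE_A01).replace("\r", "\n"))
    print("A08 forwarded:", minimise_adt(SAMPLE_A08) is not None)
```

Blanking fields rather than deleting them keeps the PID field positions stable, so the receiving application still parses the message normally; dropping whole segments and whole trigger events is where most of the reduction in blast radius comes from.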

Everyone Hates Passwords – Get Rid of Them

Everything we use on the web these days has a password – and it can be exhausting trying to keep track of them. I’ve seen people use everything from password managers (great) to a notes file on their computer (not so great) to a sticky note on the desk (aka the information security officer’s worst nightmare). Every additional account represents an additional risk of a data breach. How do we make sense of the madness? This is where single sign-on (SSO) shines – one-click logon, no passwords to remember, and instant compliance with your organization’s security standards. Insist on having SSO as part of any vendor offering – your CISO will sleep better.

Conclusion – Getting to Yes

At the end of the day, the CISO is looking out for your organization’s best interests when it comes to information security. In an age of increasingly sophisticated bad actors on the Internet, the principle of “first do no harm” is especially important when it comes to stewardship of patients’ health data. Checking that your vendors are doing the right thing in regards to information security is something that’s necessary, if sometimes a little painful.

So, how did that customer scenario at the beginning turn out, and how do you make sure it doesn’t happen to you? After every painful conversation with the customer’s information security team, we learned, and came back with better documentation and better shareable material. Eventually, we were able to show that our technology practices were up to snuff, and this customer is now a valued partner. From this experience, we’ve built out an extensive library of shareable materials. Our tech conversations have grown much shorter, and it’s amazing how collegial they can be when a vendor is prepared, open, and honest. With a little bit of preparation and collaboration with your prospective vendor, this can be your experience too.

Ready to take on transportation problems at your organization, and need a partner who can put both your clinical and information security teams at ease? Reach out to our team here to get started.