Avoid a Data Disaster With Your Wellness Software
If you are a corporate wellness provider managing programs for clients, then privacy and security of employee data is critical. Learn how to prevent a data disaster and rest easy.
This is Part 1 of a 10-part Must Have blog series focussing on the security and compliance of your wellness technology. As a wellness provider, your success will greatly depend on the security of your data. And it’s not just because of a potential privacy breach (which would be devastating to your business’s reputation and the clients you serve) but also because you will need to respond to extensive security assessments and questionnaires just to win corporate wellness business.
ARE YOU CONFIDENT YOUR DATA IS SECURE?
DO YOUR DUE DILIGENCE
Wellness providers are often under intense scrutiny by clients to prove the data maintained within their corporate wellness software is secure and compliant with today’s rigorous requirements. It’s essential you do your due diligence and have the answers.
It’s also helpful to understand the most common privacy and security vulnerabilities so you know what kinds of scenarios you are trying to prevent.
BE PREPARED FOR DIFFICULT QUESTIONS
Because CoreHealth works with a variety of wellness providers, we are intimately familiar with the types of questions being asked. Some of them are listed below:
- Do you provide tenants with documentation describing your Information Security Management Program (ISMP)?
- Do your information security and privacy policies align with particular industry standards (ISO-27001, ISO-22307, CoBIT, etc.)?
- Can you provide evidence of due diligence mapping of your controls, architecture and processes to regulations and/or standards?
- Do you have documented information security baselines for every component of your infrastructure (e.g. hypervisors, operating systems, routers, DNS servers, etc.)?
- Do you have a capability to continuously monitor and report the compliance of your infrastructure against your information security baselines?
- Does your security information and event management (SIEM) system merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting?
- Does your incident response capability include the use of legally admissible forensic data collection and analysis techniques?
It’s also helpful to be familiar with the top 10 security questions to ask when choosing a wellness platform.
DO YOU HAVE THE ANSWERS?
As you contemplate these questions, consider the following:
- If you are partnering with a corporate wellness technology provider, ensure that they will assist you with all security due diligence processes, ideally at no charge.
- Your technology provider must also be willing to provide onsite data center tours if you are servicing larger customers.
- If you are building your own platform, you will need to think about the long-term ramifications of security requirements such as ensuring that you have a reputable datacenter with willing support staff who can help you answer the physical and computer security questions.
- Depending on your geographic location and where in the world you service your customers, you may be subject to privacy laws. For example:
  - If you are a Covered Entity, you are required to comply with HIPAA and associated privacy law.
  - If you or your customer is in Canada, you are subject to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).
  - If you work with employers with international employees, you need to be aware of the specific laws of those countries.
As a Covered Entity, you must comply with the two HIPAA rules:
- The HIPAA Privacy Rule applies to all protected health information.
- The HIPAA Security Rule applies only to electronic protected health information.
As stated by HHS under its General Rules summary of the Security Rule, the HIPAA Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments.
Because of this flexibility, each risk assessment will be unique. If you are a small or medium-sized covered entity, you can use a HIPAA risk assessment to evaluate your risk. Regardless of your size, be sure that you have your technology partner sign a Business Associate Contract that defines the rules under which they are to store your data.
GLOBAL PRIVACY RULES
If your business is global, or you support multinational companies, it will be easier if you are able to store your data outside of the United States, because various privacy laws favour countries that enforce federal privacy law, such as Canada. Canada is a good option: it is guided by privacy laws that are known to be some of the most stringent in the world and, as such, is one of the few countries considered ‘adequate’ under the European Union’s stringent requirements.
SAFE TECHNOLOGY ENVIRONMENT
Regardless where your data is stored, look for these as indicators of a safe technology environment:
- Data center certifications, such as SSAE 16 SOC 2 Type II (formerly SAS 70), SOC 2/ISAE 3402, AT 101 SOC 2 Type 2, etc.
- As many as seven layers of physical security between the front door and an individual computer rack.
- Fully redundant: multiple telecommunications carriers and multiple geographically diverse locations.
- Segregation between client data and client traffic.
- Least-privilege methodology for application access.
- Software developed according to secure coding principles.
- Encryption: database transparent data encryption (TDE) with at least AES-256 for all data at rest, and Transport Layer Security (HTTPS) for data in transit.
- Mature backup procedures with low recovery point objectives (RPO).
- Regular vulnerability scanning and penetration testing.
- Unified Threat Management with intrusion detection and prevention, along with active monitoring.
- Frequent security risk assessments.
- Data breach response and business continuity plan.
- Regular staff training on protecting Personal Health Information (PHI).
If you are in IT, this information probably isn’t overwhelming at all but may come with a few surprises.
However, if you’re a ‘non-techie’ type, it’s important to understand these considerations to ensure you find a platform provider that is familiar with these rules and can ‘talk shop’ with your in-house or technical IT team (so it may be easiest simply to forward this to them).
ABOUT COREHEALTH TECHNOLOGIES
CoreHealth Technologies Inc. is the leading corporate wellness platform trusted by more than 1000 organizations, ranging from medium-sized businesses to Fortune 500 enterprises. At CoreHealth, we believe that developing the best employee wellness programs is all about giving wellness companies the right code, design and access to the latest innovations. With the most customization, integrations and reliability of any software in its class, CoreHealth’s powerful platform lets users focus on growing great companies. For more information, contact CoreHealth or explore the CoreHealth website.
Written by Mark Duller
Mark has almost 20 years’ experience in various IT Administration and Security positions internationally. Prior to CoreHealth, Mark served as a Computer Security Specialist at the University of Oxford, England.