How Top Employee Wellness Programs Stay Totally Secure
Here are the top 10 ways to maintain the security of your wellness platform.
All employee wellness programs involve managing private information. This can include personal health information (PHI), identification numbers, and other sensitive information, so a sophisticated security procedure is key for maintaining the privacy of your participants. To make sure your program is in line with HIPAA and HITECH laws (US) or PIPEDA (Canada), here are the top 10 ways to maintain the security of your wellness platform and abide by employee privacy laws.
- Use a Single Sign On. The best programs are the simplest. Simplify your program with a single sign on (SSO) to integrate your wellness portal and your intranet or other providers. Industry standards must be met, so choosing a standards-based SSO, such as SAML2, will provide an easier implementation path.
- Segment data so you can view for one client or individual at a time (without accessing any other customer data.) And make sure that you can delete and restore data for specific groups or individuals, too. Top organizations produce a logical diagram for the configuration that they can share with clients and participants. Database and application segmentation must be considered in the initial stages of design. See more here.
- Fail-safe your data with a redundant service in a different location. If the main system fails, do you have standby equipment? Duplicate production services that require extra management, and link the two wellness portals for effective administration and quick recovery.
- Quick service restoration in the event of a crash. A primary concern for many organizations is the ability to get back online if the system crashes. In the event of a crash, you’ll want information that was backed up less than an hour before the incident. Make sure that your information is frequently and automatically backed up.
- Meet or exceed industry standards for wellness technology security. There are numerous standards regarding private information storage. Providing a standardized approach to security assessment, authorization, and continuous monitoring require resources and significant technology costs, but they’re necessary to keep your participants’ information safe. Store your information in a physically safe location.
- Software development. Is your software development process up to industry standards? Software Development Lifecycle indicates the robustness and integrity of service, which indicates quality and security during wellness technology software’s lifecycle.
- Ensure personal health information (PHI) is valid. Organizations want to ensure that controls are in place to prevent manual edits (from site managers, etc), cross-site scripting, or SQL injections to effect client data records. Developers must keep this in mind as they create the software, and have continuing control checks to make sure information is unaffected by software glitches.
- Have a strong risk management process (for all parts of your business). For everything from logistics to HR and IT infrastructure, risk assessments are extremely important for overall information security. Do you have a risk management plan? Make sure to review it at least annually, taking into account the likelihood of identified risks.
- Provide legally admissible forensic data. In the event of a security incident (especially a breach in confidential information where legal issues arise), being able to provide proof that evidence was not altered is crucial. Strict operating procedures must be in place and all actions recorded with respect to how evidence was collected to ensure it’s legally admissible. See more information in this article.
- Review your PHI policies with staff. A major cause of privacy violations is due to accidental data disclosures by staff. Do your employees know how to protect PHI? Make sure your policies are clear and have recurring trainings to review your procedures and risk assessments.
While this can seem overwhelming, CoreHealth has security experts ready to help you carefully navigate security so you can confidently protect wellness program participants. Whether you’re looking to create or buy wellness technology, these 10 points are a starting place to make sure your program is secure and in line with employee privacy laws.
Want to speak with a CoreHealth security expert? Contact us!
About CoreHealth Technologies
CoreHealth Technologies Inc. is the leading corporate wellness platform trusted by wellness providers for more than 1000 organizations, ranging from medium-sized businesses to Fortune 500 enterprises. At CoreHealth, we believe that developing the best employee wellness programs is all about giving wellness companies the right code, design and access to the latest innovations. With the most customization, integrations and reliability of any software in its class, CoreHealth’s powerful platform lets users focus on growing great companies. For more information, explore the CoreHealth website.
Written by Laura Neuffer
Laura Neuffer, M.S., has 9 years of experience in corporate wellness.