When implementing a corporate wellness platform, most sophisticated organizations perform a security and privacy assessment as part of their due diligence process. Know the essential questions to ask.
If the organization is located in the United States, HIPAA and HITECH are the primary considerations; in Canada, PIPEDA and the various provincial privacy laws must be met. Regardless of where an organization is located, the considerations are very similar and include both physical and logical security. If you have global employees, you may want to download our global privacy white paper to understand privacy laws around the world.
Know About Health Information Privacy and Security
As part of your due diligence, you likely researched multiple wellness portal vendors and may have conducted an in-depth RFP process, or you followed a more streamlined technology checklist process. Regardless of which process you followed, asking the right security questions is essential to making sure personal health information is safe and secure.
The Security Questionnaire
The overall security assessment process typically begins with the health technology vendor completing a security questionnaire. Questionnaires tend to have between 25 and 100 questions and are often followed by a meeting to review the answers and clarify responses. In some cases, a member of the customer’s IT security team will perform a site visit to review process documentation and verify the physical security of the data center.
Whether you are asking the questions or answering them, we thought it would be helpful to list the top 10 questions to ask with an explanation to help answer them correctly.
Top 10 Security Questions for a Wellness Platform
- Are you able to logically segment customer data so that only the data for a specific client can be produced, without directly or inadvertently accessing any other customer’s data, and can you provide a logical diagram describing the configuration? Many organizations require complete separation of their data from other organizations’ data. Database and application segregation must be designed in at the earliest stages of the service, whether as a separate database or schema per customer or as a tenant key that every query is forced to carry. The gotchas are the performance and management overheads of running many separate instances. Separate environments must also be built into your backup strategy so that you can destroy or restore the data of one specific organization without touching any other.
- What is your ability to fail over to a redundant service in a different geographic location? This involves duplicating production services, which incurs extra management overhead, along with the technical complexity of linking the two sites to allow efficient administration, deployment and quick failover. The reviewer will be interested in the failover checks and monitoring you have in place, and in how often failover is actually exercised, to ensure it works as expected should it be required.
- If the production service fails, in what timeframe can it be restored (Recovery Time Objective, RTO), and how much data can be lost (Recovery Point Objective, RPO)? Keeping transaction logs on a backup service that can restore customer data to within an hour or less of the incident is very appealing to clients, but it requires a significant investment in infrastructure and in staff experienced in configuring and administering it. It can make the difference between a client’s members losing an entire day or more of data and losing an hour or less.
- What identity federation standards do you support (SAML 2.0, WS-Federation, OpenID Connect, etc.)? SPML, which is sometimes listed here, is a user provisioning standard rather than a federation one. Large organizations typically use Single Sign-On (SSO) to integrate their wellness service with their intranet or other providers, and they expect the vendor to support industry standards for that integration. Supporting SSO requires infrastructure configuration changes and code, and integrating with each client’s identity provider can be challenging. Choosing a standards-based protocol such as SAML 2.0 provides an easier implementation path, especially when dealing with large organizations.
- Are industry standards such as ISAE 3402, SSAE 16 (now SSAE 18) SOC 2 Type 2, CSAE 3416 Type 2, CDSA, MULTISAFE, the CSA Trusted Cloud Architectural Standard or FedRAMP CAESARS used? There are numerous assurance standards in the information storage industry. For example, an ISAE 3402 report is issued under International Standard on Assurance Engagements 3402: the auditor’s report provides assurance that the service organization maintains effective internal controls relevant to its clients’ financial reporting, while a SOC 2 report covers security, availability, processing integrity, confidentiality and privacy controls. A Type 2 report attests that the controls operated effectively over a period (typically six to twelve months), not merely that they existed on a given date. FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. Meeting these standards requires staff resources as well as significant technology costs. You will be asked which standards you subscribe to and how you ensure they are maintained. Be prepared to provide the audit reports as well.
- What Software Development Lifecycle (SDLC) standards do you follow, such as the Building Security In Maturity Model (BSIMM) benchmarks, The Open Group Trusted Technology Provider Framework, NIST guidance, etc.? There are many industry standards that organizations look for in a vendor’s software development process. Clients look closely at the SDLC because it strongly determines the robustness and integrity of the service, which depend on the quality control and security considerations applied throughout the lifecycle. If no standard is followed, or the one followed is not an industry standard, the vendor must still be able to show that its lifecycle keeps risk to a minimum (for example, threat modeling during design, code review and static analysis before merge, and penetration testing before release). Adopting an industry standard requires an investment in educating staff and in controls that ensure the standard is actually followed.
- What steps do you take to ensure Personal Health Information (PHI, called protected health information under HIPAA) is valid and not corrupted during input and output of data? Describe your reconciliation and edit checks. Organizations want controls that prevent manual edits (by site managers and others) from corrupting the client’s data records or site configurations. A very serious concern is the prevention of cross-site scripting (XSS) and SQL injection. Developers must keep security and data integrity in mind when coding (server-side validation of every input, parameterized queries, output encoding), have controls in place that check this, and be able to demonstrate the process.
- Describe your risk management process across all aspects of the business, from logistics to HR to code development to IT infrastructure. Risk assessments are an extremely important part of an organization’s overall information security. A Risk Management Plan should be reviewed at least annually, with the likelihood and impact of each identified risk rated using qualitative and quantitative methods and the resulting treatment decision (mitigate, transfer or accept) recorded.
- Are you able to provide legally admissible forensic data, with staff experienced in this area? In the event of a security incident, such as a breach of confidential data where legal issues arise, being able to prove that the evidence was not altered is critical. If there is any doubt that the data could have been altered, even inadvertently (for example when exporting log entries and re-encoding them on the way out), the evidence may be ruled inadmissible in a court of law. Strict operating procedures must be in place and every action recorded with respect to how the evidence was collected, hashed and stored, so that its chain of custody can be demonstrated.
- What policies, procedures and training do you have in place with staff to protect PHI? Are you willing to supply copies of your organization’s policies, procedures and risk assessments? Securing your production infrastructure, office and staff, including staff computing behavior, cannot be overlooked or its importance minimized. Personal and mobile devices must be managed and considered carefully. A major cause of incidents is accidental data disclosure by staff.
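The segmentation question (first in the list) and the input/output integrity question both come down to how the application talks to its database. As an added example, not CoreHealth’s code and not from the original page, the following Python shows a lookup that is vulnerable to SQL injection and to leaking other tenants’ rows, beside a hardened repository that fixes the tenant key at construction, binds every parameter, applies edit checks to a blood-pressure reading before storing it, and HTML-escapes values on output. The `biometrics` table, the `acme` and `globex` tenants and the sample rows are constructed for illustration.

```python
"""
Added example, not CoreHealth's code: tenant-scoped, parameterized access to a
wellness table with server-side edit checks on PHI and output encoding.
The table, tenants and rows below are constructed for illustration.
"""
import html
import sqlite3
from datetime import date


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two tenants sharing one database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE biometrics ("
        "tenant_id TEXT NOT NULL, member TEXT NOT NULL, "
        "systolic INTEGER NOT NULL, measured_on TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO biometrics VALUES (?, ?, ?, ?)",
        [
            ("acme", "alice", 118, "2023-05-01"),
            ("acme", "bob", 131, "2023-05-02"),
            ("globex", "carol", 124, "2023-05-03"),
        ],
    )
    return conn


# --- Vulnerable: user input spliced into SQL, no tenant scoping ---------------
def lookup_vulnerable(conn: sqlite3.Connection, member: str) -> list:
    # The caller controls the WHERE clause, and nothing ties the result set to
    # the caller's own tenant, so one payload returns every customer's rows.
    sql = f"SELECT tenant_id, member, systolic FROM biometrics WHERE member = '{member}'"
    return conn.execute(sql).fetchall()


# --- Hardened: tenant key on every query, bound parameters, edit checks -------
class TenantRepo:
    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        self.conn = conn
        # Fixed when the repository is created (from the authenticated session in
        # a real service); no query method accepts a tenant id from the caller.
        self.tenant_id = tenant_id

    def lookup(self, member: str) -> list:
        # Values are bound by the driver, never interpolated into the SQL text,
        # and the tenant filter is supplied by the repository, not the caller.
        return self.conn.execute(
            "SELECT tenant_id, member, systolic FROM biometrics "
            "WHERE tenant_id = ? AND member = ?",
            (self.tenant_id, member),
        ).fetchall()

    def record(self, member: str, systolic: int, measured_on: str) -> None:
        # Edit checks: reject values that cannot be a valid reading so a manual
        # edit or a bad import cannot corrupt the record.
        if not member or len(member) > 64:
            raise ValueError("member id must be 1 to 64 characters")
        if not isinstance(systolic, int) or not 50 <= systolic <= 250:
            raise ValueError("systolic pressure outside plausible range")
        measured = date.fromisoformat(measured_on)  # raises on a malformed date
        if measured > date.today():
            raise ValueError("measurement date is in the future")
        self.conn.execute(
            "INSERT INTO biometrics VALUES (?, ?, ?, ?)",
            (self.tenant_id, member, systolic, measured.isoformat()),
        )

    def render_row(self, member: str) -> str:
        # Output encoding: escape before the value reaches HTML so a stored
        # name such as <script>...</script> is displayed, not executed.
        return "".join(
            f"<tr><td>{html.escape(m)}</td><td>{s}</td></tr>"
            for _tenant, m, s in self.lookup(member)
        )


if __name__ == "__main__":
    db = build_db()
    payload = "x' OR '1'='1"
    print(lookup_vulnerable(db, payload))          # all three rows, both tenants
    print(TenantRepo(db, "acme").lookup(payload))  # [] - the payload matches nothing
```

Parameterization stops SQL injection but not XSS: the hardened `record` will happily store a member name containing HTML, which is why `render_row` escapes on output. In a production service the tenant id must come from the authenticated session, never from a request parameter, and row-level security in the database is a useful further backstop when a single database is shared.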
If your corporate wellness technology provider can't answer these questions correctly, you should seek a vendor who can.
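For the forensic question above, the practical control is to fix the content of the evidence at collection time so that any later change, deliberate or accidental, is detectable. The following Python is an added example, not code from the page or from CoreHealth: it exports log lines as a hash-chained bundle with a custody record and verifies the bundle later, reporting the first entry that no longer matches. The sample log lines, the collector name and the source path are constructed.

```python
"""
Added example, not CoreHealth's code: exporting log entries as a hash-chained
evidence bundle with a custody record, and verifying the bundle later.
The log lines, collector and source below are constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: three lines exactly as they appear in an application log.
SAMPLE_LOG = [
    b"2023-05-02T10:14:07Z user=bob action=export_report tenant=acme rows=412",
    b"2023-05-02T10:14:09Z user=bob action=download file=report-acme.csv",
    b"2023-05-02T10:21:33Z user=mallory action=login result=failure src=203.0.113.7",
]

GENESIS = hashlib.sha256(b"").hexdigest()  # fixed starting value for the chain


def _entry_hash(prev_hash: str, raw_line: bytes) -> str:
    # Each digest covers the previous digest plus the raw bytes of the line, so
    # editing, deleting or reordering any line changes every digest after it.
    return hashlib.sha256(prev_hash.encode("ascii") + b"\n" + raw_line).hexdigest()


def export_evidence(lines, collector: str, source: str, collected_at=None) -> dict:
    """Build the bundle: untouched lines, their chained digests, and a custody
    record of who collected what, from where, and when."""
    collected_at = collected_at or datetime.now(timezone.utc)
    entries, prev = [], GENESIS
    for line in lines:
        prev = _entry_hash(prev, line)
        # surrogateescape keeps non-UTF-8 bytes round-trippable instead of
        # silently replacing them, which would itself alter the evidence.
        entries.append({"raw": line.decode("utf-8", "surrogateescape"), "sha256": prev})
    return {
        "custody": {
            "collector": collector,
            "source": source,
            "collected_at": collected_at.isoformat(),
            "algorithm": "sha256-chain",
        },
        "entries": entries,
        "head": prev,
    }


def verify_evidence(bundle: dict):
    """Recompute the chain. Returns (True, None) if the bundle is intact, or
    (False, i) where i is the first entry whose digest no longer matches;
    i == len(entries) means every entry verifies but the recorded head does
    not, i.e. trailing entries were removed."""
    prev = GENESIS
    for i, entry in enumerate(bundle["entries"]):
        prev = _entry_hash(prev, entry["raw"].encode("utf-8", "surrogateescape"))
        if prev != entry["sha256"]:
            return False, i
    if prev != bundle["head"]:
        return False, len(bundle["entries"])
    return True, None


if __name__ == "__main__":
    bundle = export_evidence(SAMPLE_LOG, "jdoe", "app-01:/var/log/wellness/app.log")
    print(json.dumps(bundle, indent=2))
    print(verify_evidence(bundle))  # (True, None)
    bundle["entries"][1]["raw"] = bundle["entries"][1]["raw"].replace("bob", "alice")
    print(verify_evidence(bundle))  # (False, 1)
```

The chain proves that the bundle you verify is the one that was exported, not who exported it: record the head digest out of band (in the incident ticket, or by signing the custody record) at collection time, and keep the raw bytes rather than a re-encoded copy, because re-encoding on export is exactly the inadvertent alteration the question is about.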
For details about HIPAA, please also refer to this HIPAA Compliance Checklist or speak with a CoreHealth Security Expert.
Note: CoreHealth is classified as a Business Associate under HIPAA. The CoreHealth platform can be configured to support HIPAA compliance by providing privacy and security components that follow national and international standards (e.g. HIPAA, ISO/IEC 27001, PIPEDA, GDPR). CoreHealth works with many organizations that are HIPAA compliant and helps them meet their compliance requirements while ensuring CoreHealth itself meets its own obligations as a Business Associate.
About CoreHealth Technologies
CoreHealth Technologies Inc. is the leading corporate wellness platform trusted by more than 1000 organizations, ranging from medium-sized businesses to Fortune 500 enterprises. At CoreHealth, we believe that developing the best employee wellness programs is all about giving wellness companies the right code, design and access to the latest innovations. With the most customization, integrations and reliability of any software in its class, CoreHealth’s powerful platform lets users focus on growing great companies.