This blog post is written by Wellsource Director of Software Development John Kiser. John leads all software and development projects and teams at Wellsource, as well as IT projects. John finds that coaching and leading teams of technology professionals requires carefully cultivating passion and integrity within those teams—and that passionate, engaged teams produce truly exceptional results.
At Wellsource, our business is providing our customers a high-quality digital health risk assessment (HRA) platform that is engineered with contemporary security best practices at its foundation. Why are security concerns kept front and center in our development process? Because when participants take an HRA, they are placing trust in the infrastructure and software environment hosting it to protect the sensitive data they share.
How does an HRA earn that trust? Through robust controls for security, compliance, and privacy. This isn't a nice-to-have add-on for your software solution, or something you might pay extra for, but rather a cornerstone of the underlying architecture and daily processes of your HRA vendor, and a signal of the dedication of a properly trained and professionally vetted team.
Privacy Considerations for Your HRA
Think about your own interactions with health and wellness providers for your personal care. You are confident sharing your personally identifiable information (PII) and protected health information (PHI) because you trust they are in compliance with HIPAA privacy regulations. The same is true for the individuals taking your HRA.
When choosing an HRA, part of your evaluation process should include privacy and security related questions like:
- How often does your HRA partner audit themselves to ensure their compliance is airtight?
- Are they doing enough as the threat landscape continues to evolve new hazards for data security and privacy?
- How do they transmit and store protected personal and health data?
- Are staff thoroughly and regularly trained in privacy and security best practices?
If the HIPAA "wall of shame" is any indication, the privacy practices of many organizations may well not be sufficient. In September of this year alone there were 88 reported security and privacy incidents affecting 3,879,726 individuals, according to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) breach report.
In today's threat environment, you need assurances that the proper security investment has created the best bulwark against data theft and breach for your HRA users. You also need proof that their comprehensive security and privacy policies and actions include at least annual reviews and continuous mitigation efforts, so they stay ahead of bad actors and of the changing technology that keeps raising the risks.
At the same time, security can't get in the way of an engaging user experience and the functionality of the HRA in collecting data your health and wellness programs need to improve health outcomes. How does your organization draw the line between function and security—what is your risk appetite?
Answering these questions requires a fully-fledged security and privacy program that considers these concerns at every step of development. This includes ubiquitous training and formal controls that ensure that data protection happens seamlessly, unobtrusively, and consistently.
At Wellsource, we have committed to 114 controls that cover, among other things, how we:
- Conduct employee security training
- Carry out background checks
- Conduct IT risk assessments
- Maintain and use a change management system, and commission third-party intrusion and network penetration testing
- Enforce a comprehensive IT security program consisting of vulnerability and patch management, data protection and disposal, network and server hardening, incident response, disaster recovery, and much more
We even stipulate how we shred paper documents and carry out performance reviews. In today's expansive digital health landscape, our clients can rest assured we have them covered—from antivirus to zero-day exploit mitigation!
The Bigger Picture: Earning Trust from HRA Participants with Security
While it's critical to dot all the i's and cross all the t's in IT security, our focus never leaves the end user—the participants taking our HRAs. They don't want to think about complicated security and privacy concerns, and they shouldn't have to.
Our audited infrastructure investments, experienced technology teams, robust quality assurance, and anticipatory client care allow us to keep participant data safe while at the same time giving participants an engaging experience.
Learn more about the privacy and security measures we take at Wellsource, or download our checklist for evaluating HRA vendors for more information on privacy and security considerations.