The healthcare industry continues to seek new technologies to address the triple aim of access, cost and quality, and virtual care is one of them. An array of virtual technologies has made it possible to bring better care to more people at lower cost. It is no longer necessary to travel in person to a care facility, yet some challenges persist. The privacy and security of patient information is a major concern, so it is time to address these security concerns and keep them at bay.
Challenge: Security Concerns in the Virtual Care Environment
Creating a secure patient interaction has always been an essential factor in healthcare, and its importance is expected to grow significantly as conversations extend beyond your office. Despite the CMS waiver, we decided to make our platform HIPAA compliant as a first step. We then examined every piece of infrastructure that powers our virtual care solution and made each as secure as possible, so that you get an easy way to operate the system with all the complexity managed behind the scenes.
Our cloud-based architecture keeps all servers that store PHI in a private subnet that is not reachable from the internet. All web requests are routed through a proxy server in a public subnet behind a firewall. Only authorized connections are permitted, over port 443 via TLS (Transport Layer Security). The next layer is a firewall that protects the application and systems; it is configured on the principle of "allow specific, deny all", so anything not explicitly permitted is blocked. We have also deployed web application firewalls and use OSSEC as our file integrity monitoring tool.
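As an added example (not Innovaccer's own code or tooling), here is a small Python audit that checks a constructed set of security-group rules against the design just described: default deny, only TCP/443 from the internet to the proxy, and PHI servers reachable only from the proxy. The group names and rule format are assumptions.

```python
"""Audit security-group rules against an allow-specific/deny-all design:
PHI servers sit in a private subnet and accept traffic only from the
proxy (or other PHI tiers); the proxy is the sole public entry point
and accepts only TCP/443. Constructed example, not production tooling."""
from dataclasses import dataclass

INTERNET = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    group: str    # security group the ingress rule belongs to (assumed names)
    proto: str    # "tcp", "udp" or "-1" for any protocol
    port: int     # destination port; -1 means all ports
    source: str   # CIDR block or the name of another security group


def audit(rules, proxy_group="sg-proxy", phi_groups=("sg-phi-app", "sg-phi-db")):
    """Return a list of policy violations; an empty list means the
    ruleset matches the segmentation described in the post."""
    violations = []
    for r in rules:
        internet_facing = r.source == INTERNET
        if r.group in phi_groups:
            # PHI tiers must never be internet-facing and may only be
            # reached from the proxy or from another PHI tier.
            if internet_facing:
                violations.append(f"{r.group}: exposed to internet on {r.proto}/{r.port}")
            elif r.source != proxy_group and r.source not in phi_groups:
                violations.append(f"{r.group}: unexpected source {r.source}")
        elif r.group == proxy_group and internet_facing:
            # The proxy is the only public entry point, and only over TLS.
            if r.proto != "tcp" or r.port != 443:
                violations.append(f"{r.group}: internet ingress on {r.proto}/{r.port}, only tcp/443 allowed")
        if r.proto == "-1" or r.port == -1:
            # Wildcards contradict the deny-all baseline regardless of tier.
            violations.append(f"{r.group}: wildcard rule from {r.source} contradicts deny-all baseline")
    return violations


# Constructed sample rulesets: one compliant, one with two misconfigurations.
COMPLIANT = [
    Rule("sg-proxy", "tcp", 443, INTERNET),        # TLS from the internet to the proxy
    Rule("sg-phi-app", "tcp", 8443, "sg-proxy"),   # proxy -> application tier
    Rule("sg-phi-db", "tcp", 5432, "sg-phi-app"),  # application tier -> database
]
MISCONFIGURED = COMPLIANT + [
    Rule("sg-phi-db", "tcp", 22, INTERNET),        # SSH to a PHI host from anywhere
    Rule("sg-proxy", "tcp", 80, INTERNET),         # plaintext HTTP on the proxy
]

if __name__ == "__main__":
    for name, rules in (("compliant", COMPLIANT), ("misconfigured", MISCONFIGURED)):
        print(name, audit(rules) or "OK")
```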
For monitoring and logging, we rely on the web application firewalls and monitor VPC flow logs with Amazon GuardDuty to detect any security breach or data leakage.
We use QRadar as our Security Information and Event Management (SIEM) solution, which helps with real-time analysis of security alerts through the following features:
All data at rest and in transit is encrypted using industry-standard algorithms and transferred only over secure channels. Innovaccer has deployed appropriate technologies and methodologies to make PHI unusable, unreadable, or indecipherable to unauthorized individuals. Innovaccer uses AES-256 to encrypt data at rest and TLS 1.2 for data in transit.
1. Resolves User Authentication Worries
Our platform supports two-factor authentication. We also provide the flexibility to integrate with a customer's existing two-factor authentication solution. Innovaccer offers LDAP / Active Directory (AD) authentication as an option for identifying and managing users.
Administrators can configure Innovaccer's platform to use their existing LDAP or Active Directory system as the system of record for centralized management of user identities, organizational units, and credentials. Users authenticate to the platform with familiar credentials, which are checked against LDAP/AD on every login. Innovaccer uses an OAuth-based authentication mechanism for user login, providing industry-standard security for the application.
Access controls and permissions allow role-based, granular access to be granted to different user types on the platform, such as executive leadership, data staff, care coordinators, and providers' office staff.
2. Meets HIPAA and FISMA Requirements
Innovaccer's Data Activation Platform is HIPAA, HISP Privacy and Security, HISP, CEAP, and SOC 2 Type 2 certified. All logs related to these activities or changes are stored in an AWS S3 bucket for a minimum of six years, as required by HIPAA. Our six levels of security include:
Level 1: DNS Security
Allows us to prevent common cyber attacks such as DDoS (Distributed Denial of Service) at the CDN (Content Delivery Network) level.
Level 2: Infrastructure & Network Security
Level 3: Identity & Asset Management
Level 4: Data Protection
Role-based restricted access, following "minimum necessary" guidelines to protect PII and PHI.
Level 5: Governance
Level 6: Compliance
Innovaccer complies with all the security policies and procedures needed to ensure compliance with HIPAA requirements and has implemented all required security controls, some of which overlap with FISMA.
Virtual Care is Here to Stay
As virtual care continues to grow in popularity and capability, healthcare systems need to keep investing in virtual care security so that both physicians and patients are able to approach this method of healthcare delivery with confidence.
This was the last post in a series in which we discussed the challenges of delivering a secure virtual care experience and how a Data Activation Platform is helping drive virtual care adoption.
We’d love to hear your thoughts, insights, questions and success stories! Enter your comments below.