The healthcare sector is under constant attack from cybercriminals. They seek to infiltrate systems; expose patient data, medical records and personally identifiable information; and extort millions of dollars in ransom. The Verizon Data Breach Investigations Report went so far as to declare the industry “under siege” due to the extent of its vulnerability problem.
“Healthcare is beset by ransomware gangs and this led to an increase in confirmed data breaches in 2022,” said Suzanne Widup, a researcher for the Verizon Data Breach Investigation Report. “Healthcare is seen as a soft target where there are a lot of internal errors that lead to vulnerabilities,” Widup added.
The report noted an increase in confirmed data breaches due to ransomware encryption in healthcare over the past couple of years. These attacks are resulting in more data being compromised, bigger ransoms being demanded and longer outages being suffered by healthcare providers.
Healthcare SaaS-based digital payer platform HealthEdge lives in this challenging environment. As well as having to deal with hackers, it must adhere to strict laws and regulations such as HIPAA and numerous data privacy rules. Security and compliance are high priorities.
Featured partners
See also: A security element often overlooked by executives
The company hosts its software in various colocation sites with the number of sites rising due to rapid expansion. In order to act as responsible stewards of the information entrusted to them by their clientele, HealthEdge uses a number of strategies.
HealthEdge’s security strategies
All-flash arrays
The company made a strategic move to transition from hard disk drive systems to much faster and more compact flash storage from Pure Storage. These units include various security features, including snapshotting, immutability and intelligent file indexing that delivers accurate version tracking and recoverability of files.
Previously, HealthEdge had implemented a hyper-converged storage platform. These large cabinets contained storage, compute and networking components. The cabinets were pre-engineered to integrate closely and deliver high performance. They performed well in their day but no longer met the organization’s needs, the company said.
Due to a massive increase in storage capacity demands, the cost of adding these large appliances became prohibitive. It wasn’t possible to just add storage. Users had to purchase the entire box with a predefined amount of storage, compute power and networking capability.
“We were seeing storage capacity growth of 30% or more per year, and these units became expensive to scale,” said Kendra Rozett McCormick, senior manager of datacenter and network operations at HealthEdge. “Maintenance of these boxes was difficult as we were dealing with consistent disk failures and high costs,” McCormick said.
As well as switching to all-flash arrays, the company subscribes to its Evergreen program. This provides continual upgrades to the latest direct flash modules, controllers and software without having to engage in disruption by switching out storage arrays.
See also: How data governance affects data security and privacy
Secure point to circuit
Another security strategy employed at HealthEdge is secure point to circuit. Data transfers are challenging due to the sheer volume of information and the possibility of data loss or a data breach during the transfer. Thus, HealthEdge said it decided to upgrade from traditional VPNs to a dedicated point-to-point circuit. As well as improved security, the circuit provides better performance, monitoring and troubleshooting.
Authentication
HealthEdge’s high-speed connectivity solution offers secure user authentication via OpenID Connect and/or SAML 2.0 protocols for user authentication. These enable customers to authenticate their users via a secure Identity Provider. As a result, sensitive credentials are only sent directly to the customer’s IdP.
Payer authentication is delegated to the customer’s IdP. This allows clients to apply their own password policies independently without HealthEdge involvement. Multi-factor authentication is included. Users must use two or more categories of authentication to verify their identity, such as a unique token or a biometric.
Single sign-on was set up as a one-time activity. Once implemented, the same configuration works seamlessly across all of the environments that make up a particular health plan. It encompasses production, pre-production, test and development. SSO accelerates deployments and upgrades and reduces operational costs while maintaining security.
See also: A look into Data Privacy Week, 2023
Network security
Dedicated circuits set up a Layer 3 connection point between HealthEdge and customer data centers. This connection point serves as the entry point for the dedicated circuit and facilitates the transfer of data between HealthEdge and client infrastructure. To keep it secure, a Network Address Translation IP address is required as an endpoint for routing traffic. This ensures that data is directed correctly between HealthEdge and the customer network with high performance and reliability. To further enhance resilience, an IPsec VPN tunnel is also established as a passive, redundant connection. In the event of the dedicated circuit becoming unavailable, the IPsec VPN tunnel acts as a backup, enabling continued data transfer.
Disaster recovery
Finally, disaster recovery plans are developed for each HealthEdge client. These plans are tested and updated regularly to ensure they remain effective by the HealthEdge IT security and compliance team. Simulations are done to identify gaps or weaknesses in the plans, as well as ensure the plan is consistent with changes to business operations or IT infrastructure.