More Than Data: Protecting Healthcare Information

We’ve all experienced that sinking feeling when we discover our credit card has been caught up in a data breach.

These days, it’s not the potential for fraudulent charges that is our biggest concern following such a discovery. Massive data breaches targeting credit card data have become so commonplace, it’s not unheard of for people to receive a replacement card multiple times in a year.

The biggest frustration is that our lives are setup to run on auto-pay, and with that replacement card comes a day of trying to remember exactly who we pay using the card and when! I don’t know about you, but spending time trying to remember if I pay the water company with my card or directly from my bank account is not exactly my idea of a fun or productive time.

With credit card compromise, however frustrating it is, we have options. Within moments of a card being compromised it can be shut down and a replacement issued.

When it comes to personal health information (PHI), there is no such option.

If a healthcare record is compromised, a replacement medical history cannot be shipped to you in the mail.  Personal health information is more than data, and this is something that we never lose sight of at Accolade.

Over the last couple of years, electronically stored healthcare records have become prime targets for cybercriminals with varying motivations. Several high-profile breaches resulting in the potential compromise of millions of electronic healthcare records, have done little to inspire confidence in the security of electronic healthcare records.

We all know that technology has, and will continue to, greatly improve the healthcare experience for everyone, and we cannot afford to allow security and privacy concerns to stifle innovation. This is why we tackle security and privacy head on. This is why I personally chose to work at Accolade. To us, protecting PHI is about more than data security.

At Accolade, we treat security as a continuous process. We never stop looking for ways to improve.

To give an example of this mindset in action, earlier this year, we launched a number of initiatives to help bake security into our software development practices. We use the word “bake” deliberately in this context because it allows us to use one of our favorite security analogies, the blueberry muffin.

Think of the muffin as the application, and the blueberries as the security features.

Quite commonly, organizations attempt to add security to applications as an afterthought. In the context of our muffin, this would be like smearing the blueberries onto the top of the muffin.

Things would get messy quickly, and once you bit through that layer of blueberries, there would be no more. Remember, the blueberries are the security features and we strive for more than a single layer!

At Accolade, to make sure we’re firmly baking the blueberries into the muffin:

  • Each application development team has a designated member who serves as an extended representative of the main Accolade security team.
  • Development teams are encouraged to consider a variety of security scenarios through special security stories in their development backlogs. These stories encourage them to consider malicious perspectives and motivations they might not have considered previously (you know, because our developers are nice people!).
  • We launched our Accolade PHI manifesto, which is a set of promises we make in regard to applications we build that handle PHI.

These examples come from just one area of our overall security program.

I’d like to leave you with the opening paragraph of our PHI manifesto, which I think sums up our approach to PHI and the seriousness with which we treat the privilege of being able to serve our clients.

“We should not treat our data as data, because it’s more than that. Treat every single row of a database as if it were a human life, because that’s exactly what it represents. We treat PHI as we’d want our PHI treated.”

For more information, watch the webinar: Protecting Healthcare Data: Failure is Not an Option.

Accolade Chief Information Security Office Mike McGee and Director of Information Security Mike Sheward discuss the state of healthcare information security.