How Twine Health Ensures Complete PHI Security and Privacy: Going Beyond HIPAA Checkboxes

Twine Health is a SaaS-based healthcare platform that connects patients and providers to enable collaborative care. We do business with entities as small as solo practitioners up to some of the largest healthcare organizations, which means we need to meet a wide range of security and compliance requirements in order to serve our customers.

Our belief is that caring for health needs shouldn’t just happen during visits: it needs to happen between visits as well. We believe in the same approach when it comes to security and compliance. While many processes and technologies may need to be put in place or fine-tuned during an event like a compliance audit, those practices should be upheld long after the audit to ensure complete protection and privacy of data. In this post, I’ll detail how we do that.

Why Compliance Isn’t Enough to Guarantee Security

If you work in healthcare as a business associate like we do, you know that, in order to do business, you have to meet compliance regulations. In healthcare, that means HIPAA. But while HIPAA helps companies put in place a lot of the fundamental security and compliance strategies, processes, and tools they need, it doesn’t cover everything that companies should be doing. Compliance regulations such as HIPAA are often 10 to 15 years behind the times, which means the things they require don’t necessarily reflect the security concerns that companies and their customers are facing today.

On the same note, we don’t think it makes a lot of sense to show customers and prospects just what we did to meet HIPAA requirements — things like having security policies, using encryption, and having access controls for various critical systems. To us, that’s really just the starting point for what security should be.

The big companies we talk to share the same opinion. They are extremely diligent — as they should be — about verifying the security features we have in place and checking to see how we manage the security and privacy of patient data. And a lot of what they look for goes far beyond what HIPAA requires — to include vulnerability monitoring, file integrity monitoring, and so on.

When we first realized how security-conscious these large companies were, we made a commitment to going beyond HIPAA to meet actual customer requirements, as well as to codify and uphold the standards we believe we should have in place as a company.

Implementing Scalable Security and Compliance

At first, we were able to meet the requirements that prospects and customers were looking for by manually implementing different features or processes, but as our business began to scale, this manual effort did not. We needed to go beyond manually reviewing production logs to automate the monitoring of our entire infrastructure so we could receive real-time alerts when anomalous activities occur. We knew this probably meant an intrusion detection system (IDS), but we really needed a solution that offered a more complete feature set and could scale with us as we grow.

That’s when we came across Threat Stack. Threat Stack offered the complete picture — everything from workload and infrastructure monitoring to vulnerability management as well as threat intelligence and compliance reporting. Vulnerability management, for example, is something HIPAA doesn’t call for, but to us, it’s a commonsense way to ensure the security of our infrastructure in the cloud.

With the features that Threat Stack provides, our conversations with even the biggest healthcare organizations have become much easier. We’ve gone from long, grueling conversations detailing our security practices to a much faster process of explaining the system we have in place (e.g., threat intelligence) via Threat Stack, signing a contract, and starting to do business.

Keeping Pace With Today’s Healthcare Security Needs

While HIPAA provided the baseline compliance we needed to do business in the healthcare sector, our growth has been fueled by the “above and beyond” security steps we have taken. Our entire team is dedicated to keeping on top of the latest trends and best practices, following what companies like Threat Stack are saying and doing. To us, that’s often a good indicator of what the next generation of security defenses are.

For example, when we first signed up for Threat Stack, we didn’t know if we needed vulnerability management. When Threat Stack added it to their capabilities, we quickly realized the benefits of having this feature in place when we were able to identify our current vulnerabilities and address them proactively.

Beyond Compliance is Better Security

At the end of the day, implementing the right level of security for your organization means:

  • Meeting compliance requirements (HIPAA)
  • Upholding customer requirements (policies, processes, tools)
  • Using apps and features that fit these requirements

Going beyond compliance checkboxes is an approach we believe in and hope to see more companies adopt. In our experience at Twine Health, it’s the best way to ensure complete security and privacy of sensitive data.