Orion Health’s Security By Design

Marnie Wilking develops rock-solid practices and protocols to protect the sensitive medical data of Orion Health’s customers

Industries evolve and mature in waves that are often driven by the threats they face. Soon after establishing an online presence, financial services companies were hit with security breaches and accompanying lawsuits, so the industry quickly learned how to protect clients’ money as well as their personal information.

Healthcare has begun to learn those same lessons only relatively recently. In fact, the industry now realizes that its information is even more valuable on the black market than financial records. Bank accounts and credit cards can be reimbursed and cancelled, but personal medical information lasts a lifetime.

Marnie Wilking, Orion Health Photo by Jodi Lynn

When Marnie Wilking assumed her role as global chief information security officer at Orion Health, she was coming from a twenty-year career in IT security in financial services. Her main responsibility was to establish a mature security program as quickly as possible for the company’s healthcare information technology solutions. This included setting up a security operations center (SOC), implementing automated delivery of Orion Health’s suite of SaaS applications, and qualifying for HITRUST certification.

“We needed automated, reliable delivery of security controls for every deployment,” Wilking says. “It protects our customers and goes a long way toward complying with the most stringent requirements.”

She developed key internal partnerships with the delivery engineering and operations teams. This enabled them to align their priorities, challenges, and solutions. She also identified outside vendors: Anitian for the SOC, and Trend Micro Deep Security for a reliable, lightweight tool to perform multiple security functions. The teams moved forward with what Wilking calls security by design—an approach that became their North Star—and embedded security tools in the automated delivery of every solution. As a result, Orion Health achieved HITRUST certification for its Amadeus product in a little more than half the anticipated time.

One of the reasons Wilking and her team were able to make so much progress is that she made it clear from the beginning that she intended to be a facilitative business partner. Security is often seen as an obstacle to others within the business, but her goal was to enable the business to run better and as fast as her colleagues want it to go.

“I’m here to be an enabler, not to create unnecessary barriers,” Wilking says. “Removing myself from that process and empowering teams to make decisions demonstrated that I meant what I said.”

Once all the components of delivery automation and security were in place, she presented the results to Orion Health’s executive team, where she explained how online public-facing applications are typically attacked repeatedly on a daily basis. The goal is to create a “funnel-shaped” process that limits the number of successful attacks. That is what Wilking’s system was doing: out of one thousand attacks per week, only two per week required active responses, and just one per month needed to be escalated to the security team.

“Many of the executives were initially shocked by the number of attacks,” Wilking reports. “But with a team and architecture in place to detect and respond in real time, they realized that the cost of their investment was well worth it.”

She also spends time educating customers on common misconceptions about the cloud. They range from believing it isn’t safe at all to assuming everything stored there is automatically secure. “Education is a big part of my responsibilities,” she says. “I discuss Amazon Web Services’ shared responsibility model, its infrastructure, capabilities, and how our team and products manage all of them. It helps them make more informed decisions.”

Wilking’s team is working with product development teams to automate application security testing. She succeeded in shifting the focus on security earlier in the development process by enabling developers to embed security into code development. They are also being trained to identify and address security bugs and vulnerabilities at those early stages.

“We are working with code developers to point out threats, how to avoid them, and give them tools to avoid having to go back to fix them later,” Wilking explains. “This reduces costs, saves time that can be devoted to new features, and improves overall code quality.”

In addition to security, Wilking oversees privacy, quality and compliance, and patient safety. The structure has led to a consolidated approach to all information assurance issues that provides comprehensive and timely information and direction to Orion Health’s product development team.

“We’re executing a broader assurance by design approach,” she says. “We’re not where we want to be yet, but like everything, it’s always evolving.”