As a leading provider of population health management technology and services, Medecision maintains and manages data for roughly fifty million lives. Protecting the confidentiality, integrity, and availability of those healthcare records falls to Brenton McKinney, the organization’s vice president of security.
McKinney joined the company to help take Medecision’s security to the next level by pursuing a HITRUST certification.
“The HITRUST certification is comprehensive and specific to the healthcare industry. Depending on the scope, it can range from several hundred to a thousand security controls that have to be met,” McKinney says. “That meant we had to do more than write policies and procedures. We needed to properly implement processes and technologies, measure their effectiveness against the standards, and then make continuous improvements.”
One of the first steps toward those objectives was a risk-based assessment of the current security state. Qualifying and quantifying that risk required understanding the business model and customers’ security requirements and interpreting the HITRUST compliance requirements. For example, Medecision had to recognize that while it has its own third-party vendors, it also acts as a third-party vendor to its clients. McKinney then overlaid the company’s processes, technology, and personnel resources and capabilities. Finally, everything was evaluated against the ever-changing set of threats likely to exploit vulnerabilities across the enterprise.
All of these efforts resulted in a practical road map that defines how security enables the business to operate in a secure manner without hindering business goals and objectives. For deployment and management, Medecision ultimately decided to develop third-party partnerships rather than create an in-house security team. Typically, service partners are capable of providing greater depth, retention of highly skilled security professionals, and economies of scale to reduce costs, McKinney says.
“Partnering with the right providers offers us flexibility and scale,” McKinney says. “They can respond more quickly to threats and can provide a much broader view of risks and best practices as a result of working with other clients across other critical infrastructure sectors.”
Medecision partnered with Rackspace, a cloud service provider that focuses on infrastructure, networks, and platforms, as well as Armor, which monitors hundreds of devices for the company. Armor also provides alerting and incident response in the event of an attack.
“Between compliance mandates, cyberattacks, and the explosive growth of electronic health records, protecting the privacy, security, and availability of sensitive data is a critical challenge that the healthcare industry can’t ignore,” says Wayne Reynolds, chief security officer at Armor.
Because both partners are also HITRUST certified, they were able to deliver improvements and recommendations almost immediately. For example, Rackspace and Medecision completed a large software-as-a-service migration together, and about eighty of Medecision’s HITRUST security controls are satisfied by the Armor solution.
“We don’t just want new toys because technology can’t solve every problem,” McKinney says. “So we don’t focus exclusively on it as the only solution. We focus on the most effective solutions that serve multiple purposes and offer greater return on investment. Sometimes that may entail simply changing the process.”
In addition to working with Rackspace and Armor, McKinney led the development of streamlined and updated policies and procedures that make it easier for employees to find answers when needed. The policy manual also provides more transparency to customers and potential clients.
“There’s an inherent Catch-22 when explaining policies and procedures to customers because you must be careful not to reveal sensitive implementation details,” McKinney explains. “Now we can share a policy document that comprehensively explains what we do to protect every single part of the business, but that doesn’t risk exposing details on how we do it. Those details are in our procedures.”
“Brent’s leadership and impressive knowledge of information security has allowed the quick development of a top-notch information security program at Medecision,” says Cathlynn Nigh, CEO of BEYOND LLC. “What has really led to Brent’s success is his ability to effectively communicate across all levels of the Medecision team.”
A great deal of effort has been put into educating company developers on new security requirements, as well as into making security considerations part of their everyday work as early as possible in the development life cycle. This began with explaining why changes were being made and the benefits they would provide. McKinney saw this as addressing the “human part of security, which is often overlooked and underestimated.”
For example, if a policy prohibiting the use of USB drives were rolled out without explanation, employees would be upset about losing the convenience they provide. However, if details on the risks are provided—such as that it only takes seconds for a drive to launch malware embedded at the hardware layer into the system—there is much greater acceptance of and compliance with the new policy, he says.
On the development side, McKinney has been successful at introducing security solutions as an integral part of the software development life cycle (SDLC).
“If we get security baked in at the beginning of the SDLC process, we can test for vulnerabilities ahead of time instead of finding them just prior to deployment, resulting in delays, or conversely, accepting a high degree of risk without remediating the vulnerabilities,” he says.
By training developers to write code using secure techniques from a project’s inception, it is estimated that thousands of hours are being saved, McKinney says. From a practical standpoint, introducing early vulnerability scanning has also enabled the team to address weaknesses almost immediately so that resulting fixes can be included in all future iterations.
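One concrete form that "early vulnerability scanning" takes is a check that runs on the developer's machine before code ever reaches a branch. The following is an added example, not Medecision's tooling: a pre-commit style scan for credential-shaped strings in the files about to be committed, which fails the commit on a hit. The patterns, the allowlist marker and the sample files are constructed for the example.

```python
"""Pre-commit secret scan: catch hard-coded credentials at the developer's desk.

Added example, not Medecision's tooling. Rules, ALLOW_MARK and SAMPLE_FILES are
constructed for illustration; the git call at the bottom is only used when the
script runs as an actual hook with --staged.
"""
import re
import subprocess
import sys

# Credential-shaped patterns. Regexes are deliberately narrow to keep noise low;
# a real deployment would use a maintained rule set.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded-password": re.compile(r'(?i)(password|passwd|pwd)\s*=\s*["\'][^"\']{8,}["\']'),
    "generic-api-token": re.compile(r'(?i)(api[_-]?key|token|secret)\s*=\s*["\'][A-Za-z0-9_\-]{20,}["\']'),
}

# An explicit, reviewable exception: the offending line must carry this marker.
ALLOW_MARK = "# allow-secret:"


def scan_text(path, text):
    """Return (path, line_number, rule_name) for every line that trips a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ALLOW_MARK in line:
            continue
        for rule, rx in RULES.items():
            if rx.search(line):
                findings.append((path, lineno, rule))
    return findings


def scan_files(files):
    """files: {path: contents}. Returns all findings across the set."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def exit_code(files):
    """Hook contract: non-zero blocks the commit."""
    return 1 if scan_files(files) else 0


# Constructed sample "staged files": two real hits, one PEM block, one allowlisted line.
SAMPLE_FILES = {
    "app/config.py": (
        'DB_PASSWORD = "hunter2hunter2"\n'
        'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'   # AWS's documented example key id
    ),
    "app/settings.py": (
        "PASSWORD_MIN_LEN = 12\n"
        'DEFAULT_PASSWORD = "changeme-on-install"  # allow-secret: installer placeholder\n'
    ),
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n",
}


def staged_files():
    """Contents of files staged for commit (real git invocation, hook mode only)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout
    return {p: open(p, encoding="utf-8", errors="replace").read() for p in out.split()}


if __name__ == "__main__":
    files = staged_files() if "--staged" in sys.argv else SAMPLE_FILES
    for path, lineno, rule in scan_files(files):
        print(f"{path}:{lineno}: {rule}")
    sys.exit(exit_code(files))
```

Run without arguments it scans the constructed sample and exits 1 with three findings; installed as `.git/hooks/pre-commit` and invoked with `--staged` it scans the real index. The allowlist marker keeps exceptions visible in code review rather than in a separate config nobody reads.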
As he continues to find ways to strengthen protection of Medecision’s data and infrastructure, McKinney and a team of colleagues have been working on a business impact analysis across the enterprise. This systematic review determines the most critical factors for each department, why they are important, and how to adequately protect them. The resulting information will help guide the company in allocating funds, and it will also help prioritize data and prescribe actions in its disaster recovery processes.
Another major project is an identity and access management solution that can be customized to serve the specific needs of each department. It is anticipated that it will be integrated at the API or application layer of each of the company’s more than twenty applications. It will also have the ability to accommodate single sign-on as well as mobile application authentication.
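What "integrated at the API layer" looks like in practice is a check each application performs on every request before doing any work. The following is an added example, not Medecision's design: a hypothetical identity provider issues HMAC-SHA256-signed JWTs to both the single-sign-on web front end and the mobile app, and a backend verifies signature, issuer, audience, expiry and scope using only the standard library. The issuer URL, audience name, shared secret and sample tokens are constructed for the example; a production deployment would use asymmetric keys fetched from the IdP rather than a shared secret.

```python
"""API-layer token verification (added example, not Medecision's code).

Assumes an IdP that mints HS256 JWTs. ISSUER, AUDIENCE and SECRET are
constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://sso.example.internal"       # hypothetical identity provider
AUDIENCE = "care-mgmt-api"                     # one of the company's applications
SECRET = b"constructed-example-secret-rotate"  # example only; real keys come from a KMS


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def issue_token(subject, scopes, ttl=300, now=None, aud=AUDIENCE):
    """What the IdP does after SSO or mobile login: sign a short-lived token."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": aud, "sub": subject,
              "scope": " ".join(scopes), "iat": now, "exp": now + ttl}
    signing_input = f"{_b64url(_json(header))}.{_b64url(_json(claims))}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def forge_unsigned_token(subject, scopes, now=None):
    """Attacker-style token: alg 'none', empty signature. Must be rejected."""
    now = int(time.time()) if now is None else now
    header = {"alg": "none", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "scope": " ".join(scopes), "iat": now, "exp": now + 3600}
    return f"{_b64url(_json(header))}.{_b64url(_json(claims))}."


def verify_token(token, required_scope, now=None):
    """Return claims if the token is valid for this API, else raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm server-side; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:          # a token for app A must not open app B
        raise ValueError("wrong audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    if required_scope not in claims.get("scope", "").split():
        raise ValueError("insufficient scope")
    return claims


def authorize_request(token, required_scope, now=None):
    """Middleware entry point: (allowed, subject-or-reason)."""
    try:
        claims = verify_token(token, required_scope, now)
    except ValueError as e:
        return False, str(e)
    return True, claims["sub"]


if __name__ == "__main__":
    t = issue_token("user-42", ["patients:read"], now=1000)
    print(authorize_request(t, "patients:read", now=1100))
    print(authorize_request(t, "patients:write", now=1100))
    print(authorize_request(forge_unsigned_token("admin", ["patients:write"]), "patients:write"))
```

Each of the twenty-odd applications would carry the same `authorize_request` call but its own `AUDIENCE`, which is what stops a token minted for one application from being replayed against another.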
McKinney is also looking into advanced encryption methods that could potentially reduce the footprint of the personal health information the company manages. In turn, this would reduce the amount of sensitive data that needed protection in the first place.
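The article does not say which methods are under consideration, so the following is an added example of one common way to shrink a PHI footprint, not a description of Medecision's approach: a tokenization vault that keeps the identifying fields in one place and hands every other system an opaque token. Downstream analytics and reporting stores then hold no PHI, so only the vault needs PHI-grade controls. The field names, vault key and sample records are constructed for the example.

```python
"""Tokenization vault to reduce where PHI lives (added example, not Medecision's code).

PHI_FIELDS, VAULT_KEY and SAMPLE_RECORDS are constructed for illustration.
"""
import hashlib
import hmac
import secrets

VAULT_KEY = b"constructed-vault-hmac-key"  # example only; keep real keys in an HSM/KMS
PHI_FIELDS = ("member_id", "dob")          # the identifying fields we refuse to spread


class TokenVault:
    """Maps PHI values to random tokens. Only this component ever sees plaintext."""

    def __init__(self, key: bytes):
        self._key = key
        self._by_token = {}    # token -> plaintext (the only PHI store)
        self._by_lookup = {}   # HMAC(plaintext) -> token, so repeats get one token

    def tokenize(self, value: str) -> str:
        # Keyed hash for the lookup so the index itself is not a reversible copy of PHI.
        lookup = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
        tok = self._by_lookup.get(lookup)
        if tok is None:
            tok = "tok_" + secrets.token_hex(16)   # random: no relation to the value
            self._by_lookup[lookup] = tok
            self._by_token[tok] = value
        return tok

    def detokenize(self, token: str) -> str:
        # Raises KeyError for unknown tokens; callers must be authorized first.
        return self._by_token[token]


def strip_phi(record: dict, vault: TokenVault) -> dict:
    """Copy of record safe for non-PHI stores: identifying fields become tokens."""
    out = dict(record)
    for field in PHI_FIELDS:
        if field in out:
            out[field] = vault.tokenize(out[field])
    return out


def restore_phi(record: dict, vault: TokenVault) -> dict:
    """Inverse of strip_phi, for the few workflows that legitimately need PHI."""
    out = dict(record)
    for field in PHI_FIELDS:
        if field in out:
            out[field] = vault.detokenize(out[field])
    return out


# Constructed sample claims: two rows for the same member, one for another.
SAMPLE_RECORDS = [
    {"member_id": "M-100-2231", "dob": "1980-05-17", "claim_total": 812.50},
    {"member_id": "M-100-2231", "dob": "1980-05-17", "claim_total": 40.00},
    {"member_id": "M-100-9874", "dob": "1975-11-02", "claim_total": 129.99},
]


def strip_all(records, vault):
    return [strip_phi(r, vault) for r in records]


if __name__ == "__main__":
    vault = TokenVault(VAULT_KEY)
    for row in strip_all(SAMPLE_RECORDS, vault):
        print(row)   # tokens instead of member ids and birth dates
```

Tokens are deterministic per value so the reporting store can still join claims by member; the trade-off is that low-entropy fields such as date of birth become open to frequency analysis, so in practice a deterministic token is used for the join key and a fresh random token (or no field at all) for everything else.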
“We want solutions that will increase overall security but not put additional burdens on users,” McKinney says. “This requires a complete understanding of our business ecosystem.”
Avoiding the Whack-A-Mole Strategy
Brenton McKinney is careful not to fall into the trap that traditional cybersecurity methods create—constantly trying to catch up with threat actors’ most current schemes. He refers to it as avoiding the whack-a-mole strategy. “Many companies respond to an attack, make adjustments, then respond to another that uses a different approach, then another, and another, and so on,” he says. “It’s a strategy that doesn’t work and is very expensive to sustain.”
Instead, McKinney has condensed the five functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover) into a three-stage process of prepare, respond, and recover. These three areas represent the actions or activities that happen before (prepare), during (respond), and after (recover) a compromise. This enables Medecision to focus on what he says is ultimately an organization’s most important action: recover.
“Despite the best proactive efforts, incidents can still happen,” McKinney explains. “In addition to extensive prevention, it’s equally important to ensure you’re prepared to get the business back up and running as quickly as possible.”
Photos by Cass Davis