INTEGRATED CARE EXTERNAL WEB PRESENCE
IS6341 EDWARD MANTANONA, CHRISTOPHER BOYTER, DARYL BYRD, SIMON MARTINEZ
INTRODUCTION
• Integrated Care is a healthcare company that uses a website to attract clients and inform patients.
• The website includes a cloud-based patient portal with fillable forms for personal and insurance information.
• However, entering this information on the website poses risks and raises concerns about data security.
• This presents a problem regarding how to safeguard the data, whether transferred to the cloud-based EMR solution or encrypted through a secured submission email method.
Project Scope
• Integrated Care is concerned about the security and privacy of patient information on their website, which has a cloud-based patient portal and fillable forms with personal information and insurance information.
• Provide solutions for ensuring that patient information on Integrated Care’s website is safe.
• Reviewed the security features of Hostinger, which is Integrated Care’s current hosting company, and recommend ways to improve basic security, like encrypting subpages that are used.
• Reccomend a plan for running integrated-care.org that puts patient data protection first and gives Integrated Care control over data sovereignty and the implementation of security controls.
• Recommend cloud solutions that offer better security, and if necessary, suggest switching to a different hosting provider.
GATHER THE DATA • The website integrated-care.org is hosted by Hostinger.com, a web
hosting provider headquartered in Lithuania.
• However, the server site for integrated-care.org is located in the US.
• The website itself is not HIPAA compliant, which presents a risk for handling sensitive patient data.
• When dealing with patient records, the user is redirected to Elationhealth.com, a website that is HIPAA compliant.
• It is important to ensure that the handling of patient data on the website is secure and compliant with industry standards, and that the hosting provider and server location meet these requirements.
This is the likely path the member would use to log into either Hostinger or ElationHealth. The member has a separate login and user account on each. There is no sharing of data between sites. Elationhealth is HIPAA compliant and the patient’s medical and payment data is managed only on that site
Elation Health: A cloud-based EHR system for independent primary care physicians
● HIPAA Compliant: Elation Health claims to follow HIPAA regulations to protect patient information.
● Due Diligence Steps: ○ Review their website and documentation for HIPAA compliance statements. ○ Check for independent audits or certifications (e.g., HITRUST). ○ Examine privacy policies, terms of service, and related documents. ○ Contact Elation Health to request information on their HIPAA compliance
measures. ● Business Associate Agreement (BAA): Sign a legally binding BAA with Elation
Health to outline both parties’ responsibilities in handling PHI. ● Ongoing Compliance: Regularly review and update your organization’s practices
to maintain the privacy and security of patient information.
SECURITY CONTROLS
Risk management: Security controls are implemented to manage risks to an
acceptable level. Evaluating controls can help organizations identify areas
where they may be over or under-investing in security, enabling them to
make more informed risk management decisions.
IDENTIFY WEAKNESSES
● Overall, the process of identifying weaknesses in web assets based on
vulnerability scan data requires a combination of technical expertise, risk
management skills, and an understanding of the broader context in which
the web assets are used.
● Phishing attacks: Phishing attacks can trick users into disclosing sensitive
information or downloading malware onto their devices. This can
compromise web assets or lead to other types of attacks.
● The primary concern is avoiding HIPAA violations, as the current hosting company is Hostinger
which is not a HIPAA- compliant website. HIPAA compliance is a system and or culture that
healthcare organizations must implement within their business to protect the privacy, security, and
integrity of protected health information (PHI).
● Methods of HIPAA violations include office break-ins, postine PHI on the internet, discussing PHI in public, erroneously sending PHI, and cyberattacks and data breaches.
● The most common HIPAA violations are those committed internally, not data breaches or outsider hacking. They usually stem from negligence and lacity within the company in complying with privacy rules.
RECOMMENDED IMPROVEMENTS
● Software: Hosting websites and software can effectively maintain and protect sensitive patient data would be an improvement over the current use of Hostinger. Web hosting companies such as Atlantic.net, Practis.com, or Compliancy Group.com. In addition, adhering to privacy software and utilizing outsourced web hosting companies would significantly reduce PHI from data breaches and leaks.
● Policy updates: Integrated Care is a small company, and the bulk of PHI lost is due to internal threats and mistakes. Working remotely should be limited, ensuring that access to information is on a need-to-know basis and that physical security is prioritized and maintained. Physical protection of the working environment can help prevent illegal access to many patient records and help the company maintain its HIPAA compliance.
● Configuration Changes: Integrated Care network device configurations can dictate how network devices function and communicate within the network. Network administration for Integrated Care must continuously maintain updates and make all necessary configuration changes. A faulty configuration change can make the network vulnerable, granting unauthorized users access to confidential information and violating HIPAA standards.
Recommendations Continued
IMPLEMENTATION RECOMMENDATIONS
● Two alternate sources for hosting strictly medical services that are entirely HIPAA compliant are Pracis.com and Atlantic.net.
● Practis.com is a healthcare digital marketing agency that offers HIPAA-compliant web hosting for medical services.
● Atlantic.net is a cloud hosting provider offering complete cloud hosting solutions and Windows/Linux server solutions that can be hosted securely, meeting all security requirements.
● More research is required to obtain specific details and pricing information about these hosting solutions to make an informed decision.
Atlantic.net ● Offers HIPAA compliant hosting solutions for ePHI protection. ● Complete HIPAA Compliant Stack: Manages servers, networking, and storage. ● Technical Safeguards:
○ Access restrictions ○ Audit controls ○ Integrity controls ○ Transmission security
● Physical Safeguards: ○ Facility access controls ○ Workstation use and security ○ Device and media controls
● Administrative Safeguards: ○ Established policies and procedures ○ Security management process
Key Performance Indicators (KPIs) to measure security and
privacy effectiveness
● Biometric authentication adoption rate ○ Percentage of users enabling biometric authentication for accessing the patient portal ○ Demonstrates user trust and adoption of advanced security measures
● Unique and strong password usage ○ Percentage of users with strong and unique passwords for their accounts ○ Highlights user commitment to maintaining robust account security
● Two-factor authentication adoption rate ○ Percentage of users enabling two-factor authentication for their accounts ○ Indicates increased user engagement in protecting their information
● Overall user satisfaction with security and privacy measures ○ Assessment of user satisfaction through surveys or feedback methods ○ Captures user perception of Integrated Care’s commitment to data security and privacy
CONCLUSION
● Patients’ personal information must be kept safe on the Integrated Care website at all times, as handling sensitive patient data is a crucial aspect of healthcare services.
● To better safeguard patient data and guarantee data sovereignty and security controls implementation for integrated care, several steps should be taken: ○ Improved security foundations, such as encryption for dedicated sub-pages where
potential sensitive information would be entered by the patient, will be applied to better secure patient data.
○ Consider alternative cloud solutions that provide better security capabilities, such as Practis.com and Atlantic.net. Switching to a different hosting provider is recommended to ensure the highest level of data security.
○ Implementation and monitoring of suggested KPI’s ● It is critical to protect patient data and guarantee data sovereignty and security controls
implementation for integrated care, and these steps are necessary to achieve this goal.
THANK YOU!
Recent Comments