
Mitigating Cybersecurity Risks From Healthcare Business Associates

Your healthcare organization can have the best cybersecurity defenses in place, but how do those of the third parties with access to your patient data measure up? Learn the key evaluation questions that reduce the risk of data breaches originating with business associates.

Cybersecurity is vital when it comes to safeguarding protected health information (PHI). However, Protenus’ 2022 Breach Barometer report found that business associates were responsible for nearly 21 million patient record breaches. And in the first half of 2022, business associates were involved in 36% of reported healthcare data security incidents. So how can you trust that your business associates keep their own systems safe?

To help answer that question, we sat down with Protenus Chief Information Security Officer Brian Reavey to talk about the challenges of cybersecurity and gain insight into how Protenus, as an organization that handles PHI, ensures the safety of the data entrusted to us. Learn how we're reducing risk by developing our platform with security baked into our infrastructure, a determination to secure data, and a commitment to our customer community.

What are some common challenges you're seeing emerge in the cybersecurity space?

There's a big focus now on social engineering — bad actors are phishing via email, making phone calls, trying to breach an organization via an unsuspecting employee. The human element remains the hardest to secure. 

What is Protenus doing to address these challenges?


Along with minimizing what employees have access to in order to keep the scope as small as possible if a breach were to occur, we have a robust security training curriculum we require all employees to complete on a routine basis. We also do a lot of awareness training and testing scenarios. For example, we’ll regularly send phishing emails to our employees and measure how many report the suspicious messages so we know where to focus our training efforts.


On a day-to-day basis, what security metrics are you currently monitoring at Protenus?

We’re constantly monitoring for indicators of a security compromise. We use automated tools that look for suspicious behavior, similar to the Protenus application, where we employ machine learning to monitor every access and identify outliers.
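The answer above describes monitoring every access and flagging outliers. As an added illustration (not Protenus code, and not the machine-learning model the platform actually uses), the script below runs two simple, explainable signals over a constructed PHI audit log: a robust z-score on the number of distinct patients each user touched, and a count of accesses outside an assumed working-hours window. The log lines, the 07:00-19:00 window and the 3.5 cutoff are all assumptions.

```python
"""Flag outliers in PHI access over a constructed audit log (added example).

Signals:
  1. users whose distinct-patient count is an outlier against the population
     (modified z-score using the median absolute deviation), and
  2. accesses outside an assumed working-hours window.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed audit-log lines: "<ISO timestamp> <user> <patient id>"
SAMPLE_LOG = """\
2024-03-04T08:05 nurse_a P100
2024-03-04T09:10 nurse_a P101
2024-03-04T11:40 nurse_a P102
2024-03-04T08:15 nurse_b P103
2024-03-04T09:20 nurse_b P104
2024-03-04T10:05 nurse_b P105
2024-03-04T13:30 nurse_b P106
2024-03-04T08:30 clerk_c P107
2024-03-04T14:10 clerk_c P108
2024-03-04T08:45 doctor_d P109
2024-03-04T09:50 doctor_d P110
2024-03-04T11:00 doctor_d P111
2024-03-04T15:20 doctor_d P112
2024-03-04T09:00 nurse_e P113
2024-03-04T10:30 nurse_e P114
2024-03-04T12:00 nurse_e P115
2024-03-04T22:05 tech_f P200
2024-03-04T22:07 tech_f P201
2024-03-04T22:09 tech_f P202
2024-03-04T22:11 tech_f P203
2024-03-04T22:13 tech_f P204
2024-03-04T22:15 tech_f P205
2024-03-04T22:17 tech_f P206
2024-03-04T22:19 tech_f P207
2024-03-04T22:21 tech_f P208
"""

WORK_START, WORK_END = 7, 19  # assumed working-hours window, 24h clock
OUTLIER_THRESHOLD = 3.5       # conventional cutoff for the modified z-score


def parse_log(text):
    """Parse lines into (timestamp, user, patient) tuples; skip blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient = line.split()
        records.append((datetime.fromisoformat(ts), user, patient))
    return records


def distinct_patients(records):
    """Number of distinct patient records each user accessed."""
    seen = defaultdict(set)
    for _, user, patient in records:
        seen[user].add(patient)
    return {user: len(p) for user, p in seen.items()}


def volume_outliers(counts, threshold=OUTLIER_THRESHOLD):
    """Users whose distinct-patient count is a robust outlier.

    Modified z-score 0.6745 * (x - median) / MAD: the median and MAD are far
    less distorted by the outlier itself than a mean/stdev z-score would be.
    """
    values = list(counts.values())
    median = statistics.median(values)
    mad = statistics.median(abs(v - median) for v in values)
    if mad == 0:  # degenerate population (everyone identical): nothing to rank
        return {}
    scores = {u: 0.6745 * (c - median) / mad for u, c in counts.items()}
    return {u: round(s, 2) for u, s in scores.items() if s > threshold}


def after_hours(records, start=WORK_START, end=WORK_END):
    """Map user -> number of accesses outside the [start, end) hour window."""
    hits = defaultdict(int)
    for ts, user, _ in records:
        if not (start <= ts.hour < end):
            hits[user] += 1
    return dict(hits)


def review_queue(text):
    """Combine both signals into rows a privacy analyst would review."""
    records = parse_log(text)
    flagged = volume_outliers(distinct_patients(records))
    late = after_hours(records)
    users = sorted(set(flagged) | set(late))
    return [{"user": u, "volume_zscore": flagged.get(u),
             "after_hours": late.get(u, 0)} for u in users]


if __name__ == "__main__":
    for row in review_queue(SAMPLE_LOG):
        print(row)
```

On the constructed log only tech_f is queued: nine distinct patients at 22:00 against a population that sees two to four during the day. The point of the MAD-based score is that a single heavy user does not drag the baseline up and hide itself, which a plain mean/standard-deviation cutoff on six users would do.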

How often does Protenus perform vulnerability scans and penetration testing?

As part of our SOC 2 audit, there are a handful of tools we use. A vulnerability scan software agent lives on all systems and scans for known vulnerabilities. The results are reviewed by our security team who ranks them on a risk matrix and plans remediation with our engineering teams.

For annual penetration testing, we use a third-party organization with a crowdsourcing approach and “bug bounties,” so each time we get a brand new group of highly motivated engineers performing real-world exploits for us to discover. It’s an amazing source of feedback for our security team.
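The answer above says scan results are ranked on a risk matrix before remediation is planned with engineering. The script below is an added example of what such a ranking step can look like; it is not Protenus's matrix, the findings are constructed, and the likelihood/impact rules, bands and remediation windows are assumptions. It shows why a matrix that accounts for exposure and data sensitivity orders work differently from the raw CVSS score alone.

```python
"""Rank vulnerability-scan findings on a likelihood/impact risk matrix.

Added example: findings are constructed; scoring rules, bands and SLA windows
are assumptions, not any organization's real policy.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    issue: str            # scanner's identifier for the weakness (constructed)
    cvss: float           # CVSS base score 0.0-10.0 as reported by the scanner
    internet_facing: bool
    handles_phi: bool     # asset stores or processes protected health information
    exploit_public: bool  # scanner or threat feed reports a public exploit


# Constructed scan output
SAMPLE_FINDINGS = [
    Finding("web-gw-01", "SCAN-0001", 9.8, True, True, True),
    Finding("db-03", "SCAN-0002", 7.5, False, True, False),
    Finding("build-agent-02", "SCAN-0003", 9.1, False, False, True),
    Finding("kiosk-07", "SCAN-0004", 4.3, False, False, False),
    Finding("api-02", "SCAN-0005", 7.5, True, True, False),
]

# Assumed bands: (minimum likelihood*impact, label, remediation window in days)
BANDS = [(15, "critical", 7), (9, "high", 30), (4, "medium", 90), (0, "low", 180)]


def likelihood(f):
    """1-5: how easily the weakness can be reached and exploited."""
    score = 1
    if f.cvss >= 7.0:
        score += 1
    if f.cvss >= 9.0:
        score += 1
    if f.internet_facing:
        score += 1   # reachable without first getting inside the network
    if f.exploit_public:
        score += 1   # no attacker research needed
    return min(score, 5)


def impact(f):
    """1-5: what a successful exploit would expose."""
    score = 1
    if f.handles_phi:
        score += 2   # regulated data: breach notification, fines, patient harm
    if f.internet_facing:
        score += 1   # a compromised edge host is a pivot into the estate
    if f.cvss >= 9.0:
        score += 1   # critical CVSS usually means full compromise of the host
    return min(score, 5)


def band_for(risk):
    """Map a likelihood*impact product to (label, remediation days)."""
    for minimum, label, sla in BANDS:
        if risk >= minimum:
            return label, sla
    return "low", 180  # unreachable: the last band has minimum 0


def rank_findings(findings):
    """Score every finding and return rows ordered highest risk first."""
    rows = []
    for f in findings:
        like, imp = likelihood(f), impact(f)
        label, sla = band_for(like * imp)
        rows.append({"host": f.host, "issue": f.issue, "cvss": f.cvss,
                     "likelihood": like, "impact": imp, "risk": like * imp,
                     "band": label, "sla_days": sla})
    # raw CVSS only breaks ties between equal matrix scores
    return sorted(rows, key=lambda r: (-r["risk"], -r["cvss"]))


if __name__ == "__main__":
    for r in rank_findings(SAMPLE_FINDINGS):
        print(f"{r['band']:>8}  risk={r['risk']:>2}  sla={r['sla_days']:>3}d  "
              f"cvss={r['cvss']}  {r['host']} ({r['issue']})")
```

With these rules the internet-facing PHI gateway is critical with a seven-day window, the 7.5-scored PHI API lands in the high band, and the CVSS 9.1 build agent drops to medium because it is isolated and holds no PHI. Whatever the actual weights, the property a security team wants from the matrix is exactly this: the queue reflects where a breach would hurt, not only the scanner's severity label.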

How resilient is Protenus’ cybersecurity posture to defend against attacks?

Often you’ll see security vulnerabilities through misconfiguration. We use infrastructure as code in our platform, where all configuration changes need multiple levels of approvals which happen automatically. That, combined with our other security measures described earlier, builds a nimble and robust defense against cybersecurity attacks.
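The answer above ties misconfiguration risk to infrastructure as code with automated approval gates. As an added example (not Protenus code, and not its actual pipeline), the script below is the kind of policy check that can run as one of those automatic approval levels: it reads a plan in the shape produced by `terraform show -json` (only the `resource_changes` list is used), applies three assumed rules, and refuses the change when any resource would be created or updated into a misconfigured state. The plans are constructed and the rules, the allowed public ports and the resource attributes checked are assumptions.

```python
"""Policy gate over an infrastructure-as-code plan (added example).

Input is JSON in the shape of `terraform show -json` output; only
`resource_changes[].change.after` is inspected. Plans and rules are constructed.
"""
import json

# Constructed plan with one violation of each assumed rule, plus a deletion
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"ingress": [
             {"from_port": 443, "to_port": 443, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"]},
             {"from_port": 22, "to_port": 22, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"]}]}}},
        {"address": "aws_s3_bucket.phi_exports", "type": "aws_s3_bucket",
         "change": {"actions": ["create"],
                    "after": {"bucket": "phi-exports", "acl": "public-read"}}},
        {"address": "aws_db_instance.main", "type": "aws_db_instance",
         "change": {"actions": ["update"],
                    "after": {"storage_encrypted": False,
                              "publicly_accessible": False}}},
        {"address": "aws_db_instance.old", "type": "aws_db_instance",
         "change": {"actions": ["delete"], "after": None}},
    ]
})

# Constructed plan that only exposes HTTPS to the internet
CLEAN_PLAN = json.dumps({
    "resource_changes": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"ingress": [
             {"from_port": 443, "to_port": 443, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"]}]}}},
    ]
})

ALLOWED_PUBLIC_PORTS = {80, 443}   # assumed: only web listeners may face the world
WORLD = {"0.0.0.0/0", "::/0"}


def check_security_group(address, after):
    """Flag ingress rules open to the whole internet on non-web ports."""
    out = []
    for rule in after.get("ingress") or []:
        cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
        if not cidrs & WORLD:
            continue
        ports = set(range(rule["from_port"], rule["to_port"] + 1))
        # protocol "-1" means every protocol and port in the plan format
        if rule.get("protocol") == "-1" or not ports <= ALLOWED_PUBLIC_PORTS:
            out.append((address, "sg-world-open",
                        f"ingress {rule['from_port']}-{rule['to_port']} from the internet"))
    return out


def check_s3_bucket(address, after):
    """Flag buckets created with a public canned ACL."""
    if after.get("acl") in ("public-read", "public-read-write"):
        return [(address, "s3-public-acl", f"acl={after['acl']}")]
    return []


def check_db_instance(address, after):
    """Flag databases without storage encryption or with a public endpoint."""
    out = []
    if not after.get("storage_encrypted", False):
        out.append((address, "db-unencrypted", "storage_encrypted is false"))
    if after.get("publicly_accessible", False):
        out.append((address, "db-public", "publicly_accessible is true"))
    return out


CHECKS = {
    "aws_security_group": check_security_group,
    "aws_s3_bucket": check_s3_bucket,
    "aws_db_instance": check_db_instance,
}


def evaluate_plan(plan_json):
    """Return (address, rule, detail) for every violation in the plan."""
    plan = json.loads(plan_json)
    violations = []
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if after is None:          # deletions have no post-apply state to check
            continue
        check = CHECKS.get(rc.get("type"))
        if check:
            violations.extend(check(rc["address"], after))
    return violations


def gate(plan_json):
    """True when the plan may proceed to the next approval level."""
    return not evaluate_plan(plan_json)


if __name__ == "__main__":
    for address, rule, detail in evaluate_plan(SAMPLE_PLAN):
        print(f"BLOCK {address}: {rule} ({detail})")
    print("clean plan passes:", gate(CLEAN_PLAN))
```

Run in CI before a human reviewer sees the change, a gate like this turns "all configuration changes need multiple levels of approval" into something mechanical: the world-open SSH rule, the public bucket ACL and the unencrypted database are rejected the same way every time, and the reviewer's attention goes to what the rules cannot express.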

What do you hear from Protenus customers about our security practices? 

A significant moment for me was working with a customer who was very concerned about putting sensitive data in the cloud. After walking through all of our security protocols, he came to the conclusion that his organization’s data is safer with Protenus than it is in its own data center. The goal is for all customers to feel that way. 

If you'd like to learn more about how artificial intelligence (AI) can detect and ultimately prevent compliance violations at your organization, download our guide, The Power of AI to Detect Healthcare Compliance Violations.

For more on this topic, watch the healthsystemCIO webinar, "Managing & Mitigating Security Risks from Third-Party Vendors."
