Security

Dedicated to protecting your data at every step.

The security of your information is of utmost importance to Harmony Healthcare IT, which is why significant resources are devoted to protecting it. We maintain a security-conscious culture made up of individuals who make security-minded decisions every day.

HITRUST CSF® Certification

Harmony Healthcare IT maintains rigorous security measures, including HITRUST CSF® certification and cyber-liability coverage. We undergo bi-annual HITRUST recertification to ensure compliance with industry standards.


A fundamental key to establishing a really solid security portfolio is a compliance framework. So, NIST is fantastic. It’s been in the industry for a really long time. There are other ones out there that people follow; you know, in the financial sector, it’s generally PCI or SOC certifications if we’re talking about physical data centers and things like that, and then you have what we follow, which is HITRUST, that kind of picks the best of breed from all those and interweaves them together into a singular framework. We personally have attested to this for over five years now, and we feel really strongly that as the industry evolves and the tools and practices evolve, that framework has been evolving with us. And so, every single year when we attest, we find additions to controls, you know, new verbiage between controls, and we find that it’s not just about the policies and procedures; it dives deeper into the implementation to ensure that we’re really doing what we say we’re doing on paper. And that gives me a great deal of confidence in our security posture, simply because we’re attesting to what I believe to be the strongest framework in the industry.

Business Continuity and Disaster Recovery

We provide a secure, reliable IT environment designed for stability and business continuity. Our disaster response plan ensures rapid response and recovery in the event of disruptions.

Identification and Authentication

Access to our infrastructure requires industry-standard authentication, including multi-factor authentication. Security oversight is managed by our Privacy, Security and HR teams, with continuous monitoring by internal and external security experts.

Transparency

Our security policies transparently outline how we manage and protect data within HealthData Platform. Every team member is accountable for upholding these standards. Our trust center provides real-time access to our certifications and materials for security and compliance management.


Managing Large Enterprise Projects

In terms of large project management, we follow a program management approach. So, at the highest level, an IDN is an example, who’s got an application rationalization program of, let’s say, 30 to 50 projects or programs that they’re looking to decommission. We first assign a Program Manager to that particular customer and work with counterparts on their side. So, typically on an annual basis, about 30 to 60 projects can be handled by a single project team; we’re also able to scale. So, if additional projects need to be started, again kind of in parallel, if there’s a higher volume or velocity to be achieved, we’re able to scale that up with agile teams. So, from a project management perspective, as well as our technical teams down the path, we can scale that as needed. And usually that as well will kind of in parallel relate to additional Project Managers at the customer site, as well as technical resources on their end if need be.

Physical Security of Facilities

We implement strict physical security controls to prevent unauthorized access to information systems. Sensitive personal health information (PHI) is housed in Tier 3 data centers with co-locations, meeting rigorous security and access requirements. Our offices also follow industry-standard access protocols.

Risk Management

We proactively identify and mitigate risks through ongoing vulnerability assessments, third-party vendor management, and annual penetration testing. HIPAA risk assessments are conducted by certified third parties.

Network Security

Our layered security architecture includes advanced firewalls, network filtering technology, and 24/7 endpoint detection and response (EDR) and managed detection and response (MDR) to safeguard your data.


24×7 is extremely important. Unfortunately, for us, the threat actors don’t just work 8 to 5, where most of your technology folks are going to be on the clock. Generally, it’s after hours that a lot of these things are going to happen. And so, having that staff 24×7 at three o’clock in the morning, they see the actions and they immediately jump in and take action. Being notified of it the following morning, unfortunately, in a lot of cases is too late. We need to be able to jump in there and stop that threat actor immediately while everyone else is still asleep, to make sure that we limit the impact, that we’re able to stop those actions and prevent anything nefarious from happening with our own and our customer data. So, there’s a lot of tools; a lot of people use SIEM. SIEM is a really great tool, having run those myself. I tend to move into the next generation; a traditional endpoint and something that’s collecting your data on the back end, unfortunately, today isn’t enough. It’s more about actionable intelligence, and that’s what you get from some of these 24×7 MDR, EDR services that are available in the marketplace today. It’s not just monitoring and reporting to you what happened; it’s analyzing all of what’s normal user behavior. And if it sees actions occurring within that user ID, it can immediately flag and find things before they’re doing those, you know, nefarious acts, the things that generally bubble to the surface of “wow, you know, somebody shouldn’t be deleting a bunch of information” or “information shouldn’t be leaving the environment”. It’s more “this person shouldn’t be logging in at this time” or “they shouldn’t be in this location if they were in that location an hour ago”, and being able to draw those, you know, patterns and behavior together to form a complete picture of, you know, is this a normal action within your environment, and then doing that on Saturday and Sunday when we’re all enjoying other things, is really what you need to do to tie these things together.
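The two behavioural signals the speaker describes, a login at an unusual hour and a login from a place the user could not have reached since the previous one, as a worked detection example added here; this is not Harmony Healthcare IT's code, and the working-hours window, speed ceiling and sample events are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

@dataclass
class Login:
    user: str
    ts: datetime   # assumed UTC
    lat: float
    lon: float

BUSINESS_HOURS = range(8, 18)   # assumed 08:00-17:59 working window
MAX_SPEED_KMH = 900.0           # assumed ceiling; faster than an airliner is "impossible travel"
MIN_TRAVEL_KM = 50.0            # ignore small moves (IP geolocation jitter)

def km_between(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance between two login locations."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def flag_logins(events: list[Login]) -> list[str]:
    """One alert per suspicious event: off-hours logins and impossible travel per user."""
    alerts: list[str] = []
    last_seen: dict[str, Login] = {}
    for ev in sorted(events, key=lambda e: e.ts):   # events may arrive unsorted
        if ev.ts.hour not in BUSINESS_HOURS:
            alerts.append(f"{ev.user}: off-hours login at {ev.ts:%Y-%m-%d %H:%M}Z")
        prev = last_seen.get(ev.user)
        if prev is not None:
            hours = (ev.ts - prev.ts).total_seconds() / 3600
            dist = km_between(prev, ev)
            # two logins in the same second give hours == 0; treat as impossible if far apart
            if dist > MIN_TRAVEL_KM and (hours == 0 or dist / hours > MAX_SPEED_KMH):
                alerts.append(f"{ev.user}: impossible travel, {dist:.0f} km in {hours:.1f} h")
        last_seen[ev.user] = ev
    return alerts

# Constructed sample events (not real data): alice "moves" Indianapolis -> Frankfurt in one hour,
# bob logs in at 03:00 on a Sunday.
SAMPLE = [
    Login("alice", datetime(2024, 5, 4, 14, 0), 39.77, -86.16),
    Login("alice", datetime(2024, 5, 4, 15, 0), 50.11, 8.68),
    Login("bob", datetime(2024, 5, 5, 3, 0), 39.77, -86.16),
    Login("bob", datetime(2024, 5, 5, 10, 0), 39.77, -86.16),
]

if __name__ == "__main__":
    print("\n".join(flag_logins(SAMPLE)))
```

In a real deployment the hour window would be per user or per role and the previous-location state would come from the identity provider's sign-in log, not an in-memory dict.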

Security Awareness Training

Our team undergoes continuous training on security and privacy. Quarterly security awareness sessions and annual HIPAA compliance training ensure we stay ahead of evolving threats. In addition, Role-Based Training is provided for specialized roles such as privileged users and developers. Monthly Phishing Tests are conducted and results are used to generate individual risk scores.