The security of your information is of utmost importance to Harmony Healthcare IT, which is why significant resources are devoted to protecting it. We maintain a security-conscious culture made up of individuals who make security-minded decisions every day.
Harmony Healthcare IT has a high volume of controls to address security, HIPAA, HITRUST, system change controls, etc. while also carrying cyber-liability coverage. The organization undergoes bi-annual HITRUST recertification.
A fundamental key of establishing a really solid security portfolio is a compliance framework. So, NIST is fantastic. It’s been in the industry for a really long time. There’s other ones out there that people follow, you know, on the financial sector, it’s generally a PCI SOC certifications if we’re talking about physical data centers and things like that, and then you have what we follow, which is HITRUST, that kind of picks the best and breed from all those interweaves them together into a singular framework. We personally have attested to this for over five years now and we feel really strongly that as the industry evolves and the tools and practices evolve, that framework has been evolving with us. And so, every single year when we attest, we find additions to controls, you know, new verbiage between controls and we find that it’s not just about the policies and procedures, it dives deeper into the implementation to ensure that we’re really doing what we say we’re doing on paper. And that gives me a great deal of confidence in our security posture simply because we’re attesting to what I believe to be the strongest framework in the industry.
Harmony Healthcare IT is open and transparent with its program and policies to help you understand how products, services and data within HealthData Platform™ are managed. Everyone on the team is held to the policies.
Managing Large Enterprise Projects In terms of large project management, we follow a program management approach. So, the highest level, an IDN is an example, who’s got an application rationalization program of let’s say 30 to 50 projects or programs that they’re looking to decommission. We first assigned a Program Manager to that particular customer and work with counterparts on their side. So, typically on an annual basis, about 30 to 60 projects can be handled by a single project team, we’re also able to scale. So, if additional projects need to be started again, kind of in parallel again that if there’s a higher volume or velocity to be achieved, we’re able to scale that up with agile teams. So, from a project management perspective, as well as our technical teams down the path we can scale that as needed. And usually that as well will kind of in parallel relate to additional Project Managers at customer site as well as technical resources on their end if need be.
Harmony Healthcare IT provides a safe, secure IT environment that serves its customers’ requirements, ensures stability and continuity of the business, and continually provides goods and services that promote confidence in the company. The business continuity and disaster recovery plan also provides a blueprint that enables quick recovery from disruption.
Physical security controls and secure areas are used to minimize unauthorized access to, damage to, and interference with information and information systems. Physical access to Harmony Healthcare IT servers and network devices is restricted to authorized individuals.
All infrastructure housing sensitive personal health information (PHI) is held within a Tier 3 data center with co-locations designed to meet security and access standards. Additionally, the Harmony Healthcare IT physical office is secured with industry-standard access measures.
Industry-standard authentication measures are required to access the Harmony Healthcare IT infrastructure, including but not limited to multi-factor authentication. Access is overseen by the Security and HR team and monitored/audited by both the internal security team and external security providers.
Harmony Healthcare IT provides defensive measures through a layered security architecture by utilizing firewall and network filtering technology and 24/7 endpoint and managed detection and response (EDR and MDR).
24×7 is extremely important. Unfortunately, for us, the threat actors don’t just work 8 to 5 where most of your technology folks are going to be on the clock. Generally, it’s after hours that a lot of these things are going to happen. And so having that staff 24×7 at three o’clock in the morning, they see the actions and they immediately jump in, take action being notified of it the following morning. Unfortunately, in a lot of cases is too late. We need to be able to jump in there and stop that threat actor immediately while everyone else is still asleep to make sure that we limit the impact that we’re able to stop those actions and prevent anything nefarious from happening with ourselves and our customer data. So, there’s a lot of tools a lot of people use SIM. SIM is a really great tool, having run those myself. I tend to move into the next generation, a traditional end point and, and something that’s collecting your data on the back end. Unfortunately, today isn’t enough. It’s more about actionable intelligence and that’s what you get from some of these 24×7 MBR, EDR services that are available in the marketplace today. It’s not just monitoring and reporting to you what happened, it’s analyzing all of what’s a normal user behavior. And if it sees actions occurring within that user ID, it can immediately flag and find things before they’re doing those, you know, nefarious acts of the things that generally bubble to the surface of wow, you know, somebody shouldn’t be deleting a bunch of information or information shouldn’t be leaving the environment. It’s more this person shouldn’t be logging in at this time or they shouldn’t be in this location if they were in that location an hour ago and being able to draw those, you know, patterns and behavior together to form a complete picture of, you know, is this a normal action within your environment and then doing that on Saturday and Sunday when we’re all enjoying other things is really what you need to do to tie these things together.
Harmony Healthcare IT performs vulnerability scanning and risk assessments consistently, both internally and externally. The security team provides ongoing third-party vendor management. In addition, annual penetration tests and HIPAA Risk Assessment take place through qualified third parties.
All employees participate in extensive training on security and privacy. Security awareness training takes place quarterly and HIPAA security/privacy training annually. Role-based training is also employed.
Our trust center provides real-time access to vital information about our privacy, security and compliance management.
Within the trust center we share our certifications, as well as materials for compliance teams to confirm we’re meeting privacy and security standards.
Harmony Healthcare IT prioritizes security in its investments and daily operations.
Learn critical steps that any healthcare delivery organization should take to establish or strengthen its privacy and security processes.
Be certain you’re investing in a partner that will protect you and your data with these 10 simple questions.
Listen in as we discuss security best practices for hospitals and clinics, how Harmony ensures clients’ data is secure, and security vendor suggestions.
Anonymously and securely report an incident or vulnerability to Harmony Healthcare IT.