Building Aetion’s Information Security Program
When I joined Aetion as Head of Information Security in August 2018, it was clear the company was already on the path of evolving from a startup to a more mature organization. It was also clear that we were on the cusp of a steep upward trajectory in our staff size, partnerships and market penetration. Aetion’s senior leadership team and board of directors made it clear to me that they were committed to having an effective information security program and were ready to invest to ensure that we would exceed the expectations of our clients and stakeholders.
As with most stories of this type, it is necessary to go back to before my beginning here. Aetion had been in operation as a startup for a few years, and in the year before I started it had begun to pivot from a startup to a small business with a rapidly expanding commercial portfolio. The company had competent and responsible people who recognized the need for information security, and I found that they had already done many common sense things to meet that responsibility. For example, they partnered with a cloud provider that had a HIPAA compliant, HITRUST certified data center to host protected health information from our clients. More on HIPAA and HITRUST later; in this context the important point is that these people recognized the value of partnering with a third party focused on protecting the health information of patients.
One of the things I brought to their attention is that protecting health information was only part of their security needs. Aetion is made up of exceptionally smart, innovative people who invent things. Therefore, in addition to our responsibility to our clients to protect their data, we had a responsibility to our investors and ourselves to protect our intellectual property.
As is always the case with growing startups, challenges that had been addressed by smart, earnest individuals using logic and common sense to do the right thing, sometimes requiring heroic action, reached an inflection point where that approach could no longer scale at a pace commensurate with growth. It was clear that the time had come for Aetion to move beyond the heroic actions of individual smart people to a more mature regime driven by policies with sustainable and repeatable processes and practices. Policy, process and the ability to implement are the core tenets of an information security program.
But before defining policies and creating execution plans to effectively implement security, I asked myself what goes into building an information security program. I quickly landed on a need to understand the regulations that apply to our organization, the products and services we are selling (and plan to sell in the future), where and how we are developing our products and services, and how we engage with clients and partners. Aetion operates in the health care technology sector, and our mission is to power critical decisions in healthcare with data science-driven technology. Our clients usually provide us with real world data sets, sourced from third-party providers, which contain information such as the health status of individuals, the provisioning of healthcare to patients, and payments made for health care. It was easy to recognize that in this domain information security is a significant business risk that must be managed systematically, with an emphasis on threat identification and continuous improvement. And as a growing and evolving organization, we needed to design and plan our information security program for where the company was heading, not just where it was at the moment.
The process I followed should be familiar to any security professional. After acquiring a good understanding of the business and where it was heading, we had to identify the assets worth protecting, determine the security controls required to protect those assets, establish a compliance program to ensure the security controls are effective, and establish a risk management program to identify new risks to our business.
At Aetion we view our assets as our analytics platform, which has been branded as the Aetion Evidence Platform ™, our intellectual property, brand, facilities, employees and our clients' data. Our clients' data contain health information from patients in the United States and Europe. While protection of our company assets is important, it was clear that protection of data containing health information is our paramount responsibility.
Aetion has always known that the data we receive from our clients require us to comply with the Health Insurance Portability and Accountability Act (HIPAA). The company had also come to understand that in order to meet its goals for international growth, we would have to comply with the relatively new and arguably ambiguous requirements of the EU's General Data Protection Regulation (GDPR).
As with most things in technology and business in general, we did not need to invent our own security framework to meet the requirements of HIPAA. And to the extent that anyone knew in full detail the implications of GDPR, there were or would be frameworks for dealing with that as well. Security frameworks are vital for future success, and the decision about which to adopt is not solely an IT issue; information security involves business operations and personal vigilance beyond IT. So, our evaluation and design process involved close engagement with senior management across all parts of the business.
After careful consideration, we decided to implement the Health Information Trust Alliance Common Security Framework (HITRUST CSF). HITRUST CSF is a comprehensive framework designed to address multiple federal and state regulations and security frameworks such as HIPAA, the California Consumer Privacy Act, ISO and NIST. HITRUST is an exhaustive framework organized into 14 control categories, represented by a superset of over 1600 requirement statements. HITRUST scales the assessment according to organization type, size and complexity, structured over 19 domains. We invested 500 hours going through the requirements to complete our initial assessment.
Our goal in implementing HITRUST is to achieve certification through a formal audit process conducted by an independent assessor. I decided our path to certification would be based on evaluating each security requirement and implementing only those that reduce our exposure to disclosure of protected health information. This approach ensures that Aetion exerts the appropriate amount of effort to reduce our risk and pass the certification audit. As a business focused on growth this year, additional effort to achieve a higher score without a tangible benefit in lowering risk is counterproductive to business operations.
As I mentioned previously, the HITRUST CSF is flexible and scales the number of security controls according to organization type, size and complexity. For Aetion, several administrative and regulatory factors determined that 345 security controls were in scope for our certification. These factors included:
- Our company size
- Required compliance with Global, Federal and State Regulations
- Locations where we conduct business
- The number of patient lives in our record sets
If you are not familiar with the CSF, some examples of what it contains might be informative. Many of the items, as you might suspect, would generally fall under the category of common sense and basic responsibility, for example:
- Visible identification that clearly identifies each individual is required to be worn by employees, visitors, contractors and third parties
- Anti-virus and anti-spyware software is installed, operating and up to date on endpoints
Others may not be so obvious if you are not familiar with Healthcare, such as:
- The covered entity or business associate mitigates any known harmful effect of a use or disclosure of PHI in violation of its policies and procedures. In practice, Aetion would need to demonstrate our overall response to contain, mitigate and report a disclosure of PHI, both internally and externally to our company.
After stepping through the painfully exhaustive 500 hour assessment and recovering with a vacation, it was time to put together the remediation plans required to close the gaps. In order to execute the remediation plans, I determined that resources in the Infrastructure, Information Security, Legal, Compliance and HR business process areas would have to be allocated. I mentioned this before: information security is a business risk and not an IT problem, and now more than ever this was evident. Consulting with these teams, we were able to determine the investments in people, process, tools and culture needed to implement the security framework and maintain it. The KEY PART was taking the investment proposal and reviewing it with senior leadership to receive approval and funding. You cannot go through a significant amount of business transformation and change in corporate culture without board level and senior management approval. Fortunately for me, we received the support of senior leadership to make HITRUST CSF certification a 2019 priority, and we are staffing up to implement the controls. Our next blog will cover some of our successes and challenges during the implementation.