Keep Your Data Safe: Our Head of Infrastructure and Operations Shares His Top 3 Tips

07/02/2018

by Jesse Braasch

 

It’s rare for a week to go by without news breaking of a data breach at a top company. As such, I continually receive questions about what our Partners can do to reduce their risk of such a breach within their own business. In a previous post, we outlined the biggest threats to data security and privacy in healthcare; today, I want to share what you can do to protect the personal healthcare information (PHI) entrusted to you by your customers or employees from breach or fraud. Here are my top tips:

 

Just get started.

What should you do to keep bad actors away from your systems? My No. 1 data-protection tip for any Partner using our WEX Health Cloud platform, or even for your own data in your own business, is to get started. Consider how you’re leveraging the tools and services already available to you; you don’t have to rely entirely on your IT team to do so. For instance, our WEX Health Cloud platform has numerous security and fraud prevention features built in that Partners can choose to leverage. These security features aren’t mandated; our Partners need to choose for themselves which they’re going to enable for their use of the system. It comes down to how you train your staff to leverage the tools and services available to them to reduce your risk.

 

Give data security the attention it deserves.

When evaluating SaaS solutions, many companies are most focused on availability or the performance or scale of a solution. That’s important stuff, but not as important as trust. When you bring your business and all your data to a SaaS solution and begin to look at that solution as a service provider, you must trust that the provider can provide security and infrastructure that’s not only as good as what you have now, but much better. Look for any SaaS company you partner with to take that partnership with you very seriously to ensure their services become a seamless extension of the services you provide.

 

Don’t react. Hunt.

In the world of security and fraud prevention, a lot of the technology has been structured around preventing financial and data loss. However, in data security, there’s recently been an important shift in focus away from preventing or reacting to breaches toward actively “hunting” for them. By restructuring your security processes so that you’re concentrating on hunting out a breach and limiting its negative impact rather than preventing it, you’ll ultimately do more to protect yourself and your customers. That’s because it’s not a matter of if a data breach will happen but when, and you need to take proactive steps before it does to minimize its overall negative impact. While this sounds scary, this concept is exactly why we all have smoke detectors, sprinkler systems, evacuation procedures, posted exits and fire drills. Those are all proactive measures taken before a fire happens to reduce the damage when it does. To limit the negative outcomes, do your best to prevent, but detect and react fast.

 

For more on the best approach to data security, we invite you to watch our video about data security in the healthcare space:

 


Jesse Braasch

Vice President of Infrastructure and Operations at WEX Health

Jesse Braasch is the Vice President of Infrastructure and Operations at WEX Health, the largest Software as a Service (SaaS) company in the healthcare payment market today. His favorite saying is, “The most dangerous phrase in the English language is, ‘We’ve always done it this way!’” In the ever-changing, always dynamic world of consumer directed healthcare, Jesse’s dedication to innovation and excellence will continue to keep WEX Health at the forefront of the current healthcare revolution.

As the consumer driven healthcare industry grows exponentially, Jesse will help ensure WEX Health’s technical ecosystem has best-in-breed features, stability, security, and quality of service so the company is able to scale in parallel with the industry. Jesse’s passion is delivering creative yet rock solid technologies that truly solve the needs of the customer and enable speed to market.

Regarded as a veteran of the technology industry, Jesse has over twenty years of experience working for industry leading SaaS corporations and Fortune 500 companies. Most recently Jesse was Director of Infrastructure for XRS Corporation, a SaaS company providing trucking fleet management solutions, where he led server, storage, database, and IT operations teams. Prior to working at XRS, Jesse held technical and team leadership positions at Target Corporation, Fair Isaac Corporation, and Travelers Indemnity Company.

After serving in the United States Marine Corps, Jesse earned his Bachelor’s Degree in Information Technology from Capella University, and is currently pursuing his Masters of Science degree in Security. Jesse, his wife, and two teenage sons live in Maple Grove, MN, where he is an active volunteer in the community’s youth ice hockey association.

What You Need to Know About Data Security and Wearable Devices in the Workplace

02/02/2018

 

Now that wearables and smart technology devices are frequently used to incentivize and measure participation in workplace wellness programs, activity trackers have emerged as an important—and sometimes debated—link between employee and employer.

 

Concerns about personal data and activity trackers made the news (again) this week, with reports that U.S. soldiers may have inadvertently revealed the locations of remote military bases in Iraq, Afghanistan and Syria by publicly sharing their jogging routes via the Strava fitness app.

 

And during a series of meetings last year between Apple and Aetna, Aetna employees’ questions about the safety of the data on their employer-provided Apple Watches ended up dominating the discussion—and the news media’s coverage of that discussion. By way of background, Aetna partnered with Apple in 2016 to provide select large employers and individual customers with Apple Watches, as well as offering to reimburse all 50,000 of its own employees for the watches. Apple has stressed that health information is only shared with user consent, and Aetna is continuing to gather feedback from its employees about whether or not the watches have had an impact on their nutrition and exercise habits.

 

Of the Apple/Aetna meetings, CNBC reported, “One of the biggest concerns with companies like Apple and Fitbit collecting health information, like steps and heart rate, is that it could get into the wrong hands. These fears are amplified as technology companies strike deals with self-insured employers and health plans.”

 

So what are employers and health insurers doing with the data they collect from activity trackers? The large majority of those employers are doing nothing with it and are providing employees and/or their customers with wearable devices only to encourage health and wellness in hopes of increased productivity and engagement and decreased healthcare costs.

 

Though it’s now common across industries, the trend of doling out activity trackers to employees and customers was popularized by healthcare companies. Back in 2014, tech startup Oscar made headlines when it partnered with Misfit, a wearable device company, to link its customers’ biometric information straight to their health insurance, presenting Amazon gift cards to those who met their fitness goals.

 

Since 2016, UnitedHealthcare has awarded employees who meet fitness goals (as measured by their wearable devices) with monetary prizes and credits that can be applied to a health savings account or health reimbursement account. The company’s vice president of emerging products recently reported that its program, which it calls “Motion F.I.T.”, has yielded “very impressive” engagement and activity rates. And, as part of its Wellvolution program, Blue Shield of California leverages the Walkadoo app, which keeps track of activity and allows employee participants to earn awards such as Fitbits and Visa gift cards. It has since also invited some of its plan participants to engage with the app in exchange for awards. OptimaHealth, Cigna, Humana and other insurers additionally offer their members discounts and rewards tied to activity trackers.

 

Even as activity trackers have provided impetus for some corporate employees to prioritize their health, the practice of incentivizing with them has, in some ways, heightened the tension between personalized medicine and private information. Workplace wellness programs that are offered by group health plans to group health plan participants only are covered by the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules, while wellness programs offered to all employees are likely not covered by HIPAA.

 

Just last week we reported on a new ruling from a federal district court in Washington, D.C., in which the U.S. Equal Employment Opportunity Commission (EEOC) has been ordered to alter its rules on employer-sponsored wellness programs that financially penalize employees who refuse to provide personal medical and genetic information. As wearable healthcare technology grows more sophisticated, we suspect that the number of questions it raises will continue to grow, as will the opportunities it creates.

 

For more on the role of smartphones and apps in personal health management, read our blog about trends in remote health monitoring.

The 3 Biggest Threats to Data Security and Privacy in Healthcare Today

11/08/2017

by Jesse Braasch & Jason Langston

 

According to a new report on healthcare data breaches in 2017, the three greatest threats to data security and privacy this year have been human error, hacking/malware and insiders. To prevent breaches, all industry players need to ask themselves if they are vulnerable to these threats and ensure that their software systems are updated.

 

  1. Unintended Disclosure: 41 percent (the large majority) of breaches are the result of unintended disclosure, a.k.a. user mistake or human error. These incidents can come in the form of emails inadvertently sent to the wrong recipient or emails that contain protected health information (PHI). Discharge instructions may be given to the wrong patient, or a server containing PHI can be accidentally left open to the public. Workforce training and education can go a long way to diminish incidents of unintended disclosure.

  2. Hacking or Malware: Hackers have continued to disproportionately target healthcare organizations in 2017, organizing significant and sophisticated attacks that account for 15 percent of breaches so far this year. Phishing attacks on hospitals, insurance providers, medical equipment suppliers and others have resulted in the leaking of tens of millions of patient names, social security numbers, medical records, diagnoses, treatment information and other clinical data.

  3. Insiders: Disproving the old-fashioned theory that the best way to protect data is to keep it close to home are continuing reports of employee snooping or physical theft of on-site devices and data, which account for 15 percent of breaches (physical loss can be blamed for another 8 percent). Typically this can involve an employee viewing records without a work-related reason. Of note, the number of breaches attributed to employees is on the rise, but they are generally easier to mitigate than external threats.

 

Though the healthcare industry was slower to adopt cloud computing than other industries, most healthcare providers and employers now overwhelmingly believe that patient and employee benefits data is safer being managed by a software-as-a-service (SaaS) company than it is with on-premise software. SaaS platforms are also more likely to have data engineers and software experts dedicated to continuously monitoring and guarding accounts for the above threats.

 

How can a company know if a SaaS provider can be trusted to provide secure custody of data? Verify that they understand the regulatory requirements and are strictly compliant with HIPAA, SSAE 16 and PCI.

 

 



Jason Langston

Vice President of Infrastructure and Operations at WEX Health

Jason Langston leads the Enterprise Architecture and Application Security team at WEX Health. This team works closely with the IT Security, Compliance and Fraud teams to ensure the robust security and scalability of WEX Health Cloud. They run the software security assurance program, performing various tests, scans, attack models and reviews to identify, fix and prevent security issues. Jason has worked at WEX Health for 13 years and in the tech industry for almost 20 years in various technical and leadership roles, with a strong focus on architecture and security.