Protecting Patient Information in the Cloud

By Rich Sadowski

Companies across the healthcare industry have started collaborating with virtual contact centers in an attempt to operate more efficiently while still offering the highest quality customer care. Known as “homeshoring,” using home-based customer care professionals has already helped many healthcare organizations remain competitive in the current economic climate. These virtual companies have shown they can deliver better service than traditional brick-and-mortar centers, resulting in higher customer satisfaction, faster issue resolution, and greater patient empathy. Yet information privacy concerns and strict security regulations are still preventing some executives from exploring the use of home-based employees.

Preventing Unauthorized Access: Misuse of patient information is one of the most dreaded threats for any healthcare organization. For this reason, any virtual contact center that works with healthcare clients must be extra diligent when implementing security systems and processes to help prevent unauthorized access to sensitive data. The following are a few recommendations for network security within a virtual environment:

  • Firewalls: A firewall configuration, known as the firewall sandwich, is used by many virtual contact centers to protect both Web application servers and back-end systems. This configuration is particularly important when back-to-back firewalls exist at the boundaries of the service provider and enterprise network infrastructures.
  • Authentication: Multi-factor authentication processes are used to ensure that users are who they say they are. It is advisable for any log-on process to require the user to input something he or she knows, like a password, along with something unique that the user has, such as a one-time token code from a security device. Contextual information can also be used to help confirm a user’s identity (for example, whether the employee is scheduled to work during the period of the log-on attempt).
  • Authorization: Once users are authenticated, they should then be authorized to access only certain resources. Handling the authorization controls is the job of a triple-A (authentication, authorization, and accounting) server using policy-based management rules.
  • Virtual Private Networks: To reduce the risk of hackers attempting to “tap” into sessions or pretending to be legitimate users, cloud-based contact centers should utilize a virtual private network (VPN). VPNs establish encrypted “tunnels” through the public network by encapsulating traffic in special packets. The use of strong encryption, such as that afforded by the 256-bit Advanced Encryption Standard (AES), makes it practically impossible for hackers to snoop or hijack virtual private network traffic.

Preventing Information Misuse: The other security factor that must be considered when outsourcing to a virtual call center is the set of procedures in place to help prevent the misuse of information. After employees are approved, securing their home-office environment requires applying layers of security comparable to those found in a physical call center, but in different ways. Below are some best practices for making the work-at-home arrangement as secure as possible:

  • Virtual Agents: Efforts to prevent the misuse of confidential information should begin with hiring the right people. Before an employee attempts to access an organization’s network, he or she should be thoroughly vetted prior to hire. At a minimum, this process should include background and criminal checks.
  • Computer Controls: It is strongly recommended that an at-home agent’s home computer be “locked” when in use for work. This can be accomplished using a special security application and typically prevents any information from being copied, logged, transmitted, or otherwise retained.
  • Software Updates: A best practice is to have a patch cycle that regularly installs system and security software patches and updates. This helps ensure the security software used is up-to-date with the latest version.
  • Host Integrity Checks: When working in a cloud-based environment, it is important to make sure all operating systems, applications, and security software are installed correctly and operating properly. This is done through an endpoint HIC (host integrity check) performed every time an employee logs on. The HIC also validates the registry settings, confirms that no unauthorized application is currently installed, and verifies that the agent is attempting access at a scheduled time and via an authorized network.
  • Telephone Keypad Entry: Another best practice is to protect personally identifiable data by having customers enter sensitive information directly via the telephone keypad. “At the tone, please enter your credit card number.” The identifying information is then associated with the caller’s entire session, but it is masked on every screen so as not to be visible to the agent.
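The log-on checks described under Authentication and Host Integrity Checks can be combined into a single allow/deny decision. The sketch below is an added example, not code from the article or from any vendor product; the agent name, address range, application names, setting names and shift times are all constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime
from ipaddress import ip_address, ip_network

# Every value here is constructed for illustration, not taken from a real deployment.
AUTHORIZED_NETS = [ip_network("203.0.113.0/24")]   # stand-in for the VPN address pool
APPROVED_APPS = {"softphone", "crm-client", "endpoint-av"}
REQUIRED_SETTINGS = {"clipboard_redirect": "off", "usb_storage": "off"}
SHIFTS = {"agent17": [(datetime(2013, 4, 2, 9), datetime(2013, 4, 2, 17))]}

@dataclass(frozen=True)
class Logon:
    agent: str
    password_ok: bool        # something the user knows
    token_ok: bool           # something the user has (one-time code)
    when: datetime
    source_ip: str
    installed_apps: frozenset
    settings: tuple          # ((name, value), ...) as reported by the endpoint

def on_authorized_net(ip):
    try:
        addr = ip_address(ip)
    except ValueError:       # malformed address: fail closed
        return False
    return any(addr in net for net in AUTHORIZED_NETS)

def evaluate(a):
    """Return (allowed, reasons); every check runs so a denial is fully explained."""
    reasons = []
    if not (a.password_ok and a.token_ok):
        reasons.append("mfa")                # both factors are required
    if not any(s <= a.when < e for s, e in SHIFTS.get(a.agent, [])):
        reasons.append("schedule")           # contextual check: scheduled shift
    if not on_authorized_net(a.source_ip):
        reasons.append("network")
    if a.installed_apps - APPROVED_APPS:     # anything outside the allowlist
        reasons.append("unauthorized_app")
    reported = dict(a.settings)
    if any(reported.get(k) != v for k, v in REQUIRED_SETTINGS.items()):
        reasons.append("settings")           # missing or changed setting
    return (not reasons, reasons)

GOOD = Logon("agent17", True, True, datetime(2013, 4, 2, 10, 30), "203.0.113.40",
             frozenset({"softphone", "crm-client"}),
             (("clipboard_redirect", "off"), ("usb_storage", "off")))

def variant(**changes):
    """Copy of the constructed GOOD attempt with some fields changed."""
    return replace(GOOD, **changes)
```

Recording every failed check, rather than stopping at the first, gives the accounting side of the triple-A server a complete reason for each denied log-on.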

By following these security provisions, a cloud-based contact center can be made just as secure as a physical brick-and-mortar facility. To help select the right at-home contact center partners, it is strongly recommended that companies work with an organization that has been able to achieve third-party validated compliance with HIPAA, the HITECH Act, and Payment Card Industry Data Security Standard (PCI DSS) Level 1 certification.

Rich Sadowski is vice president of Solutions Engineering for Alpine Access, Inc., a provider of employee-based virtual contact center solutions and services.

[From Connection Magazine April 2013]