Protecting Patient Information in the Cloud

By Rich Sadowski

Companies across the healthcare industry have started collaborating with virtual contact centers in order to operate more efficiently while still offering the highest quality customer care. These virtual companies can often deliver better service than traditional brick-and-mortar centers, with higher customer satisfaction, faster issue resolution, and greater patient empathy. Yet information privacy concerns and strict security regulations are still preventing some executives from exploring the use of home-based employees.

Preventing Unauthorized Access: Misuse of patient information is one of the most dreaded threats for any healthcare organization. For this reason, a virtual contact center that works with healthcare clients must be extra diligent when implementing security systems and processes to help prevent unauthorized access to sensitive data. Here are several recommendations for network security within a virtual environment:

  • Firewalls: A firewall configuration, known as the firewall sandwich, is used by many virtual contact centers to protect both Web application servers and the back-end systems. This configuration is particularly important when back-to-back firewalls exist at the boundaries of the service provider and enterprise network infrastructures.
  • Authentication: Multi-factor authentication processes are used to ensure that users are who they say they are. It is advisable for any log-on process to require the user to input something he or she knows, like a password, along with something unique that the user has, such as a one-time token code from a security device. Contextual information can also be used to help confirm a user’s identity, such as whether the employee is scheduled to work at the time of the log-on attempt.
  • Authorization: Once users are authenticated, they should be authorized to access only certain resources. Handling the authorization controls is the job of a triple-A (authentication, authorization, and accounting) server using policy-based management rules.
  • Virtual Private Networks: To reduce the risk of hackers attempting to tap into sessions or pretending to be legitimate users, cloud-based contact centers should utilize a virtual private network (VPN). VPNs establish encrypted tunnels through the public network by encapsulating traffic in special packets. The use of strong encryption, such as 256-bit Advanced Encryption Standard (AES), makes it virtually impossible for hackers to snoop on or hijack virtual private network traffic.

Preventing Information Misuse: The other security factor that must be considered when outsourcing to a virtual call center is making sure that procedures are in place to help prevent the misuse of information. After employees are approved, securing their home-office environment requires applying layers of security comparable to those found in a physical call center, but in different ways. Below are some best practices for making the work-at-home arrangement as secure as possible:

  • Virtual Agents: Efforts to prevent the misuse of confidential information should begin with hiring the right people. Before an employee attempts to access an organization’s network, he or she should be thoroughly vetted. At a minimum, this process should include background and criminal checks.
  • Computer Controls: An at-home agent’s home computer should be “locked” when in use for work. This can be accomplished using a special security application, which typically prevents any information from being copied, logged, transmitted, or otherwise retained.
  • Software Updates: It’s best practice to have a patch cycle that regularly installs system and security software patches and updates. This helps ensure that security software is up-to-date.
  • Host Integrity Checks: In a cloud-based environment, it is important to make sure that all operating systems, applications, and security software have been installed correctly and are operating properly. This is done through an endpoint HIC (host integrity check) that is performed every time an employee logs on. The HIC also validates the registry settings, confirms that no unauthorized application is installed, and verifies that the agent is attempting access at a scheduled time and via an authorized network.
  • Telephone Keypad Entry: Another best practice is to protect personally identifiable data by having customers enter sensitive information directly via the telephone keypad: “At the tone, please enter your credit card number.” The identifying information is then associated with the caller’s entire session, but it is masked on every screen so as not to be visible to the agent.
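
As an added illustration (not from the article or from any vendor's product), the log-on-time host integrity check described above can be written as a policy evaluation over a posture report sent by the endpoint. The policy values, registry key names, agent ID, network range and report format are all constructed assumptions.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Hypothetical policy; every name and value below is constructed for illustration.
POLICY = {
    "required_running": {"antivirus", "vpn_client", "lockdown_agent"},
    "allowed_apps": {"antivirus", "vpn_client", "lockdown_agent", "softphone"},
    "registry": {r"HKLM\SOFTWARE\Example\UsbStorageBlocked": 1,
                 r"HKLM\SOFTWARE\Example\ClipboardBlocked": 1},
    "authorized_networks": [ip_network("10.20.0.0/16")],
}
# Constructed shift schedule: agent id -> list of (weekday, start, end); Monday is 0.
SCHEDULE = {"agent-017": [(0, time(8, 0), time(16, 0))]}

def host_integrity_check(agent_id, report, now):
    """Return failure reasons for one log-on attempt; an empty list means allow.

    The check fails closed: a missing field, an unknown agent or an
    unparsable address is treated as a failure, never as a pass.
    """
    failures = []
    # Required security software must be running on the endpoint.
    missing = POLICY["required_running"] - set(report.get("running", []))
    if missing:
        failures.append("not running: " + ", ".join(sorted(missing)))
    # Anything installed that is not on the allow-list is unauthorized.
    extra = set(report.get("installed", [])) - POLICY["allowed_apps"]
    if extra:
        failures.append("unauthorized app: " + ", ".join(sorted(extra)))
    # Registry settings must match the expected hardened values exactly.
    for key, expected in POLICY["registry"].items():
        if report.get("registry", {}).get(key) != expected:
            failures.append(f"registry mismatch: {key}")
    # The connection must come from an authorized network.
    try:
        addr = ip_address(report.get("source_ip", ""))
    except ValueError:
        addr = None
    if addr is None or not any(addr in n for n in POLICY["authorized_networks"]):
        failures.append("unauthorized network")
    # The agent must be inside a scheduled shift at the time of log-on.
    shifts = SCHEDULE.get(agent_id, [])
    if not any(d == now.weekday() and s <= now.time() < e for d, s, e in shifts):
        failures.append("outside scheduled shift")
    return failures

# Constructed sample report from a compliant endpoint.
GOOD_REPORT = {"running": ["antivirus", "vpn_client", "lockdown_agent"],
               "installed": ["antivirus", "vpn_client", "lockdown_agent", "softphone"],
               "registry": dict(POLICY["registry"]), "source_ip": "10.20.4.7"}
```

Returning every failed condition rather than stopping at the first gives the help desk and the audit log the full reason an agent was refused.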

By following these security provisions, a cloud-based contact center can be made just as secure as a physical brick-and-mortar facility. Additionally, it is strongly recommended that contact centers work with an organization that has achieved third-party validated compliance with HIPAA, HITECH Act, and Payment Card Industry Data Security Standards (PCI-DSS) Level 1 certification.

Rich Sadowski is vice president of Solutions Engineering for Alpine Access, Inc., a provider of employee-based virtual contact center solutions and services.

[From Connection Magazine October 2012]
