BUSINESS: Leader in health care claims integrity, providing organizations the tools they need to identify fraud, waste, abuse, errors, and improper payment.
SCOPE: United States
SIZE: 50 employees
BUSINESS CHALLENGE: Provide vulnerability management and regulatory compliance risk mitigation for its data center.
SOLUTION: HDI turned to Qualys VM and Qualys WAS for effective vulnerability management of the data center and for finding and remedying web application flaws.
WHY THEY CHOSE QUALYS:
- Automated on-demand security and vulnerability audits
- Highly accurate vulnerability scans
- Easy to deploy, manage and operate
- Comprehensive reporting capability for technical teams, business managers and auditors
Health Data Insights Enhances Regulatory and Policy Compliance
Leading health care claims integrity provider attains effective vulnerability management within their data center and remedies web application flaws.
Health care fraud is costing the U.S. tens of billions of dollars every year according to industry experts, a trend that is expected to continue to rise as more health records move from paper to digital. Health Data Insights (HDI) finds itself right at the center of that battle. HDI is the leader in health care claims integrity and provides organizations the tools they need to identify fraud, waste, abuse, errors, and improper payment. HDI’s clients include public agencies, such as the Centers for Medicare and Medicaid (CMS) as well as a number of the largest commercial health care payers in the U.S.
To identify health care claims fraud, HDI has designed and built sophisticated, proprietary analytics capabilities that analyze all of a payer’s claims data for anomalies. Currently, HDI vets $300 billion in paid claims every year.
When accessing sensitive health care-related data, keeping that data secure is critical. That means not only controlling the access to the data but also ensuring that all of the associated HDI systems are secured and maintained in a state free of critical security vulnerabilities.
In fact, having an effective vulnerability management program in place is one of the foundations of most of the IT security regulatory mandates HDI must contend with, including the Health Insurance Portability and Accountability Act and the rigid security requirements that apply to IT service providers for the Centers for Medicare and Medicaid Services. HDI also must pass the Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization (formerly SOC 1) examination.
Building an Efficient Vulnerability Management Lifecycle
Effective vulnerability management is crucial to maintaining a healthy security posture, especially today. New software and operating system flaws are discovered every day. Add to that the new devices and applications being added to networks every week. And as new features and capabilities are layered onto existing applications, the risk of introducing security-related flaws escalates. All of these changes create new risk, and companies need to consistently assess their systems for new vulnerabilities if they are to stay ahead of it.
To succeed, enterprises need the right toolsets and processes in place so that they are always aware of what devices are on their network, the operating systems and software these devices run, what flaws may be present, and how to remedy at-risk systems.
Kurt Smith, VP of IT security of HDI, knows this cycle well. With a tight security team of three, Smith and his group need to be able to continuously assess and secure dozens of web applications and roughly 300 production servers. “When we started looking for a vulnerability assessment tool, we needed something that wouldn’t be expensive, but would make it easy for our team to run our own assessments,” Smith says. HDI also needed to be able to create vulnerability reports that could be presented and quickly understood by regulators and external security assessment teams when they arrived to conduct their audits and assessments. Smith also required the vulnerability assessment software to be centrally managed, so team members could perform their system scans independently.
Surprisingly, HDI found that many vulnerability assessment tools on the market did not meet those needs. In fact, many were not only costly, but required expensive on-premise servers and software that had to be built and manually maintained. To make matters more challenging, their assessments were often inaccurate, and they produced reports that were not only difficult for security teams to read but literally incomprehensible to most auditors and business managers.
HDI Selects the Enterprise TruRisk Platform
After a careful evaluation, HDI selected the Enterprise TruRisk Platform. Delivered from a highly scalable multi-tenant cloud infrastructure, the platform provides a suite of information security and regulatory compliance management services. Qualys’ hosted Internet scanners provide fast and efficient external vulnerability assessments; designed and optimized to scan publicly facing devices, they deliver highly accurate and scalable security tests.
With Qualys, there is no software or hardware to install and maintain, because Qualys maintains all of the systems and security checks necessary. And because Qualys is centrally managed, all of its vulnerability data and system updates are made in real time and are available to all customers concurrently. In addition, Qualys provides the largest KnowledgeBase of vulnerability signatures in the industry, currently more than 25,000 security checks, and Qualys performs more than one billion IP scans a year.
“The Enterprise TruRisk Platform was something that we were able to confidently choose for a relatively low cost, while improving our level of preparedness for when auditors arrived. With Qualys, we can provide them very comprehensive, yet understandable, reports,” Smith says.
HDI put the Enterprise TruRisk Platform to use immediately, and was able to quickly identify and remedy flaws found in its externally facing systems. “We appreciate its very usable interface, and the fact that it’s always available to conduct assessments without requiring any hardware,” Smith says. “With Qualys, we’re able to conduct vulnerability testing and quickly see everything on the perimeter that needs to be remedied.”
The scans provided by the Enterprise TruRisk Platform not only identify new vulnerabilities but also new devices and servers as they are put on the network. This way, if someone places a new application or system on HDI’s Internet-facing network, Qualys will spot it right away. “The discovery scan has proven incredibly helpful,” Smith says.
Extending the Enterprise TruRisk Platform to Secure Web Apps
Soon, HDI will be undergoing its SSAE No. 16 (SOC 1) assessment. For that, Smith and his team need to make certain that their systems are not only ready for a thorough security evaluation but that the auditors will be able to see proof that a comprehensive, sustainable vulnerability management program is in place. “They literally look over everything. They have a team that spends about a week at your offices doing nothing but trying to find [security] holes,” he says. “Qualys helps us to be very prepared for this assessment.”
As is the case with most enterprises today, HDI is constantly developing new applications, as well as enhancing existing ones. And to make certain that this development is done securely, security teams need to be a part of the development process. “Qualys Web Application Scanning is helping us to get that done,” he says.
HDI recently expanded its use of Qualys to include Qualys Web Application Scanning (WAS). WAS is a cloud service that provides automated crawling and testing of custom web applications to identify web application vulnerabilities such as cross-site scripting (XSS) and SQL injection. This automated web application scanning service enables regular testing that produces consistent software security improvements, produces fewer false positives than other web application scanners, and easily scales to secure a large number of web applications.
Today, HDI uses Qualys WAS to regularly assess the custom web applications it uses to analyze health care claims for fraud. “These assessments have to be regular, because every time developers make updates to any application, there's a chance for new vulnerabilities. And every time they roll out a new version of an application, we have to make sure no new flaws are being introduced,” Smith says.
Qualys WAS has also helped HDI’s security team share security responsibilities with the company’s development team. Because Qualys WAS is easy to use for assessing applications, developers can conduct assessments themselves, with Smith and his team receiving ongoing status reports. “The developers are going to continue to use it as a part of their quality assurance testing. That takes a big workload off security. It's nice to be able to hand a tool to development and let them run with it themselves,” he says. “It’s just another reason why Qualys has proven to be the best choice for us.”