Even though the utilization review (UR) industry and state workers’ compensation processes are not governed by HIPAA, participants in the industry still handle highly sensitive personal health information (PHI). It is crucial that UR servicers and the software providers they rely on protect confidential patient data. Here are three controls that any UR software platform should have in place.
Encryption in Transit
All communication, both between the components of the software and between users and the software, should run over encrypted channels. A web application must serve every page and API call over HTTPS (TLS), not only the login page, so that data moving between a user’s browser and the company’s servers cannot be read or altered on the way. Standalone client applications that talk to a backend must likewise use TLS, and must verify the server’s certificate rather than accept whatever certificate is presented.
As an added measure, companies that provide software as a service can also encrypt traffic between individual machines inside their own data center. This is typically done with mutual TLS: each machine presents a certificate, and a service accepts connections only from machines holding a certificate issued by the company’s internal CA. Then, even if an attacker gains a foothold on one machine in the network, they cannot read the traffic passing between the other machines and cannot impersonate a trusted service to them. This is the strongest protection available against an intruder intercepting data as it flows between machines.
Separation of Concerns
The term “separation of concerns” here refers to splitting the application into tiers that are isolated from one another. For example, the only part of the whole application exposed to the outside world should be the web servers that receive requests from users’ browsers. Software developers call this the “UI layer.”
The main processing and data transformations should take place on a deeper, more protected tier that is not reachable from the outside world at all. That tier should accept connections only from the machines in the UI layer, enforced by firewall rules and by authenticating the caller, and it may use an internal protocol designed for that purpose. The protection comes from the isolation and the authentication, not from the protocol being proprietary: an attacker who can reach the internal tier can reverse-engineer any protocol it speaks.
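The two ideas above, encrypting traffic between machines in the data center and making the processing tier reachable only by the UI tier, come together in mutual TLS. The following Go program is an added example written for this page, not code from any UR product. It stands up a “processing” service on a loopback port that presents its own certificate and refuses any caller whose certificate was not issued by an in-memory internal CA. The CA, the names processing.internal, ui.internal and rogue-host, and the one-line request are all constructed for the demonstration; in a real deployment the certificates come from the organisation’s own CA and the service additionally sits behind firewall rules that admit only the UI tier’s addresses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a short-lived certificate for name: a self-signed CA when signer is nil,
// otherwise a leaf signed by signer that is valid for both server and client authentication.
func issue(name string, signer *tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // cannot fail with the OS RNG
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	parent, signKey := tmpl, any(key) // self-signed unless a signer is given
	if signer == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		parent, signKey = signer.Leaf, signer.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced is well-formed
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// callProcessingTier starts the processing service on a loopback port, trusting only
// callers whose certificate was issued by ca, then connects to it presenting client
// (nil = no certificate), sends one request and returns the reply or the TLS error.
func callProcessingTier(ca, client *tls.Certificate) (string, error) {
	pool := x509.NewCertPool() // the internal CA is the only trust anchor on both sides
	pool.AddCert(ca.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{issue("processing.internal", ca)},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no CA-issued client cert, no service
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // the processing tier: serve exactly one connection
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		tc, buf := conn.(*tls.Conn), make([]byte, 256)
		n, err := tc.Read(buf) // runs the handshake; an untrusted caller fails right here
		if err != nil {
			return
		}
		caller := tc.ConnectionState().PeerCertificates[0].Subject.CommonName
		tc.Write([]byte("processed " + string(buf[:n]) + " for " + caller))
	}()
	cfg := &tls.Config{RootCAs: pool, ServerName: "processing.internal"}
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.Write([]byte("review case 42")) // a rejected handshake surfaces on the Read below
	reply := make([]byte, 256)
	n, err := conn.Read(reply)
	if err != nil {
		return "", err // e.g. "remote error: tls: bad certificate"
	}
	return string(reply[:n]), nil
}

func main() {
	ca := issue("internal-ca", nil)
	ui, rogue := issue("ui.internal", &ca), issue("rogue-host", nil)
	for _, c := range []*tls.Certificate{&ui, nil, &rogue} { // CA-issued, none, self-signed
		fmt.Println(callProcessingTier(&ca, c))
	}
}
```

Run as-is, the first call (a CA-issued UI-tier certificate) gets a reply; the second (no certificate) and the third (a self-signed certificate) fail with a TLS error before the service has read a single byte of the request, which is exactly the behaviour wanted from an internal tier: an intruder on another machine can neither read the traffic nor talk to the service.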
Encryption at Rest
Even though the chance of a physical break-in is slim at most data centers, you may not know every person who has physical access to the equipment, and drives also leave the building for repair, replacement or disposal. Physical theft is rare, but the results can be catastrophic when it happens. For this reason, personal health information stored on disk should be protected with encryption at rest.
With encryption at rest, the data is protected even while it is simply sitting on a drive. If someone were to steal a physical drive, it is useless to them as long as all the data on it is encrypted and the encryption keys are kept somewhere else, for example in a key management service or hardware security module, rather than on the same drive.
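As an added example of what encryption at rest looks like inside the application (written for this page, not code from any UR product), the following Go program uses envelope encryption: each record gets its own data-encryption key, which is wrapped by a key-encryption key that would live in a KMS or HSM rather than on the drive. The record ID is authenticated together with the ciphertext, so a stored blob cannot be quietly moved to a different record. The record ID and the PHI string are constructed sample data, and the KMS is assumed rather than shown; here the key-encryption key is simply generated in memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newKey returns a random 256-bit AES key.
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		panic(err) // only fails if the OS random source is unavailable
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// aad is authenticated but not encrypted: it ties the blob to its context.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per encryption
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; it fails if the key, the aad or any bit of the blob is wrong.
func unseal(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// StoredRecord is what lands on the drive. Both byte fields are ciphertext; without
// the key-encryption key (KEK), which lives in a KMS or HSM rather than on the
// drive, neither can be recovered.
type StoredRecord struct {
	RecordID   string
	WrappedDEK []byte // this record's data-encryption key, encrypted under the KEK
	Ciphertext []byte // the PHI, encrypted under the data-encryption key
}

// EncryptRecord applies envelope encryption: a fresh data-encryption key (DEK) per
// record, wrapped by the KEK. The record ID is bound in as AAD, so a stored blob
// cannot be silently moved to a different record.
func EncryptRecord(kek []byte, recordID string, phi []byte) (*StoredRecord, error) {
	dek := newKey()
	wrapped, err := seal(kek, dek, []byte("dek:"+recordID))
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, phi, []byte("phi:"+recordID))
	if err != nil {
		return nil, err
	}
	return &StoredRecord{RecordID: recordID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the DEK with the KEK, then decrypts the PHI.
func DecryptRecord(kek []byte, rec *StoredRecord) ([]byte, error) {
	dek, err := unseal(kek, rec.WrappedDEK, []byte("dek:"+rec.RecordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %s: %w", rec.RecordID, err)
	}
	return unseal(dek, rec.Ciphertext, []byte("phi:"+rec.RecordID))
}

func main() {
	kek := newKey() // in production: fetched from the KMS, never written beside the data
	phi := []byte("constructed sample PHI: claimant J. Doe, lumbar MRI requested") // not real data
	rec, _ := EncryptRecord(kek, "ur-case-1042", phi)
	fmt.Printf("on disk: %x...\n", rec.Ciphertext[:16])
	phiBack, err := DecryptRecord(kek, rec)
	fmt.Println("with KEK:", string(phiBack), err)
	_, err = DecryptRecord(newKey(), rec) // a stolen drive without the KEK yields only an error
	fmt.Println("without KEK:", err)
}
```

Because GCM authenticates as well as encrypts, the same check that stops a thief from reading the data also detects a drive whose contents were altered or a ciphertext copied from one patient’s record into another’s. Rotating the KEK means re-wrapping only the small per-record keys, not re-encrypting every record.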
Although these are basic security standards, not all companies make the effort to protect their data in all three ways. Some believe they will not become a target and do only the minimum. Security is more important than ever, and any organization holding patient data can be targeted. UR servicers need a software provider that takes the security of their data as seriously as they do.