Protecting Patient Information Within The Cloud

By Rich Sadowski

Companies across the healthcare industry have started collaborating with virtual contact centers in an attempt to operate more efficiently while still offering the highest quality customer care. Known as “homeshoring,” using home-based customer care professionals has already helped many healthcare organizations remain competitive in the current economic climate. These virtual companies have shown they can deliver better service than traditional brick and mortar centers with results such as higher customer satisfaction, faster issue resolution, and greater patient empathy. Yet, information privacy concerns and strict security regulations are still preventing some executives from exploring the use of home-based employees.

Preventing Unauthorized Access: Misuse of patient information is one of the most dreaded threats for any healthcare organization. For this reason, any virtual contact center that works with healthcare clients must be extra diligent when implementing security systems and processes to help prevent unauthorized access to sensitive data. The following are a few recommendations for network security within a virtual environment:

  • Firewalls: A firewall configuration, known as the firewall sandwich, is used by many virtual contact centers to protect both the Web application servers and the back-end systems. This configuration is particularly important when back-to-back firewalls exist at the boundaries of the service provider and enterprise network infrastructures.
  • Authentication: Multi-factor authentication processes are used to ensure that users are who they say they are. It is advisable for any log-on process to require the user to input something he or she knows, like a password, along with inserting something unique that the user has, such as a onetime token code from a security device. Additionally, contextual information can also be used to help confirm a user’s identity, such as if the employee is scheduled to work during the period of the log-on attempt.
  • Authorization: Once users are authenticated, they should then be authorized to access only certain resources. Handling the authorization controls is the job of a triple-A (authentication, authorization, and accounting) server using policy-based management rules.
  • Virtual Private Networks: To reduce the risk of hackers attempting to “tap” into sessions or pretending to be a legitimate user, cloud-based contact centers should utilize a virtual private network (VPN). VPNs establish encrypted “tunnels” through the public network by encapsulating traffic in special packets. The use of strong encryption, such as that afforded by the 256-bit Advanced Encryption Standard (AES), makes it virtually impossible for hackers to snoop or hijack virtual private network traffic.

Preventing Information Misuse: The other security factor that must be considered when outsourcing to a virtual call center is the procedures that are in place to help prevent the misuse of information. After employees are approved, securing their home-office environment requires applying comparable layers of security as found in a physical call center but in different ways. Below are some best practices for making the work at-home arrangement as secure as possible:

  • Virtual Agents: Efforts to prevent the misuse of confidential information should begin with hiring the right people. Before an employee attempts to access an organization’s network, he or she should be thoroughly vetted prior to hire. At a minimum, this process should include background and criminal checks.
  • Computer Controls: It is strongly recommended that an at-home agent’s home computer be “locked” when in use for work. This can be accomplished using a special security application and typically prevents any information from being copied, logged, transmitted, or otherwise retained.
  • Software Updates: A best practice is to have a patch cycle that regularly installs system and security software patches and updates. This helps ensure the security software used is up-to-date with the latest version.
  • Host Integrity Checks: When working in a cloud-based environment, it is important to make sure all operating systems, applications, and security software are installed correctly and operating properly. This is done by through an endpoint HIC (host integrity check) performed every time an employee logs on. The HIC also validates the registry settings, confirms that no unauthorized application is currently installed, and verifies that the agent is attempting access at a scheduled time and via an authorized network.
  • Telephone Keypad Entry: Another best practice is to protect personally identifiable data by having customers enter sensitive information directly via the telephone keypad. “At the tone, please enter your credit card number.” The identifying information is then associated with the caller’s entire session, but it is masked on every screen so as not to be visible to the agent.

By following these security provisions, a cloud-based contact center can be made just as secure as a physical brick-and-mortar facility. To help select the right at-home contact center partners, it is strongly recommended to work with an organization has been able to achieve third-party validated compliance of HIPAA, HI TECH Act, and Payment Card Industry Data Security Standards (PCI- DSS) Level 1 certification.

Rich Sadowski is vice president of Solutions Engineering for Alpine Access, Inc., a provider of employee-based virtual contact center solutions and services. Alpine Access was recently named the best contact center and CRM outsourcer for client satisfaction by Datamonitor’s Black Book of Outsourcing.\

[From the June/July 2012 issue of AnswerStat magazine]