Recently I attended a NorCal HIMSS Meetup gathering where the focus was on HIPAA, and had a chance to chat with a few hospital administrators who were discussing compliance. They talked about how every technology vendor now claims to be HIPAA compliant, but it’s up to the hospital to do due diligence to evaluate a vendor’s products to validate the vendor’s claims.
I disagree that a hospital should have to prove that a technology solution is secure. Proving a solution is secure is a vendor’s responsibility.
Everybody says they’re HIPAA compliant, but are they?
A hospital should be suspect of any vendor who claims to be HIPAA compliant. A vendor can enable HIPAA compliance. But the vendor can’t guarantee that the deployed solution will be HIPAA compliant because so many controls are out of the vendor’s hands.
HIPAA compliance is a joint effort between a vendor and a hospital. What hospitals should be looking at is:
- Does the vendor prove that they enable HIPAA compliance?
- Has the compliance claim been validated by a third party auditor to ensure the vendor has correctly implemented controls and technologies?
- Has a third party validated that the vendor has correctly implemented encryption and cryptographic modules? (Everyone should use encryption, and most vendors do. Third-party validation is the critical measure.)
Vocera strives to prove that our products enable HIPAA compliance through a number of national defense credentials, and industry validation.
For example, our core voice solution received an Authorization to Operate on Army hospital networks. The Vocera® Communication Badge received Federal Information Processing Standard (FIPS) 140-2 Certification. Our core communications systems are Joint Interoperability Test Command (JITC) certified, which means the U.S. Department of Defense approved them for use on its secure networks. The Veterans Administration (VA) has deployed our communication platform in more than 40 VA locations nationwide and more than 20 DoD facilities worldwide.
From an industry perspective, the Vocera Cloud Platform meets the criteria defined by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles.
No vendor of communication solutions for healthcare comes close to our depth and breadth of security credentials and validation. Most don’t have any of these credentials at all.
Secure enough for FISMA, secure enough for HIPAA
At Vocera, I’m part of a team that’s bringing security into the core business. I get to touch every aspect of the security spectrum. This includes things like scanning for vulnerabilities in our products, vulnerability fix and mitigation, product certification, responding to proposals, and interfacing with our commercial and federal customers on security and compliance issues.
I came to work for Vocera in 2012 after nearly 17 years in the military and defense sector. I spent seven years in active duty and ten in defense contracting focused on IT, software development, and security. Cyber security was a big part of everything we did. The military applies the most rigorous security standards available to its communication systems, and I’ve worked to bring many of those standards to Vocera.
I use the Federal Information Security Management Act (FISMA) framework as the basis of my approach to securing Vocera’s products. Used as a baseline, this framework maps well to HIPAA/HITECH, ISO, and SOC.
What I’m most proud of
It was a major accomplishment to get the Vocera Communication Badge through FIPS 140-2 Certification. I am most proud of getting three generations of the Vocera Badge through FIPS 140-2 validation and being able to keep our solution on the DoD Approved Products List. With confidentiality, integrity, and availability becoming such a focal point with our non-federal customers, I like that Vocera is pursuing commercial certifications and third party validations as well.
Our commercial customers benefit from Vocera having achieved certifications and validations from the DoD and the VA; it takes less work for their security teams to verify that Vocera solutions are secure and robust.
What I enjoy most about working at Vocera is that we make product security a priority, and that our customers are shifting in the same direction and challenging us to innovate. For example, we worked with the Fort Belvoir team to put the Vocera solution through the DoD Information Assurance Certification and Accreditation Process. We initially designed Vocera technology for use in commercial environments, and we had to make many system changes to lock down and harden the solution to comply with DoD security requirements while maintaining excellent system performance.