Security Health Check

How MetricAid secured its physician scheduling.

It’s not a stretch to assume that the last thing on your mind when you’re in the hospital is what SaaS-based solutions they’re using. You simply expect the highest level of care to be available when your life is on the line – regardless of the nuances.

However, myriad software and technology solutions used by hospitals are an integral aspect of each institution’s functioning and can affect the care you receive.

Working behind the scenes to ensure healthcare professionals have the best tools available is MetricAid, a Canada-based provider of emergency department physician scheduling as a service.

Their performance- and preference-based physician scheduling solutions help Canadian hospitals decrease wait times, improve patient outcomes and reduce readmission rates.

When the effectiveness of a software solution is literally a matter of life or death, there’s no room for error.

A Man of Many Hats

Peering deeper into the technology solutions that keep patients alive in the ER reveals an interesting reality, especially in the case of MetricAid.

At the center of it all is CTO/CPO Chris Jones. As a self-described “one-man IT operations department,” he’s responsible for ensuring that every piece of software produced by the MetricAid development team and used by its schedulers and physician clients is running securely.

That responsibility, he explains, isn’t taken lightly, especially with MetricAid’s small IT footprint.

“We’re almost too big to be called a start-up by some measures, but we’re still a young company and everyone still wears multiple hats, including me,” he said. “So it’s critical that each technology solution and vendor we use helps streamline our workload.”

Canadian Compliance Standards:
Personal Information Protection and Electronic Documents Act (PIPEDA) – Enacted in 2000, this act outlines the standards private-sector organizations must follow when collecting and sharing personal information collected electronically.

Digital Privacy Act (DPA) – In 2015, the Canadian Parliament amended PIPEDA by passing the Digital Privacy Act (DPA). This law requires notification in the event of a data breach. It also imposes obligations on nearly 250 federal government departments and agencies to respect privacy rights.

A Different Standard

The need for an efficient technology partner was particularly evident when MetricAid was looking to secure their cloud-hosting environment.

Not unlike its peers below the border, who are beholden to HIPAA, MetricAid has to meet the requirements of Canada’s own data regulations, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Digital Privacy Act (DPA), as well as numerous provincial laws pertaining to healthcare data.

However, that’s where the comparisons end. A key provision of Canadian healthcare data regulation is that ePHI data of Canadian citizens must be stored on Canadian soil. Hosting on a public cloud that is physically located anywhere outside of the country’s nearly four million square miles is not allowed.

This greatly limited the hosting and security options available to MetricAid. It forced them to choose between myriad solutions that at best could only provide some of what they were looking for.

It was a complicating factor that had Jones wondering how he could achieve hosting, security and compliance without tripling his workload.

“Security was becoming a full-time job for me, on top of my other full-time roles,” he said. “I was spending 8-16 hours a week manually checking log data. And when I wasn’t checking logs, I was worrying about what vulnerabilities I might be missing by not checking them.”

The challenge remained: he needed a security solution that would not only help him monitor and protect sensitive client data, but could also be integrated on top of his Canadian-based public cloud environment.

Anywhere and Everywhere

After conducting thorough due diligence, MetricAid found that Armor Anywhere, a cloud security stack, could protect any public cloud environment – regardless of country code.

Once it was installed in MetricAid’s environment, Jones had the data monitoring and vulnerability management technologies he needed to ensure complete protection of its clients’ sensitive data.

According to Jones, Armor Anywhere practically began paying for itself on day one.

With his security team extended and empowered, Jones can get back to work on what matters most for MetricAid: ensuring Canadian ERs can operate at peak efficiency through innovative physician scheduling.

He may still be a “one-man IT Operations department,” but he’s certainly not on his own when it comes to cloud security.
