Atlantic Business Technologies, Inc.

Category: Healthcare

  • Testing for HIPAA Compliance

    Testing for HIPAA Compliance

    Healthcare organizations rely heavily on software systems to manage patient data. With data breaches and cyberattacks on the rise, testing for HIPAA compliance is essential to protect protected health information (PHI) and to demonstrate that regulatory requirements are met. Such testing is a rigorous evaluation of the software’s security measures, privacy protocols, and data protection mechanisms for safeguarding sensitive patient data.

    Understanding HIPAA Compliance

    The Health Insurance Portability and Accountability Act (HIPAA) sets standards for the privacy and security of PHI. Its Privacy and Security Rules lay out requirements that covered entities (such as healthcare providers) and their business associates must follow to protect patient information, including:

    • Access controls and monitoring: Limiting access to PHI to authorized personnel and keeping a record of that access.
    • Data integrity: Ensuring that PHI is not altered or destroyed in an unauthorized manner.
    • Transmission security: Protecting PHI against unauthorized access while it travels over a network.
    • Security safeguards: Implementing administrative, physical, and technical safeguards to protect PHI.

    Testing for HIPAA Compliance

    By conducting comprehensive testing, healthcare organizations can verify that their software systems meet the necessary standards for protecting patient privacy and security. The following is recommended:

    1. Perform a Risk Assessment: 
      • Identify where PHI is created, stored, transmitted, and processed, and the threats and vulnerabilities that apply to each location.
      • Prioritize risks based on likelihood and impact.
      • Develop a risk management plan that assigns an owner and a remediation date to each identified risk.
    2. Verify Security Controls:
      • Test access controls with both positive and negative cases: an authorized user can reach the PHI they need, and a user without that role is refused (not merely hidden from the link), so that unauthorized disclosure is prevented.
      • Evaluate encryption mechanisms to ensure that PHI is protected during transmission and at rest, including where keys are stored and who can use them.
      • Assess data backup and recovery procedures to ensure that PHI is protected against loss or corruption, and that backups are encrypted and access-controlled like the primary copy.
      • Check that the software audits user activity with enough detail to answer who accessed which PHI record, when, and whether the attempt succeeded, and that denied attempts are logged too.
    3. Evaluate Data Integrity: 
      • Test data validation and error checking to prevent incorrect or incomplete data entry.
      • Verify data backup procedures and disaster recovery plans by actually restoring from a backup, not only by reading the plan.
      • Make sure that data is stored in a consistent and accurate format and is protected against loss or corruption.
      • Assess auditing and monitoring capabilities to detect unauthorized access or modification, including modification of the audit records themselves.
    4. Transmission Security:
      • Test that PHI travels only over secure protocols (e.g., HTTPS), that plain HTTP is redirected or refused, and that deprecated TLS versions and weak cipher suites are disabled.
      • Evaluate the encryption algorithms and key lengths used to secure data in transit.
      • Assess the security of wireless networks and devices used to access PHI.
    5. Business Associate Agreements:
      • Ensure that business associates have appropriate safeguards in place to protect PHI.
      • Verify that business associate agreements comply with HIPAA requirements.
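    The following Go program is an added illustration for this page, not code from the original article or from any particular product. It is the kind of automated check a test suite would run for steps 2 and 3 above: it authorizes PHI reads against a small role policy, writes every attempt, allowed or denied, to a hash-chained audit log, and then confirms that an after-the-fact edit to the log is detected. The roles, permission names, user names, record identifier and clinical value are all assumptions for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Hypothetical role-to-permission policy; the roles, permission names and
// record IDs in this file are assumptions for the example, not from the page.
var policy = map[string]map[string]bool{
	"physician": {"phi:read": true, "phi:write": true},
	"nurse":     {"phi:read": true},
	"billing":   {"billing:read": true},
}

// AuditEntry records who did what to which PHI record, when, and with what
// outcome. Prev holds the previous entry's digest, so editing or removing an
// earlier entry breaks the chain and is detectable.
type AuditEntry struct {
	Time    string `json:"time"`
	Actor   string `json:"actor"`
	Role    string `json:"role"`
	Action  string `json:"action"`
	Record  string `json:"record"`
	Outcome string `json:"outcome"`
	Prev    string `json:"prev"`
	Digest  string `json:"-"` // SHA-256 of the JSON encoding of the fields above
}

type AuditLog struct{ Entries []AuditEntry }
const genesis = "0000000000000000000000000000000000000000000000000000000000000000"

func digestOf(e AuditEntry) string {
	b, _ := json.Marshal(e) // Digest itself is skipped by its json:"-" tag
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

func (l *AuditLog) Append(actor, role, action, record, outcome string) {
	prev := genesis
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Digest
	}
	e := AuditEntry{Time: time.Now().UTC().Format(time.RFC3339Nano), Actor: actor,
		Role: role, Action: action, Record: record, Outcome: outcome, Prev: prev}
	e.Digest = digestOf(e)
	l.Entries = append(l.Entries, e)
}

// Verify recomputes every digest and link; it fails at the first entry whose
// content or position no longer matches what was recorded.
func (l *AuditLog) Verify() bool {
	prev := genesis
	for _, e := range l.Entries {
		if e.Prev != prev || digestOf(e) != e.Digest {
			return false
		}
		prev = e.Digest
	}
	return true
}

// PhiService stands in for the application under test: every read is
// authorized against the policy and logged, whether allowed or denied.
type PhiService struct {
	Log     *AuditLog
	Records map[string]string // constructed sample PHI keyed by record ID
}

func (s *PhiService) Read(actor, role, record string) (string, error) {
	if !policy[role]["phi:read"] { // an unknown role yields a nil map, which reads as false
		s.Log.Append(actor, role, "phi:read", record, "denied")
		return "", errors.New("access denied")
	}
	s.Log.Append(actor, role, "phi:read", record, "allowed")
	return s.Records[record], nil
}

// RunControlTests exercises the access-control and audit requirements and
// reports each check by name; a compliance suite would assert on all of them.
func RunControlTests() map[string]bool {
	svc := &PhiService{Log: &AuditLog{}, Records: map[string]string{"MRN-1001": "dx=J06.9"}}
	r := map[string]bool{}
	_, err := svc.Read("nurse.ann", "nurse", "MRN-1001")
	r["authorized role can read PHI"] = err == nil
	_, err = svc.Read("clerk.bob", "billing", "MRN-1001")
	r["unauthorized role is denied"] = err != nil
	last := svc.Log.Entries[len(svc.Log.Entries)-1]
	r["denial is audited with actor and record"] = last.Outcome == "denied" && last.Actor == "clerk.bob" && last.Record == "MRN-1001"
	r["audit chain verifies"] = svc.Log.Verify()
	svc.Log.Entries[0].Actor = "someone.else" // simulate after-the-fact tampering with the log
	r["tampered audit log is detected"] = !svc.Log.Verify()
	return r
}

func main() { fmt.Println(RunControlTests()) }
```

    Two points of design carry over to real systems: the denied attempt is logged before the error is returned, so the negative case leaves evidence, and the chain only proves that the log has not been altered since it was written; protecting it from deletion or replacement still needs an append-only store or off-box forwarding.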

    Testing for HIPAA compliance is an ongoing process that requires continuous evaluation and improvement. By conducting thorough testing and addressing identified vulnerabilities, healthcare organizations and their business associates can protect patient privacy and maintain regulatory compliance.

  • Failed RFPs are expensive. Here’s how to find better vendors.

    Failed RFPs are expensive. Here’s how to find better vendors.

    When you find yourself in a scenario where custom software is essential, you have three options:

    1. Develop the custom software in-house.
    2. Find a partner to handle the entire project.
    3. Partner with a vendor who integrates with your team.

    This middle ground of working closely with a vendor leads to writing an RFP and evaluating responses.

    Why do RFPs fail?

    Many RFP partnerships fail because of poor vendor selection or because the project requirements and deliverables were never clearly defined. You may even have lost faith in partnering with outside vendors altogether.

    Consider that it might not be the RFP process that’s failing, but rather using outdated methods for evaluating your partners. After all, they’ve probably responded to enough RFPs that they’ve learned what you want to hear at the surface level.

    Try these evaluation tactics to dig deeper and choose better partners.

    1. Stop using price as a measure of quality.

    We are trained to believe that price and quality have a linear relationship: the more you pay, the higher the quality, and the less you pay, the lower the quality.

    However, price is not exclusively tied to a company’s output. It’s also closely tied to internal efficiency and how streamlined internal processes may be.

    A vendor who has found a highly efficient way to produce a quality product may have the same price as a company who cuts corners to produce a low quality product.

    According to CIO.com, “The highest priced technology partners often spent longer amounts of time on the project, with too many unnecessary staff members and account managers. On the other hand, the lower end of the market often lacked the skill and technical ability to produce consistent quality.

    Picking a technology partner is a completely different experience than shopping on Amazon. You cannot go to a vendor and simply pick the lowest price for the exact service you need. It can be a nuance-filled and complex process.”

    For this reason, your perfect partner is likely in the middle ground of high and low price.

    2. Rely on references over examples.

    Most organizations like to see vendors’ examples of past work and testimonials to help them evaluate expertise. This may come in the form of case studies or quick client quotes.

    The problem is, these are surface-level validators that can skim over some of the important nitty gritty. You’ll want to take a step further. Always ask for references to discover:

    • How the vendor handled issues that arose during the process
    • How the vendor performed in terms of budget and timeline
    • If the final product was satisfactory and truly provided business value

    3. Look for a warranty.

    Vendors who truly believe that their services will be satisfactory will offer some sort of guarantee. This may be in the form of month-to-month contracts, commitment to fixing bugs for free, or free work when a project exceeds budget.

    4. Seek vendors with flexible processes.

    Your organization has its own ways of working. Is your vendor flexible enough to fit them? What happens when two rigid organizations work together? Look for a partner who can mold their development, deployment, project management, and billing processes to fit your organization’s standards.

    Need help with custom software development?

    Whether you need help defining business requirements, writing an RFP, or are in the stage of looking for vendors; we’d love to learn more and see how we can help! Get in touch for a free consultation.

  • Atlantic BT Becomes SOC 2 Type I Certified. What’s Next?

    Service Organization Control 2 (SOC 2®) is a thorough technical audit in which an independent CPA firm examines a company’s security controls against strict criteria. Holding a SOC 2® report gives Atlantic BT’s clients independent assurance that we provide well-controlled cloud environments, both protecting their private data and having a plan of action for detected threats.

    While Atlantic BT completed a SOC 2® Type I audit examination on April 1st 2019, we are currently pursuing SOC 2® Type II. Our goal is to give clients peace of mind with our cloud solutions, educate on security measures, and continue to stay up-to-date with industry standards to prevent future threats.

    Type I vs. Type II: What’s the Difference?

    SOC 2® engagements are performed in accordance with the American Institute of Certified Public Accountants’ (AICPA) attestation standard AT-C section 205 (Examination Engagements) and are based on the trust services criteria (formerly called trust services principles) described in the AICPA’s SOC 2® reporting guide. A SOC 2® Type I examination is performed by an independent auditing firm and results in a report on the suitability of the design of the service organization’s internal controls. Strictly speaking, the outcome is an attestation report rather than a certification, although “certified” is common shorthand.

    Type I and Type II both report on controls and processes against five trust services categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security (the common criteria) is included in every SOC 2® report; Atlantic BT’s report covers Security, Availability, and Confidentiality.

    The primary difference is that Type I evaluates the design of our controls at a single point in time, confirming that the proper policies and procedures are in place. Type II covers a review period (commonly six to twelve months) and additionally tests that those controls operated effectively throughout it.

    How Atlantic BT Became SOC 2® Type I Certified

    SOC 2® Type I is a starting point that paves the way for Type II. Some examples of the measures we took to achieve our Type I report include:

    • Use of encryption protocols to protect customer data
    • Designing with tiered access for client accounts
    • Ongoing management of capacity demand
    • Required internal training courses to help employees spot suspicious activity

    Skoda Minotti, an international business advisory firm, was selected to conduct the final audit. Atlantic BT received its SOC 2® Type I report after thorough testing and review.

    “We were excited to work with Atlantic Business Technologies from the very start. They are an intriguing organization delivering high quality services and their business adds to our growing SOC reporting practice.”

    – Ben Osbrach, CISSP, CISA, QSA, CICP, CCSFP, partner-in-charge of Skoda Minotti’s risk advisory group

    What This Means For Partners

    Many companies require their software partners to hold a SOC 2® report. Businesses handling sensitive data or working in highly regulated industries, such as those subject to HIPAA, commonly require it of their providers as evidence that controls have been independently examined. SOC 2® is not itself a HIPAA mandate, but it is a widely accepted way for a business associate to demonstrate the safeguards HIPAA expects.

    In general, any security-conscious business can count on the rigorous auditing process to hold companies to a high standard.

    What’s Next for ABT?

    Atlantic BT will undergo audits on an annual basis to maintain its SOC 2® report and will continue to apply best practices by maintaining logs of its application of these SOC 2® controls, policies, and procedures in order to achieve SOC 2® Type II. Committed to quality, we will continue this voluntary process to provide top-notch service and expand our capabilities.

    “The successful completion of our SOC 2® Type I examination audit provides Atlantic BT’s clients with the assurance that the controls and safeguards we employ to protect and secure their data are in line with industry standards and best practices.”

    – Matt Lemke, President of Atlantic BT

    We are happy to further discuss our SOC 2® report or help you plan for any of your security needs. If you are interested in learning more about our cloud and cybersecurity solutions, reach out to schedule a free consultation.

  • How to Innovate in a Highly-Regulated Environment

    ABT helped Mutual Drug navigate a highly-regulated environment to provide a modern, user-friendly application which met and exceeded industry standards. Here’s how we modernized this healthcare website.

    Needed: A Secure and Streamlined Ordering System

    Pharmacists and pharmacy managers must maintain an inventory and order replenishment stock, just as any business selling physical products. However, pharmacies have the additional challenge of meeting the regulatory requirements for controlled substances (drugs scheduled by the Drug Enforcement Administration under the Controlled Substances Act because of their potential for abuse). Specifically, any electronic ordering system they build or use must comply with the DEA’s Controlled Substance Ordering System (CSOS) requirements. In essence, CSOS requires the purchaser to digitally sign each order for controlled substances with a DEA-issued digital certificate, so that the supplier can verify who placed the order and that it was not altered.

    Atlantic BT’s client, NC Mutual Drug, is a pharmaceutical distributor with $1.2B+ in B2B volume. Their existing system, while CSOS-compliant, was cumbersome to use and required logging in and navigating two different systems. The client tasked us with designing and building a new system that was secure, highly available, fault tolerant, fully compliant with CSOS requirements and, most importantly, simpler and faster to use than their previous system. Achieving these objectives made it easier for the client’s customers to place small orders more frequently, thus reducing the need for bulk orders and product stockpiling.  

    Performing 11 Validations without Losing Your Mind

    Conceptually, the technical challenge was straightforward: use Public Key Infrastructure (PKI), as the standard requires, to manage the digital signatures that establish the authenticity and integrity of each order for controlled substances. A signature proves who signed the order and that it has not been changed since; it does not by itself encrypt the order, which is left to the transport layer. This kind of technology is often integrated with web applications to secure the electronic transfer of information for activities such as e-commerce, internet banking and confidential email.

    Straightforward, however, did not mean simple—we had to design, build, and test a robust, scalable, secure system that would perform eleven validations for each transaction, yet be simple and efficient for the user. After working closely with the client to understand all the usability and functional requirements, we proposed a design to meet their needs.
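    The following Go program is an added illustration for this page; it is not Atlantic BT’s or NC Mutual Drug’s code, and it does not reproduce the DEA’s enumerated validations. It shows the core of what such a system does for each order: a pharmacist’s certificate is issued by a trusted authority, the order is signed with the matching private key, and the receiving side checks the certificate chain, validity period and key usage before verifying the signature over the order it actually received. The CA name, pharmacist name, order format and certificate lifetimes are assumptions for the example; a real CSOS deployment would trust the DEA’s CSOS root rather than a locally generated one and would also check revocation, which this example omits.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func must(err error) { // fixture setup only; the validation path returns errors instead
	if err != nil {
		panic(err)
	}
}

// issueCert generates a P-256 key and a certificate for tmpl signed by parent;
// with parent == nil the certificate is self-signed (a root, or an impostor's cert).
func issueCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// template builds a minimal certificate; the names and lifetimes passed in are assumed.
func template(cn string, serial int64, ca bool, now time.Time, life time.Duration) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(life), KeyUsage: x509.KeyUsageDigitalSignature}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// SignedOrder is what the purchaser submits: the order text, an ECDSA signature
// over its SHA-256 hash, and the signer's certificate.
type SignedOrder struct {
	Order string
	Sig   []byte
	Cert  *x509.Certificate
}

func SignOrder(order string, key *ecdsa.PrivateKey, cert *x509.Certificate) (SignedOrder, error) {
	h := sha256.Sum256([]byte(order))
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	return SignedOrder{Order: order, Sig: sig, Cert: cert}, err
}

// ValidateOrder is the supplier-side check: the signer's certificate must chain to a
// trusted root and be valid at now, it must be permitted to sign, and the signature
// must match the order text actually received. Revocation checking is omitted here.
func ValidateOrder(so SignedOrder, roots *x509.CertPool, now time.Time) error {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := so.Cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate chain: %w", err)
	}
	if so.Cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return fmt.Errorf("certificate is not authorized for digital signatures")
	}
	pub, _ := so.Cert.PublicKey.(*ecdsa.PublicKey) // nil unless the key is ECDSA
	h := sha256.Sum256([]byte(so.Order))
	if pub == nil || !ecdsa.VerifyASN1(pub, h[:], so.Sig) {
		return fmt.Errorf("signature does not match the order")
	}
	return nil
}

// OrderOutcome holds the validation error for each scenario; nil means accepted.
type OrderOutcome struct{ Valid, Tampered, Untrusted, Expired error }

// DemoOrders issues a trusted CA and a pharmacist certificate, signs a constructed
// order, and validates it alongside three orders that must be rejected.
func DemoOrders() OrderOutcome {
	now := time.Now()
	ca, caKey := issueCert(template("Example Order CA", 1, true, now, 365*24*time.Hour), nil, nil)
	signer, signerKey := issueCert(template("Pharmacist J. Doe", 2, false, now, 90*24*time.Hour), ca, caKey)
	impostor, impostorKey := issueCert(template("Impostor", 3, false, now, 90*24*time.Hour), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca) // only the legitimate CA is trusted
	order := "order=1001;item=EXAMPLE-ITEM;qty=10;date=2024-01-01" // constructed sample
	good, err := SignOrder(order, signerKey, signer)
	must(err)
	forged, _ := SignOrder(order, impostorKey, impostor) // valid signature, untrusted signer
	tampered := good                                      // original signature, but the quantity was changed in transit
	tampered.Order = strings.Replace(order, "qty=10", "qty=100", 1)
	return OrderOutcome{
		Valid:     ValidateOrder(good, roots, now),
		Tampered:  ValidateOrder(tampered, roots, now),
		Untrusted: ValidateOrder(forged, roots, now),
		Expired:   ValidateOrder(good, roots, now.Add(2*365*24*time.Hour)),
	}
}

func main() { fmt.Printf("%+v\n", DemoOrders()) }
```

    The order of checks matters: the chain and validity period are established before the signature is examined, so a signature from an impostor’s self-issued certificate is never treated as meaningful, and the key-usage test guards against a certificate that chains correctly but was never authorized to sign orders.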

    Following the Rules, Even When They’re Old

    The real challenge was to implement this standard in a way that was efficient and intuitive yet compliant with standards written over a decade ago (and hence technologically outdated).

    Making matters even more complicated, the detailed requirements of implementing a CSOS-compliant system are scattered over 300+ pages of over a half-dozen government documents. On top of that, the final system would have to be certified by a 3rd-party auditor. Given the dispersed requirements and 3rd-party verification, development of a compliant CSOS system could become a very long, expensive process if not managed carefully.

    We needed to design a more modern web application which would perform both the client and server actions on a consolidated platform—while satisfying standards written more than 10 years ago. 

    Solution: Communicate, Iterate, and Evaluate

    To resolve any open questions, early in the process we contracted with an established 3rd party CSOS auditor to evaluate the application. Atlantic BT worked closely with the auditor to share documents and information so they could provide feedback on the development direction. Atlantic BT then performed multiple internal audits and tests to save our client the significant costs of multiple official audits.

    After extensive back-and-forth discussion with the client and the auditor, including a couple of challenges both to the requirements and to the proposed solution, all parties agreed a slight modification to ABT’s original design would meet both the client’s requirements and the standard. We built the system to the agreed-upon design, tested it, and had it evaluated by the auditors, who approved and certified the application as compliant.

    Result: Elegant Compliance Meets Streamlined Usability

    NC Mutual Drug now has a state-of-the-art solution for their customers to easily, securely place orders for their pharmaceuticals, including controlled substances. They can now rest assured they have a much more robust, fault-tolerant, scalable system that can easily grow with them into the future.

    Beyond stability and compliance, a validation process that formerly took 3+ minutes and multiple systems can now be completed in 30 seconds on a single interface. Considering NC Mutual Drug’s  operation runs hundreds of these processes every day, this exceptional boost in efficiency frees up member pharmacists to perform more important tasks to protect customer health.

    Get a more detailed look at the system Atlantic BT delivered by reading our in-depth writeup of Mutual Drug’s new CSOS system.

  • Happiness Can be Found, Even in the Darkest of Web Projects

    Institutional web projects are a beast. Revamping a website for Higher Education or Government is no easy feat. But, there are many business owners, CEOs, and executives who will say it was the best decision they ever made. Alas, there are just as many, if not more, who will report that their projects failed. It took too long, cost too much, and left them feeling disappointed or underwhelmed.
     
    There are a lot of reasons why a new website might not succeed or the process will drag on longer than expected. But, the happiest web development clients always have a few traits in common. If you want to avoid the major pitfalls associated with putting a large website together, read on. Here are a few examples you should follow.

    Begin With a Firm Set of Goals

    All successful web development projects begin with a firm set of goals. These goals are measurable. There is another plan in place to assess if the website has met or exceeded expectations. Knowing the specifics of what you want your website to do, puts everyone in a good starting position. A strong development team can generate a plan that moves you in the right direction.
     
    Without concrete goals, there is nowhere for your project to go. If there is a great deal of ambiguity about what would constitute success, then real results will be hard to see. Also crucial to your project’s goals are the stakeholders. If they disagree on what the priorities should be, then no one will be able to move forward and be productive, and the project outcome will likely be disappointing. 

    Get Participation From Many Levels of the Organization

    You can’t handle complex web development in a completely top-down fashion. Senior executives might be responsible for approving the project. But, don’t forget to allow middle managers, employees, and users to have some input. They all have different perspectives that can be valuable. Creating your website based on the needs of those who access it is the whole point. As a result, these insights may end up having the power to turn your project into a success or failure. With the participation of your users, you have a lot of great information to build on. Without them, how can you understand the ultimate purpose of your website?

    Be Involved in the Development Process

    Some new clients come to us with many assumptions. One of them is that we can work from start to finish with only a set of design concepts and a wish list. That would be nice. And flattering, even. But it never leads to happiness. That’s why a good web development team is going to dive into an extensive discovery phase. Every piece of information, forwards and backwards, is valuable.
     
    Web design projects, however, are evolving things. There is a clear path for the team to follow, but new discoveries will occur along the way. Ongoing decisions will pop up and the direction may change here and there. This means that consistent communication is key to the success of your project. Timely and insightful feedback will help your team stay on track with your vision. As a result, you’re going to be more pleased with the work they produce.

    Choose a Vendor Based on ROI

    There will be many proposals that come your way (you lucky duck). But, as tempting as it may be, you don’t want to choose the one that looks too good to be true. Because it is too good to be true. The lowest investment? The fastest delivery time? Can we all be honest with each other, here? And do these things really matter?
     
    Successful clients make their decisions based on different criteria. What matters to them is the return they expect to reap from the project. It’s more important to pay attention to results. Minor differences in your short-term budget do not have the same long-term effects. Expenses and deadlines matter, of course. But, not as much as the quality of work you’ll receive in return.

    Want to Make Sense of the Complex Web Development Process?

    At Atlantic BT, we’re not fans of bombarding clients with technical jargon and computer gobbledygook. We help our clients find real-world answers to the questions and challenges they face. If you’re considering building or overhauling a large website, there is a way to make it easier. Schedule a free consultation with our team. We’ll be happy to address the issues that are on your mind. Even better, we’ll give you some customized recommendations to move forward with. That’s how we roll.

     

  • Employing New Technology for an Innovative Health Clinic

    Atlantic BT is proud to announce a new partnership with Wake Forest Baptist Health and Allegacy Federal Credit Union for their joint endeavor, WellQ.


    WellQ is a first of its kind health clinic and credit union. The clinic provides on-site medical services for minor illnesses. It also provides financial planning and education. Other services offered for individuals include:

    • Wellness checks 
    • Health and financial workshops
    • Personal and medical budgeting tools
    • Monitoring of chronic conditions 

    This is just the beginning. Companies can also employ WellQ for employee use.  

    WFBH and Allegacy created WellQ to enhance the physical and financial health of its members. They saw a correlation between personal well-being and stress caused by both financial and health issues. And so, WFBH and Allegacy decided to combine forces to alleviate that type of anxiety. Allegacy President and CEO, Cathy J. Pace, says, “Healthcare expense can be one of the top costs for families and a WellQ membership can be a vital part of financial planning for those who need an affordable, convenient place to go for minor illnesses, as well as valuable financial education and planning assistance.” The WellQ project needed a team player who wouldn’t shy away from challenges and new ideas. Atlantic BT jumped on board.  

    Creating New Services From Scratch


    The partnership between the three companies had a positive and productive start. A well-communicated kick off session resulted in a strong vision for moving forward. Every step and goal was clear to all involved. The long term objectives of the WFBH/Allegacy team were inspiring. Atlantic BT began to develop software that would lay the groundwork for WellQ’s inaugural website. The aim was to create a strong foundation for the initial establishment of WellQ, as well as the big plans in store for the future. 

    Modern Technology For a Strong Future

    WellQ offered a particular and unique set of services. ABT utilized Angular and other new technology to provide the most up to date platform and site abilities. This custom healthcare software allows users to sign up for a membership. Then they can log in and manage their membership through a dashboard. All options and plans are kept and organized efficiently in one place. WellQ employees are also able to utilize the software to track clinic visits and member needs. JSON Web Tokens (JWT) are used to manage authenticated sessions: after a member logs in, the server issues a signed token, and each subsequent request is accepted only if the token’s signature verifies and it has not expired. That lets the server know which member it is talking to and detect a token whose claims have been altered; the personal health and financial records behind it are then protected by the access controls that the verified identity gates. Angular offers modern, clean code that allows the WellQ site to be more than a simple, static page. The site includes interactive, app-like features to enhance the UX. As ABT .NET Developer Dan Sweet says: 
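    The following Go program is an added illustration for this page, not WellQ’s or Atlantic BT’s code, of what that verification involves for an HMAC-SHA256 (HS256) signed JWT: it mints a token for a member, then rejects a token whose payload was edited after signing, one rewritten with “alg”:“none”, and one past its exp claim. The “member” claim, the member identifier and the signing key are assumptions for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url (RFC 7515)

// Claims uses the registered sub and exp names from RFC 7519 plus a
// hypothetical "member" flag standing in for an application-specific claim.
type Claims struct {
	Subject string `json:"sub"`
	Expiry  int64  `json:"exp"`
	Member  bool   `json:"member"`
}

func hs256(signingInput string, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// Mint returns header.payload.signature, with the signature computed over the
// first two segments exactly as they appear in the token.
func Mint(c Claims, key []byte) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	in := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	return in + "." + b64.EncodeToString(hs256(in, key)), nil
}

// Verify pins the algorithm to HS256 before touching the signature (so a token
// rewritten with "alg":"none" or another algorithm is refused), compares the
// MAC in constant time, and only then trusts the claims, including exp.
func Verify(token string, key []byte, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if hdrJSON, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "HS256" {
		return Claims{}, errors.New("unsupported or missing alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hs256(parts[0]+"."+parts[1], key)) {
		return Claims{}, errors.New("signature mismatch")
	}
	var c Claims
	payload, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return Claims{}, errors.New("malformed claims")
	}
	if c.Expiry == 0 || !now.Before(time.Unix(c.Expiry, 0)) {
		return Claims{}, errors.New("token expired or has no exp")
	}
	return c, nil
}

// TokenOutcome records the verification error for each scenario; nil means accepted.
type TokenOutcome struct{ Valid, Tampered, AlgNone, Expired error }

// DemoTokens mints a token for a member, then presents three tokens a server
// must refuse: an edited payload, an "alg":"none" rewrite, and an expired one.
func DemoTokens() (TokenOutcome, error) {
	key := []byte("constructed-demo-key-do-not-reuse") // assumed; use a random key in practice
	now := time.Now()
	exp := now.Add(time.Hour).Unix()
	tok, err := Mint(Claims{Subject: "member-42", Expiry: exp, Member: true}, key)
	if err != nil {
		return TokenOutcome{}, err
	}
	parts := strings.Split(tok, ".")
	edited, _ := json.Marshal(Claims{Subject: "member-42", Expiry: exp, Member: false})
	tampered := parts[0] + "." + b64.EncodeToString(edited) + "." + parts[2] // old signature kept
	noneHdr, _ := json.Marshal(map[string]string{"alg": "none", "typ": "JWT"})
	algNone := b64.EncodeToString(noneHdr) + "." + parts[1] + "." // no signature at all
	expired, _ := Mint(Claims{Subject: "member-42", Expiry: now.Add(-time.Minute).Unix(), Member: true}, key)
	var o TokenOutcome
	_, o.Valid = Verify(tok, key, now)
	_, o.Tampered = Verify(tampered, key, now)
	_, o.AlgNone = Verify(algNone, key, now)
	_, o.Expired = Verify(expired, key, now)
	return o, nil
}

func main() { fmt.Println(DemoTokens()) }
```

    The claims are decoded only after the MAC has been checked, so nothing in the payload influences what the server does until it is known to be authentic, and the algorithm is fixed by the verifier rather than read from the token.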

    “It’s a rare opportunity to develop a website for a brand new company. ABT worked in tandem with the physical building of the new office, bringing life to the idea both on- and offline. Being the first means less to emulate and an increased number of risks involved to see if this brand new idea would work. The WellQ process remained flexible for all teams on board to accommodate changes and adjusted needs as the project evolved. This flexibility allowed for stronger work to be produced in a supportive team environment.”

    WellQ – Powered by Dedication and Partnership

    The result was the building of something wholly original. Atlantic BT will continue to be on deck as WellQ grows. We will adapt the dashboard software to accommodate new services. Customer feedback inspires UX design and WellQ’s marketing presence. With ten production departments, ABT is uniquely situated to provide a wealth of knowledge across the internet spectrum. Daniel Hooks, Director of Project Management, said it best. “You have to care. That is part of the value that ABT provides. We’re personally invested in the success of every project we work on.”

    WFBH, Allegacy, and Atlantic BT are all dedicated to serving their communities. Providing opportunities for others to receive the care they need is important. Helping others be aware of how their health can affect their financial future (and vice versa) is empowering for all involved. ABT is proud to move forward with this partnership. We will continue to create exemplary work that strengthens clients and consumers alike.  

    Interested in partnering with Atlantic BT? Contact us here.