One of the main advantages of using Managed Services, is that the complexity of managing systems is absorbed by the Cloud Service Partner providing the service. Providers have a well-documented responsibility to manage their patients and customers privacy and data, however, so there is a need to ensure that all parties have a broad understanding of those managed complexities. In this blog, we will explore a number of the security and privacy principles and techniques that Orion Health’s latest offering, Rhapsody as a Service (RaaS), utilises.

Industry Leading Cloud Hosting

When a new customer chooses Orion Health’s RaaS, an account is created in Amazon Web Services (AWS) and everything is deployed within that, in the closest region. The requisite operating system (OS) is installed and hardened using the STIG model to ensure that no vulnerabilities are exposed at an OS level. This enforces the most obvious security measures, as well as many important rules around networking, running processes, OS module versions, etc. 

100% Hands-Off Approach For Extra PHI Security

To create an optimal environment for data protection, Orion Health takes a hands-off approach to DevOps. Orion Health Engineers do not have physical or logical access to customers’ infrastructure and use industry-leading automation to manage the system. The engineers develop, test, and productionise the software behind the automation, and use it for provisioning, support and maintenance. This enables Orion Health to reduce the cost of support and maintenance, and enables scalability while removing the risk of accessing PHI/PII Data. 

All of the processes and tools used in the automation are independently audited and have an appropriate Authentication/Authorisation system with MFA and expiring sessions that ensures each Site Reliability Engineer has the minimum necessary permissions to perform their function. These services have been built to meet HIPAA and GDPR requirements. Each customer environment is isolated from the Cloud Provider Account so that everything that is dedicated to a customer is entirely isolated.

Inbound and outbound connections to the public internet within RaaS are also tightly controlled, allowing access only where it is strictly necessary and thoroughly justified i.e. security repositories to keep the OS secured and updated. Additionally, a virtual private network (VPN) is dedicated to each customer, with all external and internal network connections encrypted.

24/7 Security Operations Centre (SOC)

Orion Health SOC monitors RaaS 24/7 using a set of tools, processes, and team members who run intrusion detection, file access prevention, and other security related activities. The team is responsible for auditing the normal operation of RaaS and providing consultancy and guidance to ensure Orion Health’s security and compliance services remain at a world class level. The Security and Compliance Department is trained in the technical skills required to perform such tasks. They are experts in compliance with all the Health Industry Security Standards (HIPAA and GDPR) and are responsible for Orion Health’s HITRUST certification. 

Self-Healing AI

The system’s monitoring component focuses on performance and stability, and continuously monitors the RaaS services provided to all customers. To further optimise the system, AI has been developed to monitor the metrics that are also available to users as dashboards. Automated systems are now more predictable, better protected and isolated, and able to react quicker than humans. The AI solution has the capacity to get to the root cause of a problem when it happens to instantly apply corrective actions. This reduces the need for manual intervention and removes opportunities for human error, accidental data exposure, etc. while reducing the mean time to recover, improving Orion Health’s availability and reducing human resource costs. So when an incident happens, the monitoring system discovers the issue, identifies the root cause, and then promptly fixes it.

Only when the AI cannot identify the cause, doesn’t have a solution, or the expected solution didn’t work; will it escalate the alert to a human engineer from Orion Health’s 24/7/365 on-call team who can fix the issue via automation – instead of hands-on intervention.

A State-Of-The-Art Platform

Orion Health has built a state-of-the-art platform to provide Rhapsody as a Service to their customers. The result is a system with the highest levels of quality, security and performance. Rhapsody Engines have an availability of 99.5% and the availability for the Data Store is 99.75% with a mean time to repair of less than 10 minutes for most failures.

Backups of the configuration are taken daily, encrypted and stored in a separated geographical location for safety, recovery, audit and forensic purposes and can be used to roll-back configuration changes if needed. Orion Health can add new engines to the customer environment in a matter of hours without interruption of the service and they can be scaled up (scaling the same engine with more CPU and/or Memory) with a very brief outage (<10m).

Rhapsody as a Service has been designed with Security and Privacy in mind, following HIPAA and GDPR standards and undergoing a HITRUST certification. Automation has been used to further increase security, improve quality of service and reduce at-the-forefront costs.

Orion Health continues to utilise world class standards and practices while surpassing market expectations with features like the exclusive “Hands-Off” DevOps tooling and automated incident resolution system.