How Secure is your Contact Center System
By: Jake Johnson, Chief Information Officer, LVM Systems, Inc.
With the sophistication of the new age hacker, including nation-state hackers, and constant attacks trying to get patient data, how do you ensure your contact center systems are secure? Security is a shared responsibility between all parties providing software services for the contact center. Your organization must implement security controls for your local systems. It is also equally crucial that your vendor implements appropriate security controls for their organization to ensure the software and support you receive follow current security guidelines. If your vendor hosts your software services, there are additional security responsibilities your vendor should implement along with the cloud provider that hosts your system.
Your software vendors must have a robust security posture. Many healthcare facilities now require vendors to complete a thorough security assessment to gauge vendor security readiness. Vendors can also have third-party auditors complete security certifications that test and confirm the robustness of the vendor’s security controls. In addition to your vendor’s certification, the cloud provider that hosts your system must also be accredited.
LVM Systems has invested heavily into its security posture, above and beyond what most contact center solution providers do, including investing in a third-party security audit. LVM successfully completed a 2022 System and Organization Controls (SOC®) 2 Type 2 with HITRUST mappings examination. This audit affirms practices, policies, procedures, and operations meet the SOC 2 standards for security, availability, processing integrity, and confidentiality.
Completing the examination clearly indicates LVM Systems’ commitment to security and integrity as a healthcare contact center vendor. In addition, the examination assures the suitability of the design of LVM’s security controls. Many other contact center solution providers do not invest as heavily in security and may be putting your data at risk. Here are some examples of how LVM assists contact centers in security and how you can gauge your service provider.
Secure Software Development
Do developers of your contact center software have the experience, training, and certifications to ensure they are using development and security best practices? LVM Development teams are trained and obtain certifications in secure hosting methodologies, secure software development lifecycles, and secure coding principles.
Development processes include rigorous quality assurance (QA) reviews to ensure processing integrity within LVM’s software. LVM utilizes automated testing tools, manual test scripts, and data comparison tools to test all areas of code before release. QA also tests our systems with the latest operating system patches to ensure compatibility. In addition to internal testing, LVM contracts with a third-party security organization to perform penetration tests. These penetration tests utilize security experts who expose any flaws in the software by ethically trying to “hack” or break the software.
Many software vendors use third-party components and open-source code, which adds complexity for vendors to ensure code written by outside sources is also secure. Therefore, in addition to highly skilled developers, LVM also utilizes third-party security code analyzers to review not only LVM software code for vulnerabilities or coding flaws but also any third-party or open-source code. This testing ensures the products delivered to clients have undergone a rigorous security code review by both LVM developers and third-party security professionals.
If your vendor does not utilize third parties for penetration testing and code analysis, they may be putting their applications at risk.
Secure Employees and Processes
The most significant risk in any organization is its employees. Organizations must protect against weak passwords and malicious intent, and must secure employees against malicious websites and phishing emails that could lead to malware or ransomware attacks. Weak security can put the organization and its clients at risk. Many of the SOC/HITRUST controls test against these areas. In addition, many organizations create in-house policies and procedures based on their own experience. LVM did this too, but to strengthen and confirm them, LVM contracted with two different HIPAA/HITRUST consulting teams to ensure LVM’s policies and procedures are robust and meet industry standards.
LVM also has a security team that includes a security officer, a compliance officer, and an incident response team to ensure LVM is up to date with current security best practices and that LVM is complying with its security policies and procedures. In addition, this team performs annual risk assessments to evaluate every aspect of the organization for improvement opportunities and to ensure policies, procedures, and processes are followed, completed on time, and aligned with current regulatory requirements.
Before hiring, LVM performs background checks on all employees. Once hired, new employees must review and sign the LVM security agreement, ensuring employees maintain a high level of security integrity. In addition, before working with LVM systems or processes, new employees must receive mandatory security training. Each employee also receives quarterly security training to ensure they understand LVM security policies and procedures and are vigilant on any new security threats. The LVM security team and third-party security consultants have developed the training content.
Secure Infrastructure Controls
The vendor must ensure that client data is protected whenever the vendor comes in contact with it, whether it is an email screenshot or a report containing client data during a support incident, or data in a vendor-hosted application. Third-party tools and audits can give you confidence that your vendor is doing all it can to follow compliance regulations. Without third-party confirmation, your vendor may inadvertently expose your data. If your vendor hosts your applications, it must use a trusted cloud provider. Most vendors use a secure cloud provider and may feel that the cloud provider’s audits and certifications are sufficient. However, this is false. Under the “shared responsibility” model, a cloud provider is only partly responsible for the system’s security. The cloud provider ensures the facilities and equipment are secure, but it is up to the vendor to ensure the data and applications are secure. For example, if the vendor implements a weak login method, it is the vendor’s compliance that comes into question, not the data center’s. Consequently, vendors must obtain their own security audits in addition to the ones offered by the cloud provider.
For hosted solutions, LVM utilizes Microsoft Azure as the preferred cloud provider. Microsoft Azure has a security team of over 3500 members, over 90 security certifications, and has invested over $1 billion in security R&D to ensure client systems and data are protected. Encryption standards are implemented to ensure all data in transit and at rest is secure, including disk encryption, database encryption, and encryption in transit. LVM follows Microsoft Azure’s compliance blueprint to ensure resources are configured according to best practices under the shared responsibility model. Microsoft Azure also provides robust disaster recovery and redundancy options for high availability. Rather than relying on Microsoft Azure alone for compliance, LVM felt it had a duty to the industry to also complete a third-party audit confirming compliance.
LVM performs penetration testing and vulnerability scans, and monitors for network anomalies through a security information and event management (SIEM) system. System monitoring confirms that systems are running smoothly, and when an anomaly is detected the appropriate LVM staff are notified. These tools are essential in any hosted environment and on the vendor’s local resources, to protect both the vendor’s own resources and the hosted resources from nefarious activity. Hosted facilities typically offer disaster recovery options, but disaster recovery is also essential for the vendor’s local resources so that the vendor can continue to provide uninterrupted service to clients, whether vendor-hosted or self-hosted. Another vital protection mechanism is encryption. Are all disks that could receive client data encrypted, including the employee workstations that may receive an email screenshot from a client? Is data encrypted at rest and in transit? LVM utilizes SQL Server Transparent Data Encryption (TDE) to encrypt data at rest, BitLocker for local employee machines, and TLS 1.2 encryption for data in transit.
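The three encryption questions above are ones you can answer for your own Windows hosts rather than take on trust. The script below is an added example written for this article, not LVM’s tooling: it reports BitLocker protection on fixed drives, reads the SCHANNEL registry keys that govern whether TLS 1.2 is enabled (and whether TLS 1.0/1.1 are disabled) for the server side, and lists SQL Server databases whose TDE state is not “encrypted”. It assumes local administrator rights, the BitLocker and SqlServer PowerShell modules, and a SQL instance name supplied in the $SqlInstance parameter (placeholder default).

```powershell
param(
    # Placeholder instance name; pass your own, e.g. "SQLHOST\INSTANCE"
    [string]$SqlInstance = "localhost"
)

$findings = @()

# 1. Data at rest on the host: every fixed drive should have BitLocker protection On.
Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' -or $_.VolumeType -eq 'Data' } | ForEach-Object {
    if ($_.ProtectionStatus -ne 'On') {
        $findings += "BitLocker protection is $($_.ProtectionStatus) on $($_.MountPoint) (status: $($_.VolumeStatus))"
    }
}

# 2. Data in transit: SCHANNEL protocol settings for the server role.
# A missing key means the OS default applies (TLS 1.2 is enabled by default on
# supported Windows Server versions), so only an explicit disable is a finding.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
function Get-ProtocolSetting([string]$proto) {
    $key = Join-Path $schannel "$proto\Server"
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key
        return [pscustomobject]@{ Protocol = $proto; Enabled = $p.Enabled; DisabledByDefault = $p.DisabledByDefault; Explicit = $true }
    }
    return [pscustomobject]@{ Protocol = $proto; Enabled = $null; DisabledByDefault = $null; Explicit = $false }
}

$tls12 = Get-ProtocolSetting 'TLS 1.2'
if ($tls12.Explicit -and $tls12.Enabled -eq 0) {
    $findings += 'TLS 1.2 is explicitly disabled for the server role'
}
foreach ($legacy in 'TLS 1.0', 'TLS 1.1') {
    $s = Get-ProtocolSetting $legacy
    # Legacy protocols are only safely off when explicitly disabled.
    if (-not ($s.Explicit -and $s.Enabled -eq 0)) {
        $findings += "$legacy is not explicitly disabled for the server role"
    }
}

# 3. Data at rest in SQL Server: encryption_state 3 means TDE is fully enabled.
# User databases with no row in sys.dm_database_encryption_keys have no TDE at all.
$tdeQuery = @"
SELECT d.name,
       ISNULL(k.encryption_state, 0) AS encryption_state,
       k.key_algorithm,
       k.key_length
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k ON d.database_id = k.database_id
WHERE d.database_id > 4
  AND (k.encryption_state IS NULL OR k.encryption_state <> 3);
"@
try {
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $tdeQuery | ForEach-Object {
        $findings += "Database '$($_.name)' is not TDE-encrypted (encryption_state $($_.encryption_state))"
    }
} catch {
    $findings += "Could not query TDE state on ${SqlInstance}: $($_.Exception.Message)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No encryption findings: BitLocker on, TLS 1.2 available, legacy TLS off, all user databases TDE-encrypted.'
} else {
    Write-Output 'Encryption findings:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it on each server and workstation in scope; an empty findings list is the evidence you would ask a vendor to produce for the same three questions. Note that the SCHANNEL check covers only the operating system TLS stack; applications that ship their own TLS library need to be checked separately.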
The controls discussed above are in no way a comprehensive list but are an excellent beginning to explain some of the best practices for securing a call center system.
LVM has created a robust security posture by capitalizing on resources from third-party HIPAA/HITRUST consultants, third-party code scanning tools, and third-party auditors, including a complete SOC 2 Type 2 with HITRUST mappings security audit, third-party vulnerability scanning, and penetration testing. With these controls, LVM has invested heavily in securing client data and infrastructure. So the question is: do you simply trust your own controls and your vendor’s controls, or do you confirm those security controls with third-party tools and auditors? If your answer is no, it’s time you consider LVM Systems.