Interoperability in healthcare has become increasingly challenging and crucial as organizations continue to adopt new technologies and transfer data across a growing number of sources without a centralized method of communication.
Traditional methods to achieve this exchange and synthesis of health data are costly and time-consuming. Not all stakeholders collecting health data use the same methods of communication, vendors, and protocols—leaving some organizations completely unable to communicate with others, while others must pay per connection. Ensuring data is secure and meets regulatory requirements is another interoperability challenge, as some organizations may not be governed by the same regulations and standards as those with which they are communicating.
RosettaHealth is a healthcare technology company revolutionizing health data exchange through interoperability. Its SaaS-based data transport platform, HealthBus, normalizes and transports health events and records (EHRs) at scale across a variety of organizations such as hospitals, HIEs, and urgent and acute care systems. The platform allows for health data exchange over wide geographic areas at a fraction of the cost and effort of traditional methods.
The Electronic Healthcare Network Accreditation Commission (EHNAC) was established to develop standard criteria and accredit organizations that electronically exchange healthcare data, and it is one of the governing mechanisms RosettaHealth has to go through in order to operate its platform. Initially, RosettaHealth hosted its platform in an on-premises data center due to EHNAC requiring an on-site visit as part of its accreditation assessment. However, the RosettaHealth team moved to AWS in 2018 once the cloud platform began permitting these visits.
On AWS, the RosettaHealth team leverages services such as EC2, S3, and RDS, as well as Lambda. Because their customers need to be able to transport data through the HealthBus platform with zero downtime, every single day, capacity planning can be difficult. Implementing serverless through Lambda allows the team a high degree of scalability, so they no longer need to estimate server usage and can come up with solutions more tailored to their customers. Prior to using the AWS cloud, RosettaHealth was managing security and compliance on their own—but as the number of customers on their platform grew, they looked to bring in a partner. A team of seven individuals, most with backgrounds in IT, RosettaHealth needed to find a partner that could not only manage the security and compliance of their platform, but also augment their team from an AWS expertise and engineering standpoint. Shortly after hosting their platform on AWS, RosettaHealth began researching partners.
The RosettaHealth team was introduced to ClearDATA in 2018 at the Healthcare Information and Management Systems Society (HIMSS) Conference. ClearDATA stood out among other companies RosettaHealth researched in part due to their HITRUST certification. “By saying that we are in a HITRUST certified environment managed by ClearDATA, that gives our customers an extra warm and fuzzy,” says Kevin Puscas, RosettaHealth Chief Technology Officer. It is crucial for RosettaHealth to be able to prove the security of their environment to not only their customers, such as large HIEs, but also to their customers’ customers, such as acute and ambulatory care organizations, which are traditionally risk averse when it comes to transporting PHI.
RosettaHealth also values the healthcare expertise and familiarity with regulations outside of HIPAA that ClearDATA offers. According to Puscas, “ClearDATA was familiar with EHNAC and had helped other customers go through EHNAC audits, so being able to have a partner in that process was a tipping point for our team.” RosettaHealth uses the ClearDATA Comply™ Compliance Dashboard reports for their upcoming EHNAC audits, reducing the amount of time it would take to pull together the necessary evidence on their own.
Additionally, their team can focus on core strategic initiatives and innovating on their platform while Comply software enforces compliance through automation of technical controls mapped to HIPAA standards via automated safeguards. “ClearDATA is the force multiplier. We are saving money by not having to hire half a dozen AWS engineers, and we wouldn’t be able to run the business model that we currently run,” says Puscas.
EHNAC has aligned their accreditation with some requirements of HIPAA, including a yearly HIPAA Security Risk Assessment. RosettaHealth is in the middle of conducting a Security Risk Assessment (SRA) with ClearDATA, using ClearDATA Assess® software. The price of the SRA through Assess, their relationship with the ClearDATA team, and the ability to leverage Comply to complete the SRA all influenced their decision to conduct the SRA through ClearDATA.
RosettaHealth Impact & Future Plans
As RosettaHealth continues to grow and scale with the current size of their team, ensuring security of sensitive data becomes increasingly crucial to the operation of their business. Their team will continue to rely on ClearDATA for both security and compliance, as well as the AWS expertise needed in order to adopt more services and understand ways to better utilize those services.
Currently, the RosettaHealth platform is “headless” – meaning that most customers interact with the platform through API calls. One of RosettaHealth’s priorities for the near future is to move from a black box toward a more transparent platform that enables customers to do more within it, such as directly monitoring traffic flows and viewing route configurations. The team is exploring using services such as CloudWatch and Cognito to improve their customer experience, and it is crucial that the platform maintain tight security and compliance as customers gain more visibility into the platform and their data.
RosettaHealth also plans to go through their own HITRUST certification in the near future, as HITRUST has become increasingly necessary in their line of business. Their team plans to explore ClearDATA HITRUST Inheritance for controls covered through the inheritance program, to be able to achieve the certification in a timely manner.