The pMD Blog


We’re Serious About Security. But, You No Longer Have To Take Our Word For It.

In the health care landscape these days, security and data protection concerns are as common as thermometers and stethoscopes. As a health care technology company, data protection can’t just be on our “to do” list. It has to be in our company DNA. If it wasn’t, we’d never close a deal, and our potential clients - medical practices of all sizes - would run screaming in the opposite direction. And, we wouldn’t blame them!

At pMD, security has always been at the core of what we do. In fact, our original infrastructure was predicated on the highest security standards established at the time - those of the financial industry. In our daily work lives, we understand the privilege of handling a person’s Protected Health Information (PHI) and demand a high level of respect and care from every team member. I often find myself hypothesizing, “What if this were my mother’s health information? How would I want it to be handled?” So, when a large potential customer asked us to perform an annual third-party audit by an AICPA-accredited firm, I gave an enthusiastic “yes!” To be completely honest, I had no idea what an audit really entailed. But, I knew doing so meant an unbiased third party would come in and gut check each of our decisions, while considering our specific business, goals, and culture. Yes, please!

So, here we are, almost two years after that initial audit request, with our first audit successfully completed, and our second one not far in the distance. What did we learn? Well, in a word ... lots. But here are a few big takeaways.

Audit standards vary.

Not all audits are the same, and the differences are largely driven by the standards used by the auditors. One of the most common groups of standards is the SOC standards. A SOC report provides an analysis of a service organization’s internal controls so that users can better understand the risks associated with sharing sensitive information with this external organization. There are three SOC reports - SOC 1, SOC 2 and SOC 3. Each one makes sense for different industries and company types. Then, within the reports themselves, there are different criteria. For example, within a SOC 2 report, there are criteria related to security, availability, processing integrity, confidentiality and privacy. At pMD, security was our top priority, and a SOC 2 audit made the most sense. So, we started with a SOC 2 covering the Security Trust Services Criteria, and will consider folding in new subject areas as we move forward.

There are also two different types of SOC reports, Type 1 and Type 2. That means a company could complete a Type 1 or Type 2 SOC 1, SOC 2, or SOC 3 audit. A Type 1 report assesses controls as of a point in time, whereas a Type 2 report assesses controls over a period of time, usually six to twelve months. For our first audit, we decided to complete a Type 1 and will build that effort into a Type 2 for our second audit.

In planning our audit, we also knew how important HIPAA compliance is to each and every one of our users. So, we also completed a HIPAA audit, where our auditor used the HIPAA requirements to assess whether our security controls are adequate to meet our HIPAA obligations. Knowing that security and HIPAA would be of the utmost importance to our customers, we prioritized both those sets of standards and hope to expand them in the future.

Be open, be honest, be organized.

In the months leading up to our audit, our team had quite a case of the jitters. It felt like someone was coming into our home, looking for dirt as they wiped their finger along each of our shelves. We knew we wanted the auditors to have a full view of what we were doing, but we were still nervous that our processes weren’t “good enough.” We handled these nerves by ensuring that we were as prepared as possible before our auditors arrived onsite, sending them all requested information well before they arrived at our office. We also made the conscious decision that this audit would only be helpful if we were up front and open about what our security processes really are. So, we were open and honest with our auditors, which brings me to our next point…

Let your auditors be collaborators.

Of course, an auditor inherently has to be objective and can’t advise a company on how to meet its security standards. But, at the same time, auditors have a wealth of experience and knowledge, and have seen hundreds of companies’ security configurations. So, if you’re working with a good audit firm, they’ll point out areas in which you could improve, and then offer various ways they’ve seen this security control addressed, including industry best practices. Auditors can offer invaluable insights, and this perspective really helped pMD maximize the value we received from completing our audit.

There’s no silver bullet.

Of course, completing an audit doesn’t mean that a company will never have a security problem - though I certainly wish it did! But what it does mean is that you can sleep better at night knowing that an objective third party finds your security systems reasonable. And, from a customer standpoint, it means you don’t have to simply trust us when we tell you that we prioritize your data’s security. The proof is in the pudding - the audit reports not only clearly outline our security protocols but, more importantly, the audit indicates a culture of security awareness. It’s proof that pMD is willing to invest a great deal of time and money to ensure that our security protocols are up to par. And that means that when you engage with pMD - a responsibility we don’t take lightly - you can sleep better at night, too.

To find out more about pMD's suite of products, which includes our MIPS registry, charge capture, secure messaging, clinical communication, care navigation, and clinically integrated network software and services, please contact pMD.
