For healthcare startups with small security teams, it’s a constant battle to wrangle in and secure protected health information (PHI). Instead of going it alone, Will Butler and his tech ops team from Equip Health made data-centric security a company-wide effort for its fully remote teams.
In our latest webinar, Virtru’s Andrew Lynch sat down with Butler to learn more about Equip’s multi-layered approach to a security-first culture. Here’s what we learned.
Founded in 2019, Equip is a platform that offers virtual treatment for young people with eating disorders. It connects patients and their families with a team of specialized providers who help them recover in their own environment and routine.
Equip’s services are fully remote, and so is the entirety of the Equip team. This puts major responsibility on the entire organization to maintain HIPAA compliance in their digital communications. Sensitive PHI, often related to children, must remain secure at rest and en route to providers, schools, patients, insurance, Equip employees, and back.
“We want to make sure anytime clients see their data or transmission of their data, that we’re using secure methods to keep it safe,” said Will Butler, Director of Technical Operations at Equip. “We want patients to know we value their data and we’re not sharing it with anyone outside of who needs to see it to help them with their treatment. It's an important piece of what Equip is doing.”
Since its beginnings, Equip has had a handle on these communications. But as with every startup, major growth forced its Tech Ops department to scale its security strategy accordingly.
The Tech Ops team handles vendor management, in-house product support, and data security at all levels for Equip’s now 400 employees. It’s a lot to shoulder - but for Butler, the only way to succeed was to cultivate a culture of putting the safety of the data first. Here’s how he did it.
The Equip tech ops team makes a habit out of understanding the needs of departments that deal in PHI, so they can comprehensively deliver the tools, strategies, and processes required to meet HIPAA regulations and protect PHI.
“[Various departments] give us their functional needs,” said Butler. “Then we work on defining what their technical needs are, and making sure that we have all of these processes documented out so they’re efficient [and] they’re secure.”
While they can’t synthesize every detail, they do their best to get a high-level understanding of risks and pain points. That sometimes includes listening to feedback from other Equip employees, and applying it where necessary.
“If there is any wiggle room in our policies, we always do take that feedback and we try to make it as easy as possible for our users,” said Butler. “The easier it is to follow a policy or procedure, the more likely they are to be compliant.”
Easy is the keyword there. People have jobs to do after all, and for Butler, striking a balance between security and smooth workflows is an absolute must.
“Our number one priority is data security. But also we are serving patients and we are serving families. So we don't want to limit [employees’] ability to do their job and be successful in it.”
Butler and his team spearhead a robust security training program that includes a dedicated instructional team, comprehensive onboarding, frequent lunch-and-learns, annual training, and more. It’s important for him and his team to be completely accommodating, and address potential security threats before they occur.
Part of that accommodation means taking skill level and past experience into account, Lynch and Butler both agreed.
“Companies are made up of all different types of employees,” said Lynch. “Some can be very technical like developers, sometimes some can be less technical, perhaps maybe a salesperson. And when you're thinking about how you're going to develop a security strategy, that's obviously important to take into account.”
Butler and his team take that to heart, especially for “repeat offenders” who make multiple mistakes.
“If we do have a multiple-offender, it's more about training and education. I'm not trying to belittle any of our employees … I want to make sure that they feel comfortable in their workspace and Virtru, G-suite, and all the other things that we have in place. That's their workspace.”
The Equip Tech Ops department also champions an open-door policy for anyone needing to ask questions, receive help, or give feedback. When they roll out a new tool or process, Butler makes a point to meet with each department for a walk-through. Their goal is to make the “why” clearer on all aspects of their security strategy, to give a better understanding of the tools and methods, along with getting buy-in.
“We really want to make it very easy for people to understand why we're doing something,” said Butler. “We do attend a lot of team meetings right now and that does help us improve the receptiveness of our employees understanding our policies, and wanting to follow them to make [Tech Ops’] lives easier.”
Friction-filled processes and complex tools notoriously work against IT and tech teams. What works even less is when simple security isn’t made readily available to the entire team. When it came to finding an email encryption solution, the Equip Tech Ops team went with Virtru, which allowed them to deploy company-wide.
“At first, we were keeping our license count very low… Our Tech Ops team was constantly getting requests for an email encryption tool. So we wanted to look for something that was a little more organization-wide,” Butler said. “With Virtru I don't have to worry about tickets coming in of someone needing a license… It's kind of my insurance coverage that we have here. I can sleep at night knowing that Virtru is in control of our data security when it comes to email encryption.”
A major part of getting employees on board means weaving security into the fabric of their processes, and one way to do that is through integrations. Virtru, for example, integrates into Equip’s Google Suite and was a light lift for Tech Ops. This saved time and allowed a quick and smooth transition for the team.
“We gave them the Virtru app in their G-Suite so that they can quickly toggle on or off a message that whether or not needs to be secure. So we've given them multiple tools and made it really easy for them, and then educated them on when they need to use those tools.”
It’s not only the employees who need to use tools. It’s the clients, too. Butler uses Virtru and other simple security tools to elegantly and securely keep workflows moving, so clients can receive the services they need and trust that their data is protected along the way.
“Our customers have eating disorders, it's a very difficult time for these families. They're going through a battle and we're trying to give them all the support they need to get through that,” said Butler. “We don't want any technical impact in their journey with Equip.”
You can dive deeper into this conversation between Virtru and Equip by watching the full webinar on demand, where Butler and Lynch cover HIPAA, PHI breaches, and more.