Application Integration – An Anxiety Story

Note: The following scenario happens more often than you think.  I recently had two companies engage me because they were both stuck in eerily similar situations.

Your project team decided that you need a mobile app for end users to better engage with your core healthcare offering.  After all, nobody wants to log into a portal any more, right?  So you did all the right things.  You spoke with all the key stakeholders, outlined the app functionality, engaged a UX designer, and the project is well underway.  The wireframes look great, and an early Proof of Concept demonstration has your executive team all excited.

But as the team starts to work on some of the ancillary functions, someone inevitably hits upon the big “Uh-oh.”  You all forgot to take into account that the integrated messaging transports Protected Health Information (PHI), which is regulated under HIPAA and has to stay encrypted end-to-end, not just on the first hop.  For discussion’s sake, “messaging” here isn’t referring to texting or other functions you can get from services like Twilio; I’m talking about the ways end users contact customer service, receive notifications, transfer files and exchange email, all of which have to comply with the HIPAA Privacy and Security Rules.

You had planned on just relaying the end users’ email and messages in the clear.  Why not?  They already authenticated when they logged in.  Isn’t that secure enough?  Umm… no, it’s not.  Authentication only establishes who sent the message; it says nothing about who can read it after your backend forwards it.  Most developers focus their security attention on their core platform and application integration.  That’s good.  But TLS between the app and your API protects only that first hop.  When health data leaves your app for the next hop (an email gateway, a ticketing system, a file transfer service), it lands in plaintext in someone else’s queues, logs and databases, and that is where it’s vulnerable and, more often than not, out of compliance.
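The point above, that the login proves who the sender is but protects nothing once the message is handed to the next hop, as an added example.  This is not code from the original post, and it is not a description of how DataMotion works (the post does not say how).  It assumes a symmetric AES-256 key shared only between the mobile app and the support rep’s decrypting endpoint (key provisioning is out of scope), and it models the help-desk platform as a relay that logs whatever it receives.  The sample patient message, ticket IDs and key are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Envelope is what the help-desk platform (the "next hop") receives and stores.
// It can route on TicketID; Body is AES-GCM ciphertext it cannot read.
type Envelope struct {
	TicketID string
	Nonce    []byte
	Body     []byte
}

// Seal encrypts one PHI message under a key shared only between the mobile app
// and the support rep's decrypting endpoint; the relay never holds the key
// (assumption: how that key is provisioned is out of scope). TicketID is bound
// as additional authenticated data so a body cannot be silently moved to
// another ticket by anyone in the middle.
func Seal(key []byte, ticketID, message string) (Envelope, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	body := gcm.Seal(nil, nonce, []byte(message), []byte(ticketID))
	return Envelope{TicketID: ticketID, Nonce: nonce, Body: body}, nil
}

// Open decrypts at the rep's end; a modified body, nonce or ticket ID fails
// authentication and returns an error rather than garbage.
func Open(key []byte, env Envelope) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Body, []byte(env.TicketID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// RelayClear models the original plan: the backend forwards the message as
// received, so the platform's logs, search index and database hold the PHI.
func RelayClear(ticketID, message string) string {
	return fmt.Sprintf("ticket=%s body=%s", ticketID, message)
}

// RelaySealed models the same log line when only the envelope is forwarded.
func RelaySealed(env Envelope) string {
	return fmt.Sprintf("ticket=%s body=%s", env.TicketID,
		base64.StdEncoding.EncodeToString(env.Body))
}

// Exposed is the check a compliance reviewer runs against whatever the
// intermediary stored: does any known PHI string appear in it?
func Exposed(stored string, phi []string) bool {
	for _, term := range phi {
		if strings.Contains(stored, term) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample data: not a real patient; the key is a placeholder.
	key := []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	msg := "Patient Jane Doe, MRN 44817: refill request for lisinopril 10mg"
	phi := []string{"Jane Doe", "MRN 44817", "lisinopril 10mg"}

	fmt.Println("clear relay exposes PHI:", Exposed(RelayClear("T-1001", msg), phi))
	env, err := Seal(key, "T-1001", msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("sealed relay exposes PHI:", Exposed(RelaySealed(env), phi))
	out, err := Open(key, env)
	fmt.Println("rep reads:", out, err)
	env.TicketID = "T-1002" // the relay (or an attacker) reassigns the ticket
	_, err = Open(key, env)
	fmt.Println("tampered envelope rejected:", err != nil)
}
```

The relay still gets a ticket ID to route on, which is all a help desk needs from the transport; everything a reviewer would recognise as PHI travels only as ciphertext, and anything that changes the envelope in transit, including re-attaching the body to another ticket, fails the authentication tag at the rep’s end.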

Soon, “that sinking feeling” zaps all the energy out of the project.  And now the problems are multiplying.  The slick new cloud-based help desk platform – the one that is going to manage all of the incoming messages from the app to your support reps – the one that the company just shelled out $300K on to support the new app users – the one you advocated for – yeah, that one – well, you can’t use it now, because there’s no way to encrypt the PHI in the messages being sent from the app to the platform and back again.

Time to think of alternatives.  1) Pout for another week over the fact that a minor detail that isn’t really your fault is stealing all the momentum from your project.  Wait – you’re already doing that and it’s not helping.  Gotta think harder.  2) Call an outsourced overseas dev shop to code a workaround.  Their estimate is around $100K and a four-month delay.  That won’t work.  3) Go live with the project and hope no one notices, or that you don’t get selected for a HIPAA audit.  Can you say “career-ending move”?

Just when you think the project is doomed, you hear about a godsend of a solution, DataMotion, which automatically brings messages containing PHI and other sensitive information into compliance.  It’s cloud-based, affordable, and proven easy to integrate.

You’re thinking that it can’t be that easy, so you hand it off to the development team to test it out.  Guess what: in just 15 hours they built a fully functioning proof of concept that handles application integration using RESTful APIs on one half of the workflow and connects to the new help desk platform on the other.  Your Security and Compliance teams check it out (the thing they are looking for is that the help desk platform only ever stores and logs ciphertext, and that decryption keys never pass through it), and the PHI message flow is indeed encrypted and HIPAA-compliant round trip from the customer to the service rep and back again.  Hope invades despair, and awesomeness is back on today’s menu.

Final note: If this reads like a product endorsement, well, it unapologetically is.  DataMotion has literally rescued projects that were stuck or in danger of tanking, and the project leads couldn’t believe how easy it was to integrate.  We’re proud of that, and happy to tell these stories.
