Senior Manager
iRCM, Inc.
iRCM, Inc.’s Senior Compliance Manager knows a thing or two about keeping healthcare data safe and sound. With nearly a decade of compliance experience at iRCM, a powerhouse in healthcare revenue cycle management, he's seen firsthand the critical importance of airtight security measures.
In our candid conversation, the manager pulled back the curtain on iRCM's journey to fortify their data defenses. He revealed how partnering with Virtru has been a game-changer, unlocking three key benefits that have revolutionized the way iRCM handles sensitive information. Let's dive in and discover the secrets to their success.
In healthcare, protecting sensitive patient information is not just a legal obligation—it's a sacred trust. iRCM sends a massive amount of sensitive emails and files internally and externally; information like patient names, insurance information, diagnosis information, medical charts, etc. is needed in various business units to maintain operations.
With a long history in the healthcare industry and expertise in HIPAA compliance, iRCM’s manager had a clear understanding of security needs relating to this data exchange. iRCM used SendSafely and protected Dropboxes to share encrypted information securely; but the COVID-19 pandemic unveiled a key aspect of security they were missing: efficiency.
“There are no days off for healthcare workers. There are no days off for us,” said the manager. “We had to put on our A game, and deal with the increased volume we were dealing with for the healthcare providers.”
SendSafely proved to be cumbersome for iRCM employees, and incompatible with their clients. Users often had data restrictions due to their huge volume of communication. They’d often reach send limits and were forced to restart, or wait 24 hours to reset.
“Try to test SendSafely on an iPhone. It gives you a lot of trouble. Not only do you have to go through holes and hoops for SendSafely itself, but there are certain securities you must change in your phone setup, which is troublesome,” explained the manager. “I understand some of these healthcare providers are not tech savvy, so they’re very reluctant to change the settings, especially for mobile devices which can impact their day-to-day communications.”
They meticulously evaluated a spectrum of options, including ProtonMail, Hushmail, and Cloudflare, but Virtru emerged as the clear frontrunner with its tailored solution and seamless integration with Google Workspace.
HIPAA compliance is always at the top of the list for iRCM’s compliance team when choosing an encrypted data-sharing solution. Coming in at a close second was ease of use. After the switch to Virtru, the improvement was clear.
He highlights, “Having a solution which can incorporate in your day-to-day emailing, and day-to-day file sharing process flow is really helpful and, to be honest, one of the most efficient approaches in taking your communication toward a more HIPAA compliant and secure manner.”
iRCM uses Virtru for Gmail to communicate internally and externally when employees need to send sensitive PHI outside of its perimeter, to providers or insurance companies. In one click, an iRCM employee can protect an email containing PHI with military-grade encryption. Admins like it because the central dashboard to monitor Virtru communications is simple and easy to navigate – a win-win for everyone.
“[Previous] workarounds were really costly in terms of time and resources. On a daily basis, you had to go through thousands of emails,” he explained. “Now an employee cannot use any excuse [to not encrypt].”
With Virtru, the external collaborators face much less friction when opening a communication from iRCM, some even offering to switch to Virtru because of the positive user experience.
Before Secure Share, iRCM attempted to use secure workarounds like sharing through Dropboxes or other cumbersome secure links. This was an issue especially when it came to sharing externally - and given their massive volume of day-to-day file sharing, it proved to be more trouble than it was worth.
“We used to use a Dropbox as a two-way platform in terms of sharing data in a secure manner. But it was never user friendly or compatible with our clients. When we were communicating across different organizations, that always presented a little bit of difficulty.”
Now, iRCM also uses Secure Share, primarily to send sensitive patient reports to providers - and the test of time has proven positive. With a simple secure link, clients can authenticate using their existing credentials and access the files that they need. iRCM employees can have eyes on that data at all times, knowing when something has been accessed, and having control over download capabilities.
By embracing Virtru, the company has taken a leap toward ensuring HIPAA compliance and secure data sharing. The manager emphasizes, "The step towards Virtru – especially having all of our employees covered under secure and HIPAA-compliant data sharing – was a necessary step."
The company is also setting its sights on additional certifications such as ISO, ISM, and HITRUST, further showcasing its dedication to compliance and data security.
Zero Trust security focuses appropriately on perimeter “defense” against hackers. But as we’re learning with a slew of public data breaches (like Microsoft or Change Healthcare), many practitioners overlook the need for “offensive” data-centric controls to maintain privacy and ownership when sharing data externally with partners.
iRCM recognizes this imbalance in the industry too, which is why they’ve taken a proactive stance on data security – exemplifying what we call “playing offense.” The manager ensures that all employees at iRCM are covered with a Virtru license to make sure that every piece of data is protected in every instance. He even extends domains to partners that communicate with iRCM the most.
“Having all of our employees covered under secure and HIPAA-compliant data sharing was necessary. If someone thinks they can stay safe and still avoid breaches (without HIPAA-compliant communications), even if it is an internal communication, it is not compliant. Whether it is an internal or external email… if it contains PHI and is not protected, it can be cause for a breach.”
Through their strategic partnership with Virtru, iRCM has demonstrated their unwavering commitment to fortifying sensitive patient information while streamlining their daily operations. As more organizations follow in their footsteps, the healthcare industry can collectively spearhead impenetrable defense against data breaches and preserve the sacred trust of the patients they serve.