
Q&A with Availity CISO Mike Green: Part 2

Availity’s unwavering commitment to security is backed by a comprehensive compliance program. This proactive approach to cyber-defense, threat detection, and mitigation ensures that we both protect and respond quickly, even in the event of a failure or downtime. Part two of our Q&A series with Mike Green, Chief Information Security Officer at Availity, provides an overview of this overarching security posture, details why redundancy and resiliency are a central pillar of Availity’s strategy, and offers advice for healthcare organizations looking to strengthen their security protocols, mitigate risks, and proactively identify vulnerabilities before they are exploited. (Want to learn more? Read part one.)

Q: How would you describe Availity’s security posture?

A: At Availity, we are continually evaluating and integrating additional technologies to strengthen our defense-in-depth strategy. This approach means that we have multiple layers of security to identify and mitigate attacks or detect data exfiltration. To take this concept a step further, we incorporate multiple vendors to ensure robust protection. For example, our endpoints are secured by two different solutions, providing two entirely separate Endpoint Detection and Response (EDR) systems. This dual approach is uncommon, as most companies typically rely on a single EDR solution—if they have one at all. The teams of two distinct security operations, one managed by Mandiant and another by our in-house full-time security team, monitor the data from these systems.

Our multi-layered approach extends to other critical areas, such as web and email filtering. For example, if a malicious email slips through, filtering should catch it. But if someone clicks on the link, deployed technologies add another layer of protection by analyzing outgoing traffic. This dual-layer system ensures comprehensive coverage for potential vulnerabilities.

Additionally, we use multiple third-party risk evaluation tools that actively monitor our network, systems, and security posture for potential threats. This includes such items as expired SSL certificates, improper HTTP headers, or compromised credentials appearing on the dark web. Initially, we had two organizations performing this monitoring; however, following the Change Healthcare incident, we added a third. Each organization’s different models and methodologies provide a diverse and comprehensive assessment of our security landscape.

Q: How does Availity’s migration to a cloud-deployed model improve your infrastructure’s scalability and resilience? How do your data centers and cloud-based escrow models contribute to your disaster recovery strategy?

A: Availity’s migration to a cloud-deployed model significantly enhanced our infrastructure’s scalability and resiliency. By leveraging the principles of Infrastructure as Code (IaC), we automate and manage the provisioning of new servers and resources through configuration files instead of physical servers. For instance, if we need a new server, we simply send a configuration file to AWS, and AWS builds and deploys the server on demand. This approach eliminates the need for physical hardware and reduces the time needed for provisioning and scaling, allowing us to recover quickly and efficiently.

Q: What are a few best practices you recommend?

A: Adopting the following best practices can help strengthen security posture, mitigate risks associated with user access, and proactively identify vulnerabilities before they are exploited.

  • Effective User Management and Access Control: One of the most common challenges as a SaaS vendor is organizations with poor user base management. For example, organizations often fail to promptly remove access for ex-employees, which can create significant security risks. To mitigate this, we strongly recommend the adoption of Single Sign-On (SSO) solutions. With SSO, users have a single set of login credentials for all company applications. This ensures that when an employee leaves and their primary account is deactivated, their access is automatically revoked across all systems and applications, reducing the risk of unauthorized access.
  • Comprehensive Internal and External Risk Assessment: While many companies focus on managing third-party risk, they often overlook the need for scrutiny of their internal systems. It is crucial to have a holistic view of your environment from an external perspective. Regularly utilizing third-party risk management tools to assess your own organization can help identify vulnerabilities that may not be obvious.
  • Annual In-Depth Red Team Assessments: Be sure to conduct breach simulations to identify potential security gaps. These assessments go beyond simple vulnerability scans or surface-level penetration tests. They involve skilled testers attempting to breach your environment using multiple tactics, techniques, and procedures (TTPs). This includes limited initial access to see how far they can penetrate systems—a scenario known as “assumed breach.” This approach helps organizations understand the extent of potential damage if attackers were to bypass the first line of defense.

No security program is foolproof. However, Availity’s security posture is built on a foundation of redundancy, proactive threat detection, and continuous improvement. The best practice is to leverage advanced technologies, multiple layers of defense, and geographically segmented infrastructure. This ensures both resilience and rapid recovery, safeguarding critical healthcare data and operations. To gain more insight on the topic, read the first installment of this Q&A series here.

About Availity’s CISO

As the Chief Information Security Officer at Availity, Mike leads robust security strategies and policies that align with Availity’s mission to facilitate secure and efficient healthcare data exchange. Recently, Mike played a pivotal role in developing proposed regulations presented to Congress, aimed at enhancing the cybersecurity posture of clearinghouses and strengthening the resilience of our healthcare infrastructure against cyberthreats. His efforts are instrumental in advancing national security measures and safeguarding sensitive healthcare data from emerging threats.

Mike Green

Chief Information Security Officer
