
Q&A with Availity CISO Mike Green: Part 2

Availity’s unwavering commitment to security is backed by a comprehensive compliance program and a proactive approach to cyber-defense, threat detection, and mitigation, ensuring that we can both protect and respond quickly, even in the event of a failure or downtime. Part two of our Q&A series with Mike Green, Chief Information Security Officer at Availity, provides an overview of this overarching security posture, details why redundancy and resiliency are a central pillar of Availity’s strategy, and offers advice for healthcare organizations looking to strengthen their security protocols, mitigate risks, and proactively identify vulnerabilities before they are exploited. (Want to learn more? Read part one.)

Q: How would you describe Availity’s security posture?

A: At Availity, we are continually evaluating and integrating additional technologies to strengthen our defense-in-depth strategy. This approach means that we have multiple layers of security to identify and mitigate attacks or detect data exfiltration. To take this concept a step further, we incorporate multiple vendors at critical points to ensure robust protection and redundancy. For example, our endpoints are secured by two different solutions, providing two entirely separate Endpoint Detection and Response (EDR) systems. This dual approach is uncommon, as most companies typically rely on a single EDR solution—if they have one at all. The data from these systems is monitored by two distinct security operations teams: one managed by Mandiant and another by our in-house full-time security team.

Our multi-layered approach extends beyond endpoints to other critical areas, such as web and email filtering. For example, if a malicious email with a harmful link slips through, our email filtering should catch it. But if someone clicks on the link, deployed technologies add another layer of protection by analyzing outgoing traffic. This dual-layer system ensures comprehensive coverage for potential vulnerabilities.

Additionally, we use multiple third-party risk evaluation tools that actively monitor our network, systems, and security posture for potential threats—such as expired SSL certificates, improper HTTP headers, or compromised credentials appearing on the dark web. Initially, we had two organizations performing this monitoring; however, following the Change Healthcare incident, we added a third. Each organization employs different models and methodologies, providing a diverse and comprehensive assessment of our security landscape.

Q: How does Availity’s migration to a cloud-deployed model improve your infrastructure’s scalability and resilience? How do your geographically segmented data centers and cloud-based escrow models contribute to your disaster recovery strategy?

A: Availity’s migration to a cloud-deployed model has significantly enhanced our infrastructure’s scalability and resiliency by leveraging the principles of Infrastructure as Code (IaC). With IaC, provisioning new servers and resources is automated and managed through configuration files, rather than manually setting up physical servers. For instance, if we need a new server, we simply send a configuration file to AWS, and the server is built and deployed on-demand, fully configured and ready to use. This approach eliminates the need for physical hardware and reduces the time needed for provisioning and scaling, allowing us to recover quickly and efficiently.

Q: What are a few best practices you recommend?

A: Adopting the following best practices can help healthcare organizations significantly strengthen their security posture, mitigate risks associated with user access, and proactively identify vulnerabilities before they are exploited.

  • Effective User Management and Access Control: One of the most common challenges we see as a SaaS vendor is organizations with poor management of their user base. For example, when it comes to offboarding employees, organizations often fail to promptly remove access for ex-employees, which can create significant security risks. To mitigate this, we strongly recommend the adoption of Single Sign-On (SSO) solutions by organizations across the healthcare industry, just like what we have implemented at Availity. With SSO, users have a single set of login credentials for all company applications. This ensures that when an employee leaves and their primary account is deactivated, their access is automatically revoked across all systems and applications, reducing the risk of unauthorized access.
  • Comprehensive Internal and External Risk Assessment: While many companies already focus on managing third-party risk, they often overlook the need for a similar level of scrutiny for their internal systems. It is crucial to have a holistic view of your environment from an external perspective, just as you would for third-party vendors. Regularly utilizing third-party risk management tools to assess your own organization can help identify vulnerabilities that may not be apparent internally.
  • Annual In-Depth Red Team Assessments: We also highly recommend conducting thorough annual Red Team assessments or risk/breach simulations to identify potential security gaps. These assessments go beyond simple vulnerability scans or surface-level penetration tests. They involve skilled testers attempting to breach your environment using multiple tactics, techniques, and procedures (TTPs). This includes giving them limited initial access to see how far they can penetrate your systems—a scenario known as “assumed breach.” Such an approach helps organizations understand the extent of potential damage if an attacker were to bypass the first line of defense, and it provides invaluable insights into areas that need strengthening.

While no security program is foolproof, Availity’s security posture is built on a foundation of redundancy, proactive threat detection, and continuous improvement. By leveraging advanced technologies, multiple layers of defense, and geographically segmented infrastructure, Availity ensures both resilience and rapid recovery, safeguarding critical healthcare data and operations. To gain more insight on the topic, read the first installment of this Q&A series here.

About Availity’s CISO

As the Chief Information Security Officer at Availity, Mike leads the creation and implementation of robust security strategies and policies that align with Availity’s mission to facilitate secure and efficient healthcare data exchange. Recently, Mike played a pivotal role in developing proposed regulations presented to Congress, aimed at enhancing the cybersecurity posture of clearinghouses and strengthening the resilience of our healthcare infrastructure against cyberthreats. His efforts are instrumental in advancing national security measures and safeguarding sensitive healthcare data from emerging threats.

Mike Green

Chief Information Security Officer
