by Jackson Mills
Trust is at the foundation of any successful Human Performance program. Athletes, warfighters, and public safety personnel must believe the people and systems in place are working in their best interests. High performance practitioners also rely on the integrity and availability of the data in their systems to do their jobs effectively.
When a security breach occurs, or the integrity of your data is compromised, trust can quickly erode. More importantly, people’s lives can be significantly impacted. Once private data is exposed, it can land in the hands of malicious actors who use this data for personal and financial gain. The consequences can be severe.
Due to the sensitive nature of personal information, it’s critical to take data privacy and security seriously when evaluating a Human Performance Platform (HPP) that will include your athlete management system (AMS) and/or electronic medical record (EMR) system. As the technology solution at the core of your program, your HPP must integrate security into its design, development, maintenance, and evolution from top to bottom.
While it may be tempting to let your IT team worry about security, as a leader in your organization, trust starts with you. Building a basic degree of “security literacy” is vitally important when developing a shortlist of HPP vendors. Not only does it signal to your team that their privacy matters to you, it also reduces the amount of due diligence IT will need to do when shortlisting an HPP vendor.
Below, we explore five key security factors for Human Performance leaders to consider when evaluating a Human Performance Platform.
Data privacy focuses on the use and management of personal data. Your Human Performance Platform, regardless of size, contains sensitive personal data on the people you serve and the practitioners using the system.
Your organization is responsible for the personally identifiable data stored in an HPP, such as physical health data, mental health data, emotional performance data and medical health records. Failure to handle this data correctly can damage your reputation, affect your financial position and operational activities, and can carry significant penalties from local and global governing bodies.
When evaluating an HPP vendor, data privacy should be at the top of the list. Here are some questions to ask a potential HPP vendor when assessing their commitment to privacy:
- Does the vendor strictly adhere to global data privacy standards? If so, you can have confidence they will likely meet your specific needs.
- Are they willing and able to accommodate additional data privacy requirements that might be unique to your organization, industry, or region?
- How does the vendor manage access to your data? Who can access the data, under what conditions, and how is that access logged and reviewed?
- Do they have a data processing agreement that outlines the specifics of the data being processed, including scope, purpose, and retention?
- Is privacy an integral part of their platform’s design process? Do they have a privacy impact assessment process to determine when changes affect privacy and security?
While there is overlap between data security and data privacy, data security primarily focuses on protecting data from malicious attacks and unauthorized access.
Think of data security as an onion. Your organization’s data sits at the center of the onion and each layer of the onion represents a separate security control: this is the Onion Model. It is how an HPP vendor achieves a “Defense-in-Depth” approach to security, in which no single control has to hold on its own for the data to stay protected.
Here are some questions to ask the HPP vendor about data security:
- Who is their cloud service provider? Your vendor should use an enterprise-grade, trusted, and reliable provider such as Amazon Web Services or Microsoft Azure.
- What are their Service Level Agreements (SLAs)? Look for a vendor that guarantees at least 99.9% uptime and a time to resolve of less than 4 hours.
- Do they have a Security Operations Center (SOC), and is it staffed 24x7?
- How do they handle logging and monitoring? Are security-relevant events (logins, data exports, permission changes) captured and reviewed?
- Do they keep backups of your data, and do they conduct disaster recovery exercises to prove those backups can actually be restored?
- Does the vendor conduct annual independent penetration tests?
- Does the vendor have an incident response process in place? How often is this tested?
- How is security integrated into the development lifecycle?
The numerous badges and endless acronyms designating various third-party security validations can be overwhelming, especially to non-IT professionals.
It’s important to note that some vendors prioritize a security badge over the actual effectiveness of their security operations. Commonly known as “badge collecting”, this approach is used to present a veneer of credibility and trustworthiness. But just because a vendor is certified does not mean they are secure.
With that said, certifications can be helpful when evaluating a vendor by providing a relatively reliable shortcut for Human Performance leaders. Certifications also reduce the amount of due diligence required to feel confident in a vendor’s security environment. The following certifications provide a higher level of comfort that a short-listed vendor won’t be laughed out of the room during IT’s review:
- ISO/IEC 27001 & ISO/IEC 27701 – these are the most rigorous global standards for Information Security Management Systems (ISMS) and Privacy Information Management Systems (PIMS) respectively, with 27701 building on a 27001 certification. These certifications are difficult to acquire and are good indicators that data security and data privacy are at the forefront of the vendor’s organization.
- Service Organization Controls Report (SOC) – not to be confused with a Security Operations Center. SOC 2 Type 1 assesses the design of an organization’s security controls at a point in time. SOC 2 Type 2 evaluates the effectiveness of those controls over time by testing their operation over a six-month period. While SOC 2 is mostly an American standard, it is now being accepted as best practice on a global scale. Ask your vendor whether they have a SOC 2 report and request a copy of the audit report itself, not just the badge.
Regardless of your organization’s size, you will directly benefit (often at no additional cost) by choosing a Human Performance Platform vendor with an enterprise-grade solution, even if you aren’t on their enterprise plan.
From a practical, operational perspective, it’s important to select an HPP that can scale with you as your needs grow and evolve. From a security perspective, selecting a vendor who can provide enterprise- or military-grade security tends to benefit even the smallest of customers. This is because data privacy and security, when done correctly, are baked into the core of the product – they are not typically an add-on that only larger plans receive.
Selecting a vendor with an enterprise solution and experience can also help streamline the sales, procurement, and implementation processes.
Here are some questions to ask the HPP vendor:
- What is the largest organization they’ve worked with and how many users do they have on the platform?
- Does the vendor have experience working with the military and navigating their security and procurement processes?
- Do they have local offices in your region and what type of roles are located there?
A company’s trustworthiness is just as important as a certification, SLA, report or agreement. From interacting with the vendor throughout the sales process, you’ll likely have a gut feel for this – but don’t stop there. Here are some things to consider when assessing the trustworthiness of an HPP vendor:
- How does security fit into the vendor’s overall values?
- Call references and ask how the vendor responded to any data breaches or security incidents. Were they transparent, responsive and proactive during the incident? Do the references feel their data is secure?
- What is your sense of the ethics of the company based on those you’ve interacted with? A quick Google search of the vendor can easily uncover news that reinforces their trustworthiness or raises a red flag.
- Do you believe the vendor is at least as interested in your success as in their own?
A Final Word on Security
Your priority as a Human Performance Director (or similar) is your athletes’, warfighters’, or first responders’ physical, mental, and emotional health. While it’s tempting to leave the data privacy and security questions to your IT team, we highly recommend you take a more active role.
Ultimately, security is about people. To have a positive impact on those we serve, we need them to trust us and the systems we use to do our jobs every day.