The Blog

Database Replication - Business Above IT
We have a customer that is growing very fast in the Healthcare space. Two years ago their Member database was around 200,000 members. After 2020 Annual Enrollment Period settled, they are now over 5 million members. This growth is a very good problem to have.

One of the features of Vy Healthcare CRM™ is something called "IntelliSearch." This feature enables a quick and easy ability to find members when names are not always the same or when it is not obvious which MCO they are with (something that can be more difficult than you'd think - but this is a topic for another day).

The problem with IntelliSearch is that while it makes it very user friendly for Call Center agents, it is way more taxing on the server, especially as that database grows.

Another feature of Vy Healthcare CRM is that we process discharge/authorization files as soon as they come in from the MCO. This is of course great for the MCO, our customer, and ultimately the member getting served, but it is also pretty taxing to be processing through thousands of discharges and comparing it to millions of Members in the middle of the day.

So when average page load times went from 1.2 seconds to 7 seconds in January, something needed to be done and needed to be done fast.

It was initially proposed that we need to remove IntelliSearch and that file processing should be moved to an overnight job because that is where the problem lies.

The problem with this is that it would severely impact usability and also provide worse customer service.

And therein lies the problem. For those outside of technology (looking at you CEOs and CFOs), all "tech people" seem the same. But there are a lot of different types of technology people. In a perfect world you have:
  • Developers
  • Database Administrators
  • Server Admins
  • Network Admins
  • Security Specialists
  • Project Managers
  • And of course, an Executive over all of them that understands all of this

If you have an appetite for all that, Vy Technology may not be for you (that's at least $1 million in payroll right there). Even if you can afford it, though, finding and retaining those people is a whole other issue. So what most small and medium-sized businesses do is hire a single Network/Server Admin type, put them in an IT Director position, and turn to them to make big-picture decisions. If you found that diamond in the rough who can wear all those hats, and you can keep them happy, great! But if you don't have that, you can't leave operational business decisions up to the wrong type of technology person.

In the end, we went with a replicated database solution that processed the searching in one database, the discharge files in another database, and left the master database free to do everything else (at no additional cost, no operational impact, little work for the internal IT department, and in a matter of two days).

This absolutely was more work. Did it "ruin a weekend"? Yes. Was it the easy way out? No. But there is no doubt this was the right move for the business. And putting the business over the IT department is what good businesses (and IT departments) do.
Need help with keeping functionality as you grow? Don't be a stranger then. Let's talk.
896 MemberID Variation Solution
One of our core values at Vy Technology is that We Know the Difference in Being Right and Doing Right. What we mean by that is, being right is important, but doing right is far more important. When those conflict, choose doing right.

Even though most of our core values reflect what I naturally gravitate to in business, this, in full disclosure, is not one I naturally gravitate to. Out of all our values, this is the one I personally struggle with the most. I think a lot of technology personalities struggle with it. That is why it's important that it's there.

Living out this value of course can manifest itself in many ways. One recent way was looking at helping a customer of ours come up with a solution because their customer didn't have the ability to provide consistently formatted data.

This story may get a little complicated so I will go ahead and call our customer Good Food Company and I will name their customer Homestead Insurance Company (neither are their real names).

A standard need for Good Food is being able to process hospital discharge files. This usually entails processing through the discharge file, comparing MemberIDs to a previously loaded eligibility file, and then proceeding on if a match is found.

This match is important because after the member has been served, the reporting needs kick in, and there is a lot of metadata associated with that member from the eligibility file that needs to be reported back to Homestead.

The problem, however, is that you would expect the MemberIDs in the discharge file to be in the same format as the MemberIDs in the eligibility file. For most MCOs, that is the case. But for Homestead, it wasn't.

Now we could have rightly held firm and said, you need to get your two files to match. We would be right saying that. But that isn't necessarily doing right given the situation.

Why? Because we know that Homestead will take months to get this resolved. We know that Good Food will be missing out on revenue while Homestead sorts through that. And most importantly, we know that Homestead's members will be missing out on a benefit they very desperately need when they are at their most vulnerable.

So how does a "doing right" versus "being right" mindset solve this issue? Simple. Vy Technology proposed and then wrote an algorithm that tries 896 different combinations of MemberIDs to find a match.

So if a MemberID is 123456789-01 in a discharge file, then we try 12345678901, and 123456789*01, and 00012345678901, and 123456789, and 892 more variations. The computational impact on the server is measured in milliseconds. The coding effort was measured in 2 to 3 hours. Good Food is happy, Homestead is happy, and Homestead's members are happy.
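As an added example (not Vy Technology's actual algorithm, which the post does not publish), here is one way to generate and match formatting variants of a MemberID in Python. The separator set, the fixed widths used for zero-padding, the sample eligibility IDs and the idea of dropping a trailing suffix group are all assumptions for illustration, and it produces far fewer than 896 variants. What it adds beyond the post is the check a practitioner would insist on with healthcare data: if variants of one discharge ID hit more than one eligibility record, the match is refused and handed to a person rather than guessed, because attaching a discharge to the wrong member is a PHI mix-up.

```python
import re
from typing import Iterable, List, Optional, Set

# Constructed sample eligibility IDs (not real member data). In production these
# come from the previously loaded eligibility file.
ELIGIBILITY_IDS: Set[str] = {
    "00012345678901",   # zero-padded, separators stripped
    "98765432101",
    "555666777",
}

# Separator characters assumed to appear across feeds (assumption for this example).
SEPARATORS = ["-", "*", "/", " "]


def split_groups(raw: str) -> List[str]:
    """Split a raw MemberID into alphanumeric groups at any punctuation or whitespace."""
    return [g for g in re.split(r"[^A-Za-z0-9]+", raw.strip()) if g]


def candidate_ids(raw: str, pad_widths: Iterable[int] = (11, 12, 14)) -> List[str]:
    """Generate plausible re-formattings of one MemberID.

    Families of variation, composed with each other:
      1. the same groups joined with each known separator, or with none
      2. trailing groups dropped (e.g. a "-01" dependent/sequence suffix)
      3. all-digit forms zero-padded to common fixed widths (assumed widths)
      4. all-digit forms with leading zeros stripped
    """
    groups = split_groups(raw)
    if not groups:
        return []
    cands: Set[str] = {raw.strip()}
    for k in range(len(groups), 0, -1):            # families 1 and 2
        for sep in [""] + SEPARATORS:
            cands.add(sep.join(groups[:k]))
    for c in list(cands):                           # family 3
        if c.isdigit():
            for w in pad_widths:
                if len(c) < w:
                    cands.add(c.zfill(w))
    for c in list(cands):                           # family 4
        if c.isdigit():
            cands.add(c.lstrip("0") or "0")
    return sorted(cands)


class AmbiguousMatch(ValueError):
    """Raised when variants of one discharge ID match more than one eligibility ID."""


def match_member(raw: str, eligibility: Set[str]) -> Optional[str]:
    """Return the single eligibility ID that some variant of `raw` matches, or None.

    A discharge record must never be silently attached to the wrong member, so
    more than one hit is an error for human review, not a guess.
    """
    hits = {c for c in candidate_ids(raw) if c in eligibility}
    if len(hits) > 1:
        raise AmbiguousMatch(f"{raw!r} matches several members: {sorted(hits)}")
    return hits.pop() if hits else None


if __name__ == "__main__":
    for discharge_id in ("123456789-01", "987-654-321-01", "000-555666777", "111"):
        print(discharge_id, "->", match_member(discharge_id, ELIGIBILITY_IDS))
```

The variant generator is cheap (a few dozen string operations per ID), which is consistent with the post's "measured in milliseconds"; the expensive part in a real system is the lookup, so the eligibility IDs should be held in a set or indexed column rather than scanned.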

These are the types of issues you find when doing business in healthcare. And this is the type of creative problem solving you get with Vy Technology.
Need help with creative solutions to complex problems? We'd love to hear from you. Reach Out.

On a recent visit to my alma mater, I sat in on a Machine Learning class.

It was fascinating. Being in the room with 20 or so students talking about a technology trend I have little real world experience with was a thrill.

But as thrilling as it was, and as talented and intelligent as those students were, I left the class with the words of my father in my head. He'd always say, "No one ever asked for my law school GPA two years after I graduated." The strong point that made to me as a child was that school is important, but the real world will be different.

Put another way: the theoretical is great, but the rubber meets the road in the practical.

15 years removed from the classroom, away from the field I originally studied, and after hiring many people in the technology field (and interviewing even more), I find his professional philosophy to be truer than ever.

Technology is full of incredibly smart people. No doubt about it. However, what those in technology too often miss, and what particularly impacts small and medium-sized, non-technology companies, is a business first, technology second mindset.

If that doesn't quite resonate, put more simply: if an organization is struggling to get out of spreadsheets, machine learning is likely not the solution.

Now in full disclosure, and to his credit, the Professor made this point to his class. I believe his exact words were, "if you can solve a problem without machine learning, you probably should." But what that Professor understood is very often missed by businesses vetting technology providers. And when missed, it becomes a big part of their frustration down the road.

Instead, those vetting technology providers should ask themselves, is this a Technology first or a Business first solution?

  • Technology first asks, what is the latest and greatest?
    Business first asks, without sacrificing the objective, how can we make this the least disruptive to our workforce?
  • Technology first asks, what is everyone in the industry doing?
    Business first asks, what does this particular business need?
  • Technology first asks, what will garner the most respect of my peers?
    Business first asks, what will make the largest impact on this company's goals?

Sometimes these answers are the same. Usually they are not.

There is something great about being cutting edge, no doubt about it. But if it is incredibly expensive, it is incredibly disruptive, it takes longer than expected, and ultimately doesn't produce the desired results, there is no value in it. And providing more service value than you take in payment is the foundation of all great businesses.
Need help with a business first solution? It would be fun to discuss. Contact us.
Pillars of HIPAA
When I first started developing HIPAA compliant software I had been developing custom software for 9 years. But I had never had to develop a HIPAA compliant solution. Like a lot of things in life, I figured: no biggie, I'll do some research and figure this out.

Boy, was I in for a surprise at how nebulous the law is and how widely the interpretations vary.

This blog will feature HIPAA extensively in other posts, but today I wanted to share what came to be called the Pillars of HIPAA.

Eight of these were developed pretty early on. Five more were added over the course of the next six years.

When we went for HITRUST Certification, we were positioned pretty well with just these pillars. Yes, the Certification required us to codify a more formal IT Policy. And in no way am I saying these pillars are the equivalent of HITRUST Certification. But I do believe the 105-page IT Policy that ensued doesn't do that much more than these 13 pillars below did to secure data in a HIPAA compliant system.

  1. Encryption in Transit - all data is encrypted and transferred using a 128-bit SSL secure connection.
  2. All access is controlled by an individual username and password for every employee.
  3. Every page view and action is logged - including date, time and IP address.
  4. PHI is always hidden unless an employee purposely chooses to see it, in which case a special entry is logged.
  5. All PHI is stored in the database in an encryption at rest state - i.e. a social security number of XXX-XX-XXXX would be encrypted and stored as WhvNDTdXAPJYzWajhkXegzfX...
  6. All PHI (which is already encrypted) is stored in a separate table from other identifying information. As an example, names and addresses are stored in a separate location than Social Security numbers and Medicaid IDs.
  7. Permissions for all employees are set on an individual level using the Principle of Least Privilege - access to information is reviewed and granted on an individual level.
  8. No member-related data is accessible outside of our internal network without the use of 2-Factor Authentication via Google Authenticator and a proprietary key. This conforms to the algorithms specified in RFC 6238 and RFC 4226.
  9. All reports are generated with minimal information needed.
  10. The server can only be accessed via SSH/SCP - since FTP connections are unencrypted, they are not allowed on the server - SSH/SCP is more secure than FTP and SFTP.
  11. SSH/SCP access is only granted via security keys (no passwords) - thus preventing brute force attack attempts - this method is much more secure than a traditional username and password method.
  12. Our firewall only opens the following ports to the outside: 80/HTTP, 443/HTTPS, 22/SSH.
  13. All versions of Linux, PHP, Apache and MySQL are long term stable (Ubuntu 18.04.x LTS / PHP 7.2.x / Apache 2.4.x / MySQL 5.7.x).

After going through HITRUST Certification for one of our Customer's systems, I would add the following four as well.

  1. Force logoff system after 15 minutes of inactivity
  2. Include warning messages on all systems (Web or SSH sessions) that inform an individual they are entering a system with PHI and that their actions are monitored
  3. Implement a DLP solution for Email that includes the ability to send secure email
  4. Implement annual third party penetration testing and risk assessment
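Pillar 11 above (SSH keys only, no passwords) is only as good as the effective sshd configuration, and sshd has a quirk that trips up audits: for each keyword the first value in the file wins, so appending `PasswordAuthentication no` at the bottom of a file that already says `yes` changes nothing. As an added example, not a tool from the post, here is a small Python checker that parses sshd_config text with first-occurrence-wins semantics, falls back to OpenSSH's documented defaults, ignores everything after the first `Match` block (those directives apply only conditionally), and reports deviations from pillar 11. The config fragments are constructed for the demonstration; the keyword list and defaults are OpenSSH's.

```python
import re
from typing import Dict, List

# OpenSSH's documented defaults for the keywords this check cares about.
DEFAULTS: Dict[str, str] = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

# Newer OpenSSH renamed ChallengeResponseAuthentication; treat both spellings as one key.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global settings of an sshd_config text.

    sshd uses the FIRST value it reads for each keyword, so later duplicates are
    ignored here too. Parsing stops at the first 'Match' line because directives
    inside Match blocks apply only when the block's criteria are met.
    """
    settings = dict(DEFAULTS)
    seen = set()
    for raw_line in text.splitlines():
        line = raw_line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        key = ALIASES.get(key, key)
        if key == "match":
            break
        if key not in seen:                            # first occurrence wins
            seen.add(key)
            settings[key] = value
    return settings


def check_key_only_access(text: str) -> List[str]:
    """Findings against pillar 11; an empty list means the config satisfies it."""
    s = parse_sshd_config(text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is not 'yes'")
    if s["challengeresponseauthentication"] != "no":
        findings.append("ChallengeResponse/KbdInteractiveAuthentication is not 'no' "
                        "(a password can still be prompted for interactively)")
    if s["permitrootlogin"] not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin allows password login for root")
    return findings


# Constructed sshd_config fragments for demonstration (not from any real host).
HARDENED = """
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
"""

APPENDED_TOO_LATE = """
PasswordAuthentication yes
PubkeyAuthentication yes
# someone 'hardened' this by appending at the end; sshd keeps the first value
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("HARDENED", HARDENED), ("APPENDED_TOO_LATE", APPENDED_TOO_LATE)):
        print(name, check_key_only_access(cfg) or "OK")
```

A checker like this belongs in the same periodic review as the annual penetration test in item 4: the file is correct on the day the server is built and drifts afterwards, and `sshd -T` on the host itself is the authoritative way to confirm what the daemon actually resolved.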
Need help with HIPAA compliance? Don't be a stranger then. Let's talk.