“Wow, but is this thing secure?”

I was expecting that question. I knew before meeting with potential alpha implementation partners about Orthobot that data security was going to be an important topic for my new venture, Transform9, an orthopedic voicebot virtual assistant for physician practices. That’s why we have spent time and resources to develop a comprehensive security plan for our team to implement and maintain.

Security is a big term that encompasses a lot of tools and tactics. How do you even answer a question about whether a system is secure in today’s environment? Every day, it seems there’s a new story about another business that has been hacked—Marriott, eBay, Home Depot, Yahoo, Apple, Capital One, Dunkin’ Brands, DNC, U.S. Navy, Equifax, Target, Uber, JPMorgan Chase, Anthem, Adobe—just to name a few! That begs the question: Is any system 100% secure?—especially considering that a user’s device can have malware that obtains the user’s credentials.

Even Twitter CEO Jack Dorsey’s Twitter account was recently hacked (although the hack actually occurred with his telecom carrier). And China’s Huawei, which makes equipment that connects to the internet, has been charged with systematically diverting traffic back to China to spy on users.

We know that consumers expect security. If, for example, Walmart can’t provide a secure environment for consumers to shop, people will buy their goods elsewhere. If the bank I use cannot provide a secure account for my money, I’ll move my finances elsewhere. If Target is hacked and my credit card number is stolen and subsequently charged, I’ll shop elsewhere. It’s fundamental to any business.

While these examples make for interesting reading, they certainly raise a lot of questions about which “security” measures are in place—and highlight the importance of security plans today. When my son recently asked me which masters’ degree I thought he should pursue, I told him immediately and emphatically: “cybersecurity.”

Most systems are designed to help people get things done more quickly or to help make decisions. Systems are used by people and coded by people, which means we will always introduce some amount of human error. People make mistakes and don’t always think of everything.

But there are things we can do to protect systems from compromise and minimize the impact when issues do occur. We can implement best practices and the latest technology to prevent attacks and set ourselves up as a cyber-resilient company.

By default, Transform9’s security plan has an advantage over other applications because of several factors. First, legacy systems are typically targeted because they were developed years ago using architecture and code that may not have been originally designed to protect against unauthorized requests and access to systems or the access and transmittal of data. Today, we benefit from learning from those who have been compromised so we can implement the latest in cybersecurity best practices starting with systems we chose to run our application. Second, the data we transmit and store is very limited. We keep very little patient data and no medical records or payment information. Third, each practice that uses our system only needs a few users to manage to their administrative portal—two or three would suffice for most practices, which limits the number of targets for hacking credentials. Last, we benefit from being a small company and would be a very, very small target. Yahoo was targeted for 3 billion user accounts, and Marriott was hacked for 500 million customers’ data.

I know from experience that core security elements need to be in place such as identity and access management, data protection, infrastructure monitoring, logging, and incident response. In 2007, when I was CEO of Momentum Telecom, we first began dealing with hackers and distributed denial of service (DDOS) attacks. Hackers would compromise users’ credentials of VoIP cable modems and telephone adapters and make international calls over those devices, running up thousands of dollars of long-distance bills. We brought in professionals who, at that time, implemented many of today’s best practices using ITIL processes.

Our advantage is that we have built our system from a blank slate, not having to rely on legacy equipment. Our security (and really any application) starts with architecture and then DevOps and DevSecOps. We will continue to update our “security” to protect our clients’ data using the many available tools.

We’ve adopted Amazon Web Services’ well-architected framework, which includes five pillars:

  1. Operational Excellence
  2. Security
  3. Reliability
  4. Performance efficiency
  5. Cost Optimization

We are implementing this framework through a recurring process of:

  1. Planning
  2. Executing
  3. Testing
  4. Documenting Problems
  5. Defining Solutions
  6. Recording Architectural Changes (and back to 1)

Amazon Web Services (AWS) offers many of the necessary tools and systems to implement security best practices. Too many to list here. In addition, many of these sophisticated cybersecurity systems are now integrated and can be activated immediately. Ten years ago, we spent hundreds of thousands of dollars and years turning up manual systems on what we have accomplished recently and will accomplish in the next few months at a fraction of the cost.

Because Transform9 is leveraging a platform on AWS, we can extend our security to the network, improving penetration defense and packet inspection, and reducing latency. Today, setting up a cyber-secure shop can be done in less than 20 percent of the time and cost, giving a new startup an advantage over legacy businesses.

So is Orthobot secure? Here’s my short answer: Transform9 is cyber resilient voicebot using up-to-date system architecture, development practices and the some of the latest monitoring tools available.

Learn more at transform9.com.

Alan L. Creighton

Author Alan L. Creighton

Alan is the Founder & CEO of Transform9, currently building the first specialty-specific, automated, conversational voicebot virtual assistant for physician practices that lets patients communicate how and when they want.

More posts by Alan L. Creighton