About Cavo Health

Cavo Health is a Healthcare technology company, which offers software-as-a-service (SaaS) that provides its customers with Precise Word Matching AI technology to automate matching and coding of Hierarchical Condition Categories (HCC). Cavo Health's Precise Word Matching AI engine finds more than 96% of the HCCs in medical records before coders even begin coding. Currently, Cavo Health's suite of products automates virtually the entire risk adjustment coding workflow along with delivering the unprecedented auto-coding accuracy and HCC completeness.

The Challenge

Cavo Health sells a service which interacts with Protected Health Information (PHI). It was imperative that Cavo Health prove to its customers that its software, which is hosted on Amazon Web Services (AWS), was in compliance with HIPAA guidelines for PHI. Cavo was primed for tackling this challenge and more so, after contacting Jacobian Engineering for assistance. The way for Cavo Health to resolve this challenge would be by achieving a HITRUST certification for its SaaS application.

HITRUST CSF, a security framework that provides organizations a comprehensive, flexible, and efficient approach to regulatory/standards compliance and risk management. Additionally, it provides the structure, transparency, guidance, and cross-references to authoritative sources that organizations globally need to be certain of their data protection compliance.

Partner Solution

Cavo built its solution and operated it under the standards and guidelines provided by the Health Insurance Portability and Accountability Act (HIPAA). Threats to healthcare organizations are on the rise and Cavo wanted to implement a security framework that helped the organization manage and reduce risk. Jacobian worked with Cavo to implement and assess controls under HITRUST CSF.

By leveraging the HITRUST inheritance program, Amazon Web Services customers are able to inherit as many as 85% of controls either fully or partially. Jacobian has been a member of the HITRUST Alliance assessment program for 8 years. With Jacobian's help, a readiness assessment was conducted, gaps were identified and Cavo worked diligently to close gaps using Amazon platform and infrastructure services.

HITRUST CSF groups into 19 domain categories aligned with common IT process areas containing various control requirements. Many controls in the following domains are implemented using Amazon Web Services including:

• Vulnerability Management
  Amazon GuardDuty provides account anomaly detection and helps customers detect and alert on threats affecting the solution.
• Configuration Management
  Using Amazon Config policies, Cavo ensures infrastructure and platform service configurations meet policy standards. Amazon Config also tracks historical configuration, alerting system operators to changes within the Amazon account or drift from approved configuration.
• Network Protection
• Transmission Protection
  Amazon Application Load Balancers (ALBs), Security Groups and Network Access Control Policies control network ingress, egress and intra-network communication between resources. ALBs provide TLS transport security between users of the Cavo solution and backend services.
• Password Management
  Cavo uses Amazon Secrets Manager to store API keys and other secrets used by the platform. Amazon Key Management Service manages key material for encrypting data throughout the solution.
• Access Control
  Amazon Identity Access Manager manages accounts and roles to provide identity and access authorization for service-to-service communication and to enable support engineers to access the Amazon environment.
• Audit Logging & Monitoring
• Risk Management
  Amazon CloudWatch and CloudTrail collect and aggregate telemetry and log data to ensure observability throughout the platform. Amazon Macie scans Amazon S3 to ensure protected health data does not migrate outside of authorized storage buckets.
• Incident Management
• Business Continuity & Disaster Recovery
  Amazon Backup and Amazon Relational Database Service (RDS) backup services provide disaster recovery capability. Amazon EKS provides orchestration services for containers and high availability and self-healing if nodes fail, become unresponsive or exceed available capacity.
• Physical & Environmental Security & Wireless Security
  Amazon Web Services itself provides wireless, physical and environmental security controls merely by using AWS itself. Nearly all of the controls in these domains can be fully inherited from Amazon.

A limited number of controls may be addressed through the use of Amazon Web Services for the remaining domains and Cavo implemented organization and system controls to address the remainder in these domains:

• Information Protection Program
• Endpoint Protection
• Portable Media Security
• Mobile Device Security
• Education, Training, and Awareness
• Third-Party Assurance
• Data Protection & Privacy

Result and Benefits

Cavo Health achieved HITRUST certification for its application, which has since resulted to measurable success in sales and overall interest in the SaaS platform. Marketing and Business Development teams at Cavo health are also benefiting immensely from this certification because obstacles of HIPAA compliance have been addressed.

About Jacobian Engineering

Jacobian Engineering is an information security company and an advanced consulting partner of Amazon Web Services (AWS). Jacobian Engineering works with customers in several industries including healthcare, biotechnology, energy, financial services, construction and has strong competencies in cloud security, software development, migrations, governance, risk, and compliance.