8 Security Considerations for PAC Workflow Automation

Automation Security
8 Security Considerations for PAC Workflow Automation

Automation is driving change in the post-acute care industry. Automation delivers speed and precision while freeing staff to work on more complex, higher value tasks and thus eliminating repetitive tasks.

Understanding Robotic Process Automation in Healthcare

RPA or Robotic Process Automation is a system of recording tasks as a human would. Machines are then instructed to execute these tasks exact same as humans would. Robots (or bots) find logical steps and perform repetitive manual tasks with no human intervention. Several industries including healthcare have begun a widespread adoption of RPA, and the benefits it poses to post-acute care are aplenty. 

With automation, post-acute care providers can simplify their daily repetitive work, allowing the robots to manage the repetitive tasks based on a specific set of rules or instructions that are provided. Robots are trained to log on to pre-existing systems on behalf of teams, and follow the instructions to complete tasks. This frees up time and resources to focus on patient care and higher value tasks without the encumbrances of repetitive administrative work. Automating workflows allows post-acute care teams to intervene only when manual intervention is necessary. Most tasks can be handled by automation and since the work occurs at the backend, it does not require supervision or daily direction.

Why security is vital in the workflow automation

Automation Software runs on behalf of users and in the process are required to :

  • Applications: Interact with many applications - both source and target.
  • Process (execute a set of steps) to meet a functionality
  • Rules and logic based execution
  • Manage Data - Store, Transfer, Processing and reporting. 

The automation involved in PAC creates several layers such as web, APIs and data exchange that are vulnerable to attacks. The use of RPA frameworks can expose organizations to new types of security threats. Hence, its security is an utmost priority while using workflow automation.

What should be the steps considered to improve the security

A : Use Password Vaults for Managing Credentials

Credentials - both login and password should be stored in the vault. A Vault typically stores Passwords in encrypted format and prevents direct access to credentials.

Please note that there are various logins and passwords to be managed - enterprise applications, API services, different environments (dev, test and production), applications behind Citrix, and many more, soon this tends to grow. Credential management is core / foundational capability.

B : Role based, Restricted Access

A bot will be accessing Applications - e.g. within Enterprise, External applications, Government Sites and so on. Usually a bot will need to only perform a finite set of activities (E.g. upload files, export data based on criteria etc.). Typically the target applications do provide a set of roles with permission to perform specific activities. 

Restricting access to a Bot will prevent any accidental actions and further help with user confidence.   

C : Audit logs for Visibility to Bot Health

A User needs to understand what actions a bot is performing when a process is automated. More important is to understand the effectiveness of both. This is not only important during the initial testing phases of Automation Process development but also for ongoing troubleshooting if there are issues - be it in business failures or technical failures. 

Design a robust logging component where information summary (e.g. Trends, patterns) and detail (e.g. process step level) can be provided.     

D : Manage the Clear ! 

Currently there are many regulations by Sector / Industry. In Healthcare, HIPAA ( Health Insurance Portability and Accountability Act) compliance is key. The HIPAA Privacy regulations require applications to ensure confidentiality and security of protected health information (PHI) when it is used (transferred, received, processed, or shared). 

Automation applications should be designed to overall manage PHI information - at a minimum the following considerations become key::

  • Avoid or Minimize use of PHI data where possible (e.g. for handling failures)
  • PHI data to be encrypted. 
  • Design a suitable data masking technique and mask PHI data. 
  • Access Control (Who gets what access etc.) of PHI data is must. 
  • Prevent direct access to PHI data. Ensure PHI data is only accessed through a known interface like a controlled Service or an application.

E : Perform Audits 

Supplement your Audit Logging Design with formal cadence for performing periodic Audits. This is important from multiple perspectives - key being changed. Change is inevitable and therefore it is important to understand bot’s responsiveness to change and course correct where needed. 

Note: Automation Applications are User Interface (UI) heavy - UI changes are to be expected over the life of an application.

F : Data, Storage and Lifecycle

Business Processes today deal with Bigdata - where volume, variety and veracity are to be planned and managed. Consequently, one of the key Security and Risk considerations for an automation application is how data will be stored and managed throughout its lifecycle.

This topic is a whitepaper topic in itself. However at a minimum the following needs to be considered:

  • Data Storage: Typically a bot needs to provide storage (ideally shared storage) where not only the bot inputs or outputs are managed but  also shared with Users (Business or Technical). This storage should also be designed considering key factors like access control, synchronization if needed, data archival etc. 
  • Data at Rest:  Make sure data at Rest is access controlled, encrypted (so that even in case of breach the compromise can be minimized)
  • Data in Motion: In many cases a bot is designed to process high-volume transactional data - with bulk of the processing happening in-memory underpinned by a messaging / queue based architecture. It is important to ensure that the data in motion is also encrypted and controlled (even queue based persistence) - Ideally the Automation platforms will be able to provide this but if not a bot design should account for the same. 

G : Automation Environment and Access

The Automation Environment involves multiple components - not just the Automation Software but a host of other components - cloud based or otherwise (like Performance Monitoring, Log Analytics, Reporting etc). Policy based access / control to the environment to be formalized - few examples: :

  • Has the automation code been reviewed and is per Quality standards?
  • Are there formal best practices ? Have they been institutionalized and enforced (like handling failures to be consistent and comprehensive) ? 
  • Is the code thoroughly tested and accepted by end users?  
  • Who gets to execute / trigger a bot?
  • Who gets to release code between environments? 
  • Who gets to change configurations etc.
  • Who gets to build and release code? 

Further, DevOps (build, test, deploy and change cycles) is integral to any Automation Software development. Automating this cycle could also help reduce the overall risk of managing the deployment of automation code to production

H : Governance and Change

IPA is a strategic initiative for many firms today. Organizations should establish suitables policies and controls to secure their Automation Ecosystem. 

Further, Automation tends to bring Change - a new way of working, a new way of man-machine collaboration. This change has been managed and executed well for value delivery.

      Few key considerations in this context are:

  • Monitoring and Managing Bot effectiveness
  • Design with Business Continuity in mind
  • Risk Management
  • Performance management
  • Selecting candidates for Automation

Conclusion - Intelligent Process Automation (IPA) provides powerful capability with tangible impact on both the top-line and bottom-line. Like any strategic Initiative, IPA also needs to be planned, governed and managed well. Security and Control is foundational to not just Risk management but also value delivery at Scale. Element5 is working with a host of clients while offering IPA in the SaaS (Software as a Service) model. As we continue to learn working with our clients, we will keep the best practices updated.