ZERO TO THREE Case Study
At a glance
Gorilla Logic conducts a comprehensive security audit of Welly, powered by ZERO TO THREE’s HealthySteps program—ensuring personal information is protected against data breaches.
- OWASP ZAP
- AWS (AWS Lambda and API Gateway)
Gorilla Logic’s Security Expertise Helps Protect Children’s Personal Info on ZERO TO THREE’s HIPAA Compliant Welly Application
ZERO TO THREE’s mission is to ensure that all babies and toddlers have a strong start in life. Recognizing that a child’s first three years are a critical time for developing a foundation for lifelong health and well-being, ZERO TO THREE provides helpful resources and practical tools for millions of parents, professionals, and policymakers nationwide. HealthySteps, a program of ZERO TO THREE, changes the trajectories of children’s lives. HealthySteps promotes the health, well-being, and school readiness of babies and toddlers in more than 150 pediatric primary care practices nationwide, serving more than 145,000 children. The HealthySteps Specialist, a child development expert, joins the pediatric primary care team to screen all families as well as provide successful referrals and intensive services if needed.
Between 2009 and 2018 there were 2,546 healthcare data breaches involving more than 500 records each.
Those breaches have resulted in the theft/exposure of 189,945,874 healthcare records.
That equates to more than 59% of the population of the United States.
Healthcare data breaches are now being reported at a rate of more than one per day.
Source: HIPAA Journal: Healthcare Data Breach Statistics https://www.hipaajournal.com/healthcare-data-breach-statistics/
The adage “it takes a village” is particularly relevant in child development today. Many parents rely on a network of extended family members, caregivers, and healthcare providers to support their children’s physical, cognitive, and social-emotional development and well-being. ZERO TO THREE understands the importance of this network and provides helpful resources and tools to parents and professionals, including those involved with its HealthySteps program. In addition, understanding the reach of HealthySteps and evaluating it requires the HealthySteps National Office at ZERO TO THREE to gather aggregated information about these young children and their families from HealthySteps sites across the country. Because of this, ZERO TO THREE must meet the stringent compliance requirements prescribed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Failing to meet these security and compliance requirements can result in substantial fines and penalties.
ZERO TO THREE hired a third-party security company to conduct a company-wide assessment of their policies, procedures, systems, applications, and more. Part of the assessment included the HealthySteps Welly application. The HealthySteps program uses a SaaS-based application, Welly, built with development partner Gorilla Logic. Welly guides caregivers and families in steps they can take to promote the healthy development of their young children outside of the pediatric primary care clinic. Overseen by HealthySteps, Welly offers health and well-being assessments, scheduling tools, progress tracking, and educational content—all of which can be accessed by a person’s mobile device. Welly is also an easy-to-use application for HealthySteps sites to share crucial data with the National Office to ensure a high-quality, effective program.
Gorilla Logic’s developers worked with Amazon Web Services (AWS) to identify services that were both HIPAA-eligible (covered by the AWS Business Associate Addendum) and a good fit for ZERO TO THREE. They built the application on an AWS serverless architecture, using AWS Lambda and Amazon API Gateway, so that ZERO TO THREE could minimize IT overhead while scaling the app as needed. This architecture frees ZERO TO THREE from provisioning, patching, and maintaining servers. Capacity scales automatically, or can be adjusted by changing the units of consumption (e.g., throughput, memory) rather than by adding individual servers. Finally, the serverless architecture provides built-in availability and fault tolerance. It does not, however, remove the customer’s side of the AWS shared responsibility model: application code, IAM permissions, API Gateway authorization, and the handling of data in transit and at rest remain ZERO TO THREE’s to secure and audit.
ZERO TO THREE knew that the security company’s assessment would focus primarily on ZERO TO THREE’s policies and operations, with only some attention paid to its applications. They therefore asked Gorilla Logic to conduct a comprehensive security audit of the Welly application. The audit would provide a deeper analysis of Welly’s security posture and complement the findings of the overall assessment.
The High Value of Health Information to Hackers
“A person’s medical record has the most comprehensive information about that individual today,” says John Schuch, Gorilla Logic’s Security Practice Lead. “Not only does it contain all of your demographic and financial information, it also includes data about your past medical history, including every doctor’s visit you’ve made and diagnosis you’ve received.”
“Sophisticated hackers know that they can use health records for malicious purposes including filing false health claims, filling fake prescriptions, and even opening up credit cards to pay for medical expenses,” John continues. “The Gorillas wanted to make sure that the app was designed to safeguard sensitive personal information against an evolving threat landscape.”
Ensuring the Security and Compliance of Welly
HIPAA itself does not certify applications; as part of its HIPAA compliance program, ZERO TO THREE requires that a third-party consultant, outside of the development team, test all applications. Prior to these tests, John conducted a thorough assessment of the app with the goal of locating potential vulnerabilities that could result in a data breach. In addition to speaking with the developers to understand the application architecture, John ran SonarQube scans to pinpoint potential vulnerabilities in the source code. He also ran dynamic tests against the running application with OWASP ZAP and penetration-tested it, navigating every aspect of the application. This surfaced two minor vulnerabilities, which the development team addressed before delivering the app to the security consultant. Impressed by the Gorillas’ thoroughness in testing the application, the security consultant remarked, “Very rarely, if ever, have I encountered so few issues as I did with Gorilla Logic.”
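The audit described above combined static analysis (SonarQube) with dynamic testing of the running application (OWASP ZAP, listed at the top of the page). As an added example, not code from Gorilla Logic or the Welly project, the script below shows how a team can turn a ZAP scan into a repeatable check that runs before an app is handed to an outside assessor: it parses ZAP’s traditional JSON report (the file written by `zap-baseline.py -J` or `zap-full-scan.py -J`), summarizes findings by risk level, and fails when anything at or above a chosen risk level is still open. The embedded report, its host name and its plugin IDs are constructed for illustration; the `fail_at` threshold and the `waived` allow-list are assumptions, not settings from the audit.

```python
"""Gate a release on an OWASP ZAP dynamic-scan report.

Added example (not from the Welly project): reads ZAP's traditional JSON
report, flattens every alert across all scanned sites, and refuses to pass
when any alert at or above a chosen risk level remains open.
"""
import json
import sys

# ZAP risk codes as written in its JSON report: 0 info, 1 low, 2 medium, 3 high.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample in the shape of a ZAP JSON report. The host, alerts and
# plugin IDs are illustrative, not results from the audit described on the page.
SAMPLE_REPORT = json.dumps({
    "@version": "2.11.1",
    "site": [{
        "@name": "https://app.example.test", "@host": "app.example.test",
        "@port": "443", "@ssl": "true",
        "alerts": [
            {"pluginid": "10038",
             "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3", "riskdesc": "Medium (High)",
             "instances": [{"uri": "https://app.example.test/", "method": "GET"},
                           {"uri": "https://app.example.test/login", "method": "GET"}]},
            {"pluginid": "10021",
             "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2", "riskdesc": "Low (Medium)",
             "instances": [{"uri": "https://app.example.test/static/app.js", "method": "GET"}]},
            {"pluginid": "10096",
             "alert": "Timestamp Disclosure - Unix",
             "riskcode": "0", "confidence": "1", "riskdesc": "Informational (Low)",
             "instances": [{"uri": "https://app.example.test/api/status", "method": "GET"}]},
        ],
    }],
})


def parse_alerts(report_text):
    """Flatten a ZAP JSON report into one dict per alert (site, id, name, risk, uris)."""
    report = json.loads(report_text)
    findings = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            findings.append({
                "site": site.get("@name", ""),
                "pluginid": str(alert.get("pluginid", "")),
                "name": alert.get("alert") or alert.get("name", ""),
                "risk": int(alert.get("riskcode", 0)),
                "confidence": int(alert.get("confidence", 0)),
                "uris": [inst.get("uri", "") for inst in alert.get("instances", [])],
            })
    return findings


def summarize(findings):
    """Count alerts per risk level, always reporting all four levels."""
    counts = {name: 0 for name in RISK_NAMES.values()}
    for f in findings:
        counts[RISK_NAMES.get(f["risk"], "Informational")] += 1
    return counts


def gate(findings, fail_at=2, waived=()):
    """Return (passed, blocking_alerts).

    fail_at: lowest risk code that blocks the release (2 = Medium and above).
    waived: plugin IDs a reviewer has accepted as false positives. Keep this
    list in version control so every waiver is visible in code review.
    """
    waived = set(waived)
    blocking = [f for f in findings
                if f["risk"] >= fail_at and f["pluginid"] not in waived]
    return len(blocking) == 0, blocking


def main(argv):
    # Usage: python zap_gate.py report.json   (falls back to the sample report)
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    findings = parse_alerts(text)
    passed, blocking = gate(findings)
    print("Summary:", summarize(findings))
    for f in blocking:
        print(f"BLOCK {RISK_NAMES.get(f['risk'], '?'):<7} [{f['pluginid']}] {f['name']} "
              f"({len(f['uris'])} instance(s)) on {f['site']}")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample, the script blocks on the Medium-risk CSP finding and exits non-zero; the two lower-risk alerts are reported in the summary but do not block. Waiving by plugin ID rather than by URI keeps the exception reviewable, and a non-zero exit code is what lets a CI job stop a build before the app reaches the external assessor.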
“The consultant we hired doesn’t address security requirements at an application level,” says Prasad Kothembaka, ZERO TO THREE’s IT Manager for HealthySteps. “Gorilla Logic’s security team really delved into the details. They updated us regularly and scheduled a follow-up meeting to review their findings before publishing them in a clear, comprehensive report.”
“Gorilla Logic’s security audit was a bonus for us,” Prasad continues. “It was very helpful to understand our security and compliance posture in advance and share that information with the consultant so they could validate their own findings.”
Supporting Childhood Growth and Well-Being
The Welly application is the first of its kind for ZERO TO THREE. The HealthySteps National Office previously relied on Excel spreadsheets and hard copies of reports and information from disparate databases to cobble together comprehensive client profiles. Not only was this process inefficient, it also left ZERO TO THREE vulnerable to human error and security breaches. In addition, Welly offers the opportunity for families to more regularly interact with HealthySteps outside of the pediatric primary care office.
“Welly will provide a secure resource for families to interact with us, ensuring their babies and toddlers thrive throughout their crucial development years,” says Prasad. “We really value the expertise that Gorilla Logic brought to this project. There were no glitches or ‘Plan B’s’—only great teamwork in meeting deadlines