Policies are important, but security is about what you do all day, every day
UnityAI uses a modern, cloud-first approach to make AI systems safe and secure
For every healthcare organization operating technical systems (which is to say, all of them), information security is a top-of-mind concern. Nearly every day we’re seeing headlines related to data breaches and cybersecurity lapses that have the potential to impact millions of people around the world. The recent MOVEit hack during early summer 2023, for example, exposed personal data of over 16 million people and affected a wide range of private companies and governmental entities, including the state transportation agencies of Oregon and Louisiana. Hospitals and other healthcare providers have increasingly been dealing with ransomware and other types of attacks for years.
Start with security in mind
When we founded UnityAI to incorporate intelligent automation and generative AI into hospital operations, our initial set of tasks was to lay out how we will make our systems secure to keep our customers’ data safe. We knew that it would be important to demonstrate that we have good policies and procedures in the context of HIPAA compliance, so we partnered with Vanta to guide us through the process of writing policies and ensuring that we covered the various domains of physical, technical, and administrative safeguards that are required.
Want to support UnityAI as we grow our company? Share our newsletter and blog with your network to help us connect with more people who are interested in the future of incorporating AI and intelligent automation into hospital operations.
More importantly, we are using Vanta integrations to conduct continuous monitoring of our safeguards and controls. For any technology that we use in the normal course of operating our business or running the software that we are developing, we have visibility into the current status of each of our controls. You can view those statuses as well on our trust report page. The next step for our company is to set up a regular HIPAA compliance audit and begin the process of SOC 2 certification. Both of these milestones are on our roadmap to complete prior to implementing our first product in a live healthcare setting.
Build with safe practices from the start
An inescapable truth: well-designed policies are words on a page, actual security comes from putting those policies into practice in the day-to-day work for building software and running systems. UnityAI has been focused on implementing the concepts from our policy documents into specific practices that will help to secure our application development process and data processing workloads.
Here’s a list of four core practices we have focused on so far:
We only develop in cloud-based, ephemeral environments, never on laptops
No customer data on laptops or other UnityAI devices, ever
The entire application stack, all the way down to databases and networking, is defined as code
Application components are always containerized
Read on to learn more about why these practices are foundational for our security posture.
Cloud-based, ephemeral development environments
We use cloud-based, ephemeral environments for all our development work. Any data or code that exists on physical devices in our team members’ possession (read: laptops) would be at risk if those devices were lost or stolen. Similar risk would occur if those devices were impacted by malware, ransomware, phishing attacks, etc. The HIPAA security rule includes guidance for physical safeguards for workstations and devices; the traditional way of implementing those safeguards focuses on tactics like mobile device management, virus scanning, and so forth. We apply these tactics for our physical devices but only use those devices as access points to work with code and data that is stored securely in cloud environments.
UnityAI uses Google Cloud Workstations for our development. We pre-configure these workstations to work within our network controls and security posture while enforcing the same identity access management policies that will be applied to production environments. If we find an issue or potential vulnerability, we can make changes to the underlying configuration and push those changes out to all of the workstations immediately. And by doing development in Google Cloud environments, we can make ready use of tools like Secret Manager while avoiding less-secure practices like generating and downloading service account keys for accessing GCP resources from a local device.
While this approach took more time and effort to set up, the long-term payoff is twofold. First, the entire development process is more secure because we are working with environments that benefit from Google’s longstanding focus on securing cloud services. Second, we’re improving the developer experience by requiring developers to understand how the cloud resources interact with each other within our network controls before they start writing software. This helps us avoid scenarios where a workload worked well in the developers local environment but fails in mysterious ways when we stand it up in the real cloud environment where it’s going to run. Using Cloud Workstations increases security while also increasing parity between development environment and production environment.
Containers, Kubernetes, and everything-as-code
When we go out into the world to talk with hospital leaders, clinicians, and healthcare professionals about what UnityAI is trying to achieve, we describe our vision as applying AI and data science techniques to hospital operations to increase reliability and performance. One of the key methods we envision using is working with caregivers and administrators to identifier “trigger” events in the data for important scenarios and specify corresponding “playbooks” that should be executed in response. The underlying notion is that there is an ideal response to trigger events, and we want our AI system to help team members achieve an actual response that is as close as possible to that ideal in order to drive overall performance of the system.
If we were pitching this idea to technologists, we would say “It’s Kubernetes for hospitals.” The deep idea behind Kubernetes is that there is a declared ideal state for a cluster, workload, process, or any other resource, and then there is the actual state of that resource. The system is trying to minimize the difference between these two things; when everything is successful and healthy, all of the resources described in the cluster are running in their ideal state as declared in the relevant configuration definitions.
What does all this have to do with security? Our approach to developing UnityAI’s product offering has been to declare everything as resources in Kubernetes. We have described everything from databases to applications to Google Cloud service accounts in configuration files that are orchestrated by Google Kubernetes Engine. By specifying the full stack in code, we are able to enforce change control through pull request reviews and our CI/CD pipeline, which reduces the chance of a change that inadvertently misconfigures a resource and opens an unexpected vulnerability that could go undetected for a long period of time. Explicit visibility into every component of the system increases the safety and reliability of the entire system.
Prioritizing containerization for our applications is also a key part of our security strategy. Each application or workload runs in its own container, and we can specify which components or resources within the cluster should be able to communicate with each other. These resources are associated with their own service accounts that are specified according to the principal of least privilege, meaning that these accounts are only able to access the minimal data and Google Cloud resources required to fulfill their function. We’re also taking advantage of proxy containers made available by Google such as the Cloud SQL Auth Proxy and the Extensible Services Proxy to implement strong security principles when our applications connected to databases or APIs.
The original promise of containerization was that it would make running workloads in a shared environment simpler by reducing dependency conflicts and resource contention because each container is able to run independently with everything it needs. The added benefit from a security perspective is that we now have boundaries between application components and can specify exactly how those components are allowed to interact. This also means that a newly discovered vulnerability in a dependency may only affect a single component rather than putting the entire system at risk. UnityAI uses vulnerability scanning on our container images to detect critical vulnerabilities for mitigation.
Modern practices for a modern company
There’s a lot more to UnityAI’s approach to application security than what we’ve laid out here. Our aim with this post has been to demonstrate some of our thinking about how to establish a secure foundation for our products so that hospitals and healthcare professionals can work with us with confidence that we’re helping to safeguard their patients and systems.
As you’ve probably noted, we’re leaning heavily on Google’s investments and industry-leading research in modern approaches to securing applications, infrastructure, and data in the cloud. There’s a lot more to unpack and learn; if you’re interested in learning more about Google’s approach and practices, we recommend the Google Cloud security foundations guide and the BeyondProd white paper as great places to start.
We recognize that many of these practices are new, especially for healthcare companies that have extensive experience and track records running systems and infrastructure in on-premise environments. As we work with new and potential clients, we hope to be able to engage with leaders and IT professionals to share what we think works and help to move toward concrete actions that make our systems more security for the benefit of team members and patients.