pVerify Deploys Moesif HIPAA-Compliant API Analytics for COVID Testing

Overview

Building solutions that safely handle Protected Health Information (PHI) is complicated, time consuming and involves special engineering knowledge. Over the last fifteen years, pVerify has built a HIPAA-compliant API platform that checks patient eligibility for 1,000s of healthcare providers.

While the system in place could determine when an API call was made, the CTO & COO Rob Dejournett, wanted more information about what his customers were doing, where they might have problems and what vulnerabilities might be out there. And he wanted that without compromising the integrity of patients’ PHI.

As a scientist, I’m all about data analytics. Finding, displaying and sharing API metrics like 400/500 errors, when you have thousands of customers and millions of API calls, is very difficult. Moesif solved that for us.

Rob Dejournett, CTO, COO

To develop a system internally to provide insights into his API calls, he projected it would take his team of four developers six months tweaking the data infrastructure. He’d rather purchase a turnkey analytics platform and have his devs build features that customers want to pay for.

pVerify’s product manager short-listed API Management solutions, red-hot start ups (with “ridiculous feature promises”) and cloud providers to provide — none offered the features, flexibility and above-all security that Moesif offers.

The Challenge of HIPAA Security

Since pVerify is all about determining patient eligibility for a medical service, much of their API data they deal with is super personal, such as DoB, medical condition, insurance plan specifics, etc. So when looking at technology partners, whether it’s in analytics or other SaaS vendors, a key requirement for pVerify is strong data security and access control.

Since the majority of SaaS vendors are designed as a multi-tenant solution, a healthcare company pVerify would be exposed to additional compliance risk making most consumer-grade SaaS a nogo. Yet to develop and deploy an on-premises or private cloud solution, Rob projected it would take his team of four developers six months and lot’s of time spent tweaking the data infrastructure. He’d rather purchase a turnkey existing analytics platform and have his devs build features that customers want to pay for.

Feature-Rich API Analytics for Healthcare Apps

Sharing Key Metrics In Embedded Dashboards Keeps Customers Happy

Once pVerify was able to analyze their date; see who was sending it, how much was sent, where it was coming from and what errors occurred; they shared it with their customers through Moesif’s embedded dashboards.

Quickly ID and Geofence Suspicious Actor

It’s completely pointless if you cannot pass your analytics data onto your clients. Embedded dashboards solved that for us.

Rob Dejournett, CTO, COO

Seamlessly Scaling a COVID Testing Company to 120K API Calls

Customers sometimes don’t inform pVerify ahead of time that they’re going to increase their API usage, even when they plan to dramatically scale their volume by 10x or 100x. When multiple customers scale usage at the same time, instance clusters could break. What’s needed is the ability to see who’s using pVerify, when they are using them and what types of volumes are to be expected.

Recently, pVerify found that a major group was using them every morning at 5am, with enormous volume and in a very short period of time. It turned out that a COVID testing company was regularly submitting 120K requests, having gone from the 10th or 20th largest customer, to one of the biggest during the pandemic.

By identifying this customer with Moesif’s help, pVerify was able to get additional resources for them and make sure their volume could be handled. Like many API companies, three to four of pVerify’s customers represent 50% of their volume. By segregating those high-volume users to their own instance clusters, everything’s become a lot more stable.

Geolocation Identifies Fraud

Keeping a tight lid on fraud and bad actors is even more important when you’re dealing with PHI. pVerify has observed that sometimes customers have shared their login credentials, perhaps unwittingly, and someone unauthorized has used their system. Through Moesif’s geolocation capability they’re able to quickly review where users are coming from on a global basis and turn off suspicious users coming from East Asia and Eastern Europe.

Share Actionable Insights With Your Customers

Leveraging Zero-Knowledge Security

Moesif’s Secure Proxy enables pVerify to gain zero-knowledge security with on-premises client-side encryption. With secure proxy, pVerify gained the privacy benefits of an on-premises installation, without the complexity of building and scaling the data infrastructure. Because it's a stateless Docker container, scaling is simplified.

With Bring Your Own Key (BYOK), not even Moesif employees can access the data. pVerify leveraged Moesif’s plugin with AWS Key Management Service (KMS) which handles key rotation automatically.

Secure Proxy from Moesif Maintains ePHI Confidentiality

By having data encrypted through the proxy, Moesif only deals with garbled strings of text. In my weekly vendor security audits when I’m asked ‘What are you guys doing with my data’, ‘Are you sending it offsite’, ‘Who are you sharing it with’, ‘How are you protecting it’, by having a secure proxy we’re completely secure. It’s a very unique thing,

Rob Dejournett, CTO, COO

Takeaways

Building HIPAA-compliant technology is complicated. Hiring devs who understand the moving goalposts of patient confidentiality and vendor requirements can be prohibitively expensive. With Moesif’s Secure Proxy Server your PHI remains secure at all times, even during analysis.

Moesif’s API Analytics Platform identified who was using pVerify’s APIs, at what time, by how much and from where. Through this data pVerify was able to: optimize their server clusters leading to a more stable solution, geofence nefarious users, and share data with vendors solidifying their relationships.