So you’re an engineer and you think you’re burned out?

You probably are. Now what?

Here’s the usual advice: sleep more, eat better, go outside, speak to your manager, etc.

Oh okay. Easy peasy, never mind, sorry I bothered you.

Tune in next week for a fascinating analysis on the benefits of static typing in cross-functional teams working on modern polymonolithic systems.

Or we can get serious.

Sleep more? You’ve probably had days where you’re working across three time zones, and sleep is the luxury that’s first against the wall. Good luck showing ‘restfulness’ progress at your standups. To make matters worse, that slice of pizza you grabbed before turning in (because there was no time for dinner) is now bloating your stomach and disrupting the few hours you managed to get, AND LET’S NOT FORGET THE PAGERDUTY.

Eat better? By the time you’re finished with your 17th Zoom meeting of the day your facial muscles are so sore from attentive smiling that you’re not sure you can even chew. Anyway, there’s nothing in the fridge and you were cooped up all day so couldn’t get to the store. More pizza!

Go outside? Can’t. I’m on call. Need to stay near Wi-Fi. Also, pandemic or fires or bears or something.

Speak to your manager about your concerns:

Outcome A:

Manager patiently listens to your concerns before explaining why they are invalid.

Outcome B:

Luxury! Manager responds to your concerns by sharing their personal experience.

Result:

No change.

Oh well then, what’s there to do?

Lots in fact. But first we must begin with a six step engineering wellness process. A runbook, if you will. Because make no mistake, this is a production level incident.

Step 1: Take a day off. PTO, sick day, it doesn’t matter what you call it. It doesn’t matter what you do or where you go (how about the opera?), but take a day. Wednesday is good, how about Wednesday? Under no circumstances open your work laptop on this day. In fact, don’t even have it out, tuck it away in a backpack and stuff it under your laundry.

Do not progress to Step 2 until you have completed Step 1.

If you were a union worker, crunch time would be called overtime and you’d be fairly compensated. If you were an old-economy worker, crunch time would entitle you to time in lieu. But you’re not, you’re an engineer, and “SOME AMOUNT OF OVERTIME IS TO BE EXPECTED”. Fine, reasonable, it happens. But it’s a two-way street: isn’t some amount of recovery time to be expected also? We call it “Thrive Time”, but you can call it common sense (or self-respect).

Step 2: Adjust the permissions on your phone to reduce work notifications. You’ll find this setting under ‘Applications’, ‘remove’, ‘are you sure’, ‘yes’. I’m not sure why it’s called that but trust me that’s where it is.

Your telephone is a maniacal device designed to deny you mindfulness, stoke your fears and render you dependent. That said, if you choose to use one personally that’s fine, but you should definitely break the connection between personal use and work use.

Oh but you need one for on-call? No problem, get that old Nokia out of your drawer, and have PagerDuty call you. I guarantee you it will be too boring to be distracting.

Step 3: Find something to complete. If you have too many things in flight you’ll constantly feel guilty for time spent on one and not another. Allow yourself the psychological win of actually completing something. It can be small, it can be tiny, but complete one work task at least each day.

Step 4: Pick a work task not to do. Go on, there’s definitely one there that doesn’t really need doing, at least not now. Find it, politely explain to the stakeholder that this task is being deprioritised, and take it off your board. You can do it. (This does not count as completing something.)

Step 5: (stolen from Arianna) CHOOSE A STOP TIME. What time are you finishing work today? You don’t know, do you? So you keep working. Pick a time. Pretend you have tickets to the opera, Puccini, no late admissions, gotta go.

Now, not only are you regaining control over your own day, but as clock-out time approaches you’ll begin to relax with the confident certainty that the work day is over. You may even procrastinate less, since you have no reason to kill time.

Step 6: Practice saying the following words, out loud, in the mirror: “Interesting, why don’t you get back to me when you’ve got something more concrete?”. Focus on being cordial and showing genuine interest.

Step 6b: When next in a meeting about a project without clear purpose, deploy said phrase, then politely excuse yourself while examining your opera tickets and checking your watch.

Okay mitigation in place, now what about the RCA? How did this go wrong?

Sooner or later, you’ll have to admit that you dug yourself into this hole. Maybe it was with the best intentions, helping out an at-risk project, or making sure you shone the brightest when opportunity was in the air, but it was more your doing than anyone else’s.

Which means, it’s time for a little bit of everyone’s worst nightmare: self-reflection.

Let’s try just a little. Rewind your mind back three months, if you could change a few decisions you made then, what would they be? Is there still time to make them now? Is there a pattern to your behaviour that leads to this type of exhaustion? Could you get ahead of this pattern in future?

Allow me to share mine, it’s pretty simple: I get involved in too many projects because I find them all interesting and pigheadedly believe I have something valuable to contribute. Everything is going great until the time demands of each project begin to balloon simultaneously. My early work binds me to later work even though there’s no longer enough time to go around. I become stressed at constantly saying “not yet, I was working on x” until I find myself working non-stop to close out the projects.

Solution A: Be involved in fewer projects. No thank you, I’ll get bored and also I’d like to advance my career.

Solution B: Don’t become involved in multiple projects that are at the same stage of development. Have an early stage project, a mid, a booming, a legacy. Better.

You try, can you find a pattern? Can you think of a solution that you can get behind?

Daily Pragmatics

All of this is not to say that there aren’t real flaws in the way you, or your company, work that lead to experiences like this.

The easiest one to consider is your work calendar. Take a look and ask yourself “How ‘in control’ am I of this?” Are you scheduled to the hilt with sync meetings, or is there space to think? Say no to some meetings, memento mori. Block out time for the work you know you have to do; an empty calendar is an invitation for others to fill. How can you expect them to know not to?

Keep a folded-up piece of A4/Letter paper next to your keyboard, along with a pen. Use it to scribble down to-dos when you think of them and cross them out when they’re done. Not only does this help with Step 4, but because you can page that task to disk as soon as it pops up, you don’t stress yourself carrying it around in your anonymous memory. If you think you don’t need this because you have a fancy task app, then you are hopelessly misinformed.

A bonus benefit is that you might actually do one of those to-dos the next time you’re waiting on a build, rather than meander over to Hacker News.

Lastly, consider whether there’s a system, process or codebase that is a constant source of stress for you. Is there something you can do about it? Some small personal optimisation that will grant you a feeling of control? Maybe it’s email filters, or simplifying some nasty code, or adding chaos testing to take the edge off the edge cases?

You are a human, operating machines in a machine-like organisation, so it is ultimately up to you to respect your biology and your psychology. Your uptime is as much a part of good system design as anything else.

— This article was entirely written by GPT-3 —

Security by Design – The Key to Achieving HIPAA Compliance

Achieving HIPAA compliance can be complicated and costly, and it can take a long time and drain resources. At Thrive Global, we were able to achieve HIPAA compliance within 5 weeks because our Engineering Platform team applied security controls at each step in the data journey and development process to significantly reduce security gaps and vulnerabilities.

This article explains how we accomplished this from a compliance perspective.

Thrive’s Software-as-a-Service (SaaS) platform provides well-being, mental resilience and productivity solutions to its customers’ employees. Because some of our customers are considered medical service providers under HIPAA, and their users may share data on our platform related to their mental well-being, we are considered a ‘business associate’ under HIPAA law and are required to comply with HIPAA regulations. This milestone of becoming HIPAA compliant demonstrates Thrive Global’s commitment to protecting the safety and privacy of our users and their personal data. HIPAA compliance enables our partners and other HIPAA covered entities to more effectively integrate into our platform so that we can continue to help improve the health and well-being of millions of people around the world.

How to Become HIPAA Compliant in 5 weeks

Many small and medium businesses struggle to understand whether they need to be HIPAA compliant. If they do need to be compliant, they don’t always know where to start or how to get there in a cost-effective manner.

The consequences of non-compliance can be severe in terms of new customer acquisition, potential fines and damage to reputation.

Lack of understanding of HIPAA regulations and lack of resources can make achieving HIPAA compliance a daunting task. Despite facing similar challenges at Thrive Global, we were able to achieve HIPAA compliance within 5 weeks by utilizing the secure platform that our Engineering team built and by simplifying the process.

The first step is to determine whether you really need to be HIPAA compliant. If so, the next and most important step is to gain the support of your executive team. If you do not have executive support, and your engineering team does not apply the principle of “security by design”, the rest of the steps in this article will be challenging.

The following flow chart provides a high-level overview of the HIPAA compliance process.

[Flow chart image: high-level overview of the HIPAA compliance process]

What is HIPAA?

The U.S. Health Insurance Portability and Accountability Act (HIPAA) is the primary U.S. law governing the security and privacy of personal health information used by health insurance plans, medical providers, mental health professionals and their business associates.

What is protected by HIPAA?

  • HIPAA protects the sensitive health information that can identify an individual.

PHI (Protected health information) is any individually identifiable health information relating to the individual regardless of the form in which it is maintained (paper, oral, electronic format, etc.).

Types of Organizations that are regulated under HIPAA

Covered Entity

The original source of PHI that provides treatment, payment and operations in healthcare.

Business Associate

A person or entity that receives PHI from a covered entity or another business associate.

What are the HIPAA Rules?

1. Privacy Rule — PHI disclosure rules.

2. Security Rule — Standards to safeguard ePHI.

3. Breach Notification Rule — Must notify individuals & HHS within 60 days.

4. Enforcement Rule — How investigations are conducted.

5. Omnibus Rule — Closed gaps in existing HIPAA and HITECH regulations (e.g. encryption standards).

HIPAA Privacy Rule

These are safeguards and protections for the disclosure of PHI from a people standpoint, which include:

Administrative Safeguards for the protection of PHI inside of the business

  • How we disclose/share data
  • How we educate new hires/contractors
  • How we store/retain PHI
  • How we handle breaches of data

The key to success in implementing this rule is to create the privacy policy and standards and to conduct company-wide training.

HIPAA Security Rule

This is the rule for the protection of PHI from an electronic standpoint, which includes:

Administrative, physical and technical safeguards for the protection of ePHI data processed and stored within the business infrastructure.

  • Ensure Confidentiality, Integrity and Availability of PHI
  • Protect data against physical disasters (fire, flood, etc.)
  • Protect data against unauthorized access

The key to successfully implementing this rule with minimal resources and costs is:

  1. Identify your champion from the Engineering group (Infrastructure/Platform and backend) and partner with them.
  2. Ensure the following security safeguards are in place:

Administrative – Policies and procedures on how to comply with the security rule, such as:

  • Security Management Process
  • Assigned Security Responsibility
  • Workforce Security
  • Access Management
  • Security Awareness and Training
  • Security Incident Response Plan
  • Contingency Plan
  • Audit & Risk Assessment

Physical – The protection against unauthorized access, such as:

  • Door locks
  • Employee badges
  • Surveillance camera
  • Locked cabinets for records with PHI
  • Fireproof storage for records with PHI
  • Computer servers in locked rooms
  • Data backup stored offsite
  • Screensavers / screen locks

Technical – The protection of access and transmission of PHI, such as:

  • Access Control: Implement procedures that grant users only the permissions necessary to do their jobs, together with logging and encryption.
  • Audit Controls: The detection of possible breaches; audit controls and trails to investigate file access and alterations.
  • Authentication Policy: Have policies and procedures in place to ensure that users accessing ePHI systems are the authorized users they say they are.
  • Data Integrity: Ensure ePHI is secured against “improper alteration or destruction”, and prevent unauthorized personnel from accessing the confidential information and making unauthorized changes.
  • Transmission Security: Implement technical security measures that protect ePHI in transit and at rest and ensure its integrity after transmission.

HIPAA Breach Notification Rule

Investigate, Mitigate, Document, Notify

A Data Breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

  • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the protected health information or to whom the disclosure was made;
  • Whether the protected health information was actually acquired or viewed; and
  • The extent to which the risk to the protected health information has been mitigated.

If < 500 records:

  • Notify the impacted individuals and/or entities that a breach has occurred.
  • If there are >= 10 individuals that cannot be reached, it is required to either post the breach on the website for at least 90 days or post on a major media outlet.
  • Notifications to individuals must be completed ASAP but not to exceed 60 days.

If > 500 Records:

  • Must notify the media.
  • Must complete the media notifications ASAP but not to exceed 60 days.
  • Must notify the U.S. Department of Health & Human Services (HHS) no more than 60 days after the breach occurs.

Process for Becoming HIPAA Compliant

Understanding the HIPAA requirements and knowing what to do about them are two different things. The flow chart shows a list of the actual actions you will need to take to reach a state of compliance.

Access Control

For the production environment (Network, DB, OS, Apps, DevOps, Developers, DBAs, SysAdmin) and Enterprise IT

  • Privileged Access
    • Users and Admin listings with roles and permissions
  • Authentication
    • Password or authentication setting
    • Account lockout settings
  • Access Management
    • Policies and Procedures
      • Access Control
      • Information Security
      • Hiring and termination
      • Authentication

Availability

  • Data Backup
    • Offsite backup contract and invoices
    • Backup policies and procedures
    • Backup configuration and restoration test
  • BCP/DR – Contingency plan policies and procedures
  • Asset Management – Inventory list of all systems

Data and Change Management

  • Software Development – File integrity monitoring (FIM) configurations
  • Data Retention, Handling and Disposal
    • List of all data disposals
    • Data disposal vendor’s contract
    • Data Retention and Disposal policies and procedures
    • Media inventory
  • Data Classification
  • Removable media configurations

Monitoring & Incidents

  • Incidents
    • Notification, Response, and Resolution
    • List of data breach
    • Incident Response Plan
    • Breach Handling and Notification policies and procedures
  • Logging
    • Audit log settings for the Production environment
    • Access logs
    • Security logging policies and procedures

Management

  • Resources
  • HR
    • Employee manual/handbook and code of conduct
    • List of employees (new hire, terminated, current, transferred)
  • Disciplinary/Sanctions Policy and Procedure
  • Workforce HR Policy & Procedures and Training

Risk Management

  • Risk Assessment and Audit
    • Risk assessment policies and procedures
    • Conduct annual risk assessment
  • Vulnerability Management
    • Monthly scan
    • Annual penetration testing

Systems Operations

  • Encryption
    • Encryption configurations for data in transit and at rest
    • Encryption policies and procedures
  • Firewall
    • Network diagrams
    • Firewall/Router configuration policies and procedure
    • DMZ configurations
    • NAT
    • FW ruleset configuration
  • Malware Detection
    • Anti-virus policies and procedures
    • Configuration settings
    • IDS/IPS configurations
  • Mobile Device Management
    • Inventory list of all mobile devices
    • List of all employee-owned mobile devices

Summary Tasks

  • Implement privacy and security policies, procedures and standards that are mapped to HIPAA.
  • Designate a security and privacy officer and committee.
  • Implement technical controls for encryption, data backup, retention, handling and disposal.
  • Grant the minimum necessary access to PHI and disclosure.
  • Conduct effective security and HIPAA training.
  • Conduct internal auditing & risk assessment.
  • Enforce standards through disciplinary guidelines.
  • Implement logging and proactive monitoring.
  • Implement change management and mature incident response process.

The largest obstacle in achieving compliance is the implementation of technical security controls (step 3 above). If security controls have not been built into your environment, this step alone can take 6 months to 1 year to complete. Our ability to achieve compliance in 5 weeks was largely due to the fact that our engineering team had adopted a ‘security by design’ approach, and had built security controls directly into the platform.

Disclaimer

This article shares a simplified method for becoming HIPAA compliant that was successful for Thrive Global. The information shared in this article does not qualify as legal advice, and the author does not guarantee that following these steps will result in successful HIPAA compliance. Please consult with your company’s compliance, privacy, and legal teams.

By Hanna Sicker – Director of Security and Compliance at Thrive Global

Welcome to the Thrive Global Engineering Blog!

So many of us on the engineering team joined Thrive because of its great mission and potential to help improve the lives of so many around the world. We’re a behavior change tech and SaaS company and through our platform we’ve brought together science, AI and storytelling to crack the challenge of changing human behavior to help people be healthier, more resilient and more productive.

This is our very first post and we’re excited to be launching. This blog is written by and for engineers. We wanted to create a space where we can share our experiences and insights on the latest technologies we are using, the systems we are building and the patterns that we are applying.

Thanks for reading!

Timur Lesov, Head of Engineering

Hugh O’Brien, Head of Infrastructure & Engineering Operations