Giving Back With All You’ve Got


Compounding Your Wins

Volunteering your time is a powerful way to connect with your community. The great thing is that it can also be a great way to grow your professional network and promote your business at the same time.

While we all understand that giving back to your community has benefits, it’s also difficult to make time for giving in your work life. One effective way to make room for giving back is to use the skills which you already have. Giving back this way will allow you to leverage your existing skill set and compound the effects of your time.

There are a few ways in which Thrive Global Engineering is using our existing skill sets to give back to the community.

At Thrive Global we are working to use the skills that we already have as software developers to give back to a group that has not always had access to the resources to learn about digital marketing for small businesses.

How We Give Back at Thrive Global

Gratitude

Gratitude is a simple place to start thinking about how you should give. What people and organizations have helped you get to where you are today? What skills are you grateful to have learned? And which skills have made the most impact on your life?

Taking stock of those skills would be a great place to start thinking about how your skills could have a positive impact on others. 

Reflect On Your Company’s Mission

All organizations develop core mission statements as a way to broadcast to everyone in the organization what your north star is, and what direction you all should be pulling in. One way to compound your time would be to take your company’s mission statement and apply it to giving.

Staying Close to Our Mission

Our entire organization at Thrive Global holds diversity, empathy, and direct communication as core values. 

Part of the mission of diversity is to make sure that we are doing everything we can to empower those groups who may not have had access to the tools which are driving our technology forward.  

We view giving back as not just a way to throw energy back into the system as gratitude but also as a way to put energy back into the system which will help grow the skills of those people who can help propel our mission forward.

Make Giving Less Overwhelming

Put It In Perspective 

How do you find time to give back when you’re working so hard to move your company forward?

Trying to find a way to give back to your community can feel overwhelming. It’s often difficult to find a venue where your skills can help others. It’s hard to find the time to track down volunteering opportunities, and doing the work itself is a challenge to fit in.

Leverage the Work You’ve Already Put In

One key to finding time to give back is to leverage the skills which you already have.

In his book “Rework”, Basecamp founder and CEO Jason Fried makes the great point that one key to startup success is to compound your wins by turning the by-products of your work into products in themselves.

He was looking at things from a commercial point of view but the basic idea can also be applied to volunteering. Use the skills that you already have to compound the effects of your time. 

Reach Out

At Thrive Global we use a volunteering platform to take some of the effort and cognitive load off of giving back.

Goodera provides a platform for connecting those who have technical skills with those who need them. 

To find a volunteering opportunity which would be a good fit for our team, I scrolled through the list of options in the app and found a group called blackconnect.com. This group helps people who are looking to build their digital marketing skills match with people who have those skills. Bingo.

This is a great chance for us to give back. So, we got in contact and we’re starting to work together.

Figuring Out What You’ve Got

Assessing Your Skill Set 

Figuring out which of your skills would be the best way to give back depends somewhat on your field and your position, but the simple answer is that you can leverage pretty much anything you have expertise in.

The ways that you can give back might surprise you.

As members of the Tech community we get lost in our social media echo chambers and start to believe that if we’re not working on quantum computing then we don’t have much to give. But there are so many people out there who still do not have access to knowledge about some of the simpler ways that the internet can help them organize and promote their businesses. 

Finding Your Giving Opportunity

Should you start developing a website for a local small business owner? Design some product packaging for a florist in your town? Give a class on how to rank on Google in 2021?

Any of these would be great ways to give back and the more creative you can get with leveraging your skillset, the more you will find that you are compounding your time.

How We’re Giving Next

Taking Stock

One facet of leveraging your skillset is to periodically take stock of the effect that your work is having on your communities. Are there ways that you could be giving back better? Are there ways in which you think you are making an impact but in reality you’re just reworking well-explored paths that you or others have already taken?

Once you have a few experiences in volunteering with your skillset, take a moment to reflect and consider ways in which you could have an even deeper impact. 

Finding More Diverse Ways to Give Back

One thing that we are trying to do at Thrive Global is to find more diverse ways that we can give back. How can we leverage our skill sets even further to help out those who might benefit in ways which we aren’t even considering?

How can we take our assumptions about who might benefit from the knowledge that we have and turn them on their head?

Maybe we could work with youth sports programs to show them how we use 20% time to practice our skills? Maybe we could work with writing workshops to show them how we use version control as an editing workflow? There are tons of opportunities to reach out to “non-technical” communities.

Accelerate Your Network

These are a few of the ways that our team is working on giving back as we grow as an engineering team within a high growth organization.

The next post in this series will be a more specific post on how we are working with our volunteering partner Goodera and BlackConnect to create specific educational digital marketing content to help small business owners. 

Interested in learning more about how your engineering team can find volunteering opportunities? Or interested in how you can join our engineering team at Thrive Global?

Reach out to [email protected] and we’ll start a conversation. 

So you’re an engineer and you think you’re burned out?

You probably are. Now what?

Here’s the usual advice: sleep more, eat better, go outside, speak to your manager, etc.

Oh okay. Easy peasy, never mind, sorry I bothered you.

Tune in next week for a fascinating analysis on the benefits of static typing in cross functional teams working on modern polymonolithic systems.

Or we can get serious.

Sleep more? You’ve probably had days where you’re working three time zones, and sleep is the luxury that’s first against the wall. Good luck showing ‘restfulness’ progress at your standups. To make matters worse, that slice of pizza you grabbed before turning in (because there was no time for dinner) is now bloating your stomach and disrupting the few hours you managed to get, AND LET’S NOT FORGET THE PAGERDUTY.

Eat better? By the time you’re finished with your 17th zoom meeting of the day your facial muscles are so sore from attentive smiling that you’re not sure you can even chew. Anyway, there’s nothing in the fridge and you were cooped up all day so couldn’t get to the store. More Pizza!

Go outside? Can’t. I’m on call. Need to stay near Wi-Fi. Also, pandemic or fires or bears or something. 

Speak to your manager about your concerns:

Outcome A:

Manager patiently listens to your concerns before explaining why they are invalid.

Outcome B:

Luxury! Manager responds to your concerns by sharing their personal experience.

Result:

No change.

Oh well then, what’s there to do?

Lots, in fact. But first we must begin with a six-step engineering wellness process. A runbook, if you will. Because make no mistake, this is a production-level incident.

Step 1: Take a day off. PTO, sick day, it doesn’t matter what you call it. It doesn’t matter what you do or where you go (how about the opera?), but take a day. Wednesday is good, how about Wednesday? Under no circumstances open your work laptop on this day. In fact, don’t even have it out, tuck it away in a backpack and stuff it under your laundry.

Do not progress to Step 2 until you have completed Step 1.

If you were a union worker, crunchtime would be called overtime and you’d be fairly compensated. If you were an old-economy worker, crunchtime would entitle you to time in lieu, but you’re not, you’re an engineer, and “SOME AMOUNT OF OVERTIME IS TO BE EXPECTED”. Fine, reasonable, it happens. But it’s a two-way street: isn’t some amount of recovery time to be expected also? We call it “Thrive Time”, but you can call it common sense (or self-respect).

Step 2: Adjust the permissions on your phone to reduce work notifications. You’ll find this setting under ‘Applications’, ‘remove’, ‘are you sure’, ‘yes’. I’m not sure why it’s called that but trust me that’s where it is. 

Your telephone is a maniacal device designed to deny you mindfulness, stoke your fears and render you dependent. That said, if you choose to use one personally that’s fine, but you should definitely break the connection between personal use and work use.

Oh but you need one for on-call? No problem, get that old Nokia out of your drawer, and have PagerDuty call you. I guarantee you it will be too boring to be distracting.

Step 3: Find something to complete. If you have too many things in flight you’ll constantly feel guilty for time spent on one and not another. Allow yourself the psychological win of actually completing something. It can be small, it can be tiny, but complete one work task at least each day.

Step 4: Pick a work task not to do. Go on, there’s definitely one there that doesn’t really need doing, at least not now. Find it, politely explain to the stakeholder that this task is being deprioritised, and take it off your board. You can do it. (This does not count as completing something.)

Step 5: (stolen from Arianna) CHOOSE A STOP TIME. What time are you finishing work today? You don’t know, do you? So you keep working. Pick a time. Pretend you have tickets to the opera, Puccini, no late admissions, gotta go.

Now, not only are you regaining control over your own day, but as clock-out time approaches you’ll begin to relax with the confident certainty that the work day is over. You may even procrastinate less, since you have no reason to kill time.

Step 6: Practice saying the following words, out loud, in the mirror: “Interesting, why don’t you get back to me when you’ve got something more concrete?”. Focus on being cordial and showing genuine interest.

Step 6b: When next in a meeting about a project without clear purpose, deploy said phrase, then politely excuse yourself while examining your opera tickets and checking your watch.

Okay, mitigation in place, now what about the RCA? How did this go wrong?

Sooner or later, you’ll have to admit that you dug yourself into this hole. Maybe it was with the best intentions, helping out an at-risk project, or making sure you shone the brightest when opportunity was in the air, but it was more your doing than anyone else’s.

Which means, it’s time for a little bit of everyone’s worst nightmare: self-reflection.

Let’s try just a little. Rewind your mind back three months: if you could change a few decisions you made then, what would they be? Is there still time to make them now? Is there a pattern to your behaviour that leads to this type of exhaustion? Could you get ahead of this pattern in future?

Allow me to share mine; it’s pretty simple: I get involved in too many projects because I find them all interesting and pigheadedly believe I have something valuable to contribute. Everything is going great until the time demands of each project begin to balloon simultaneously. My early work binds me to later work even though there’s no longer enough time to go around. I become stressed at constantly saying “not yet, I was working on x” until I find myself working non-stop to close out the projects.

Solution A: Be involved in fewer projects. No thank you, I’ll get bored and also I’d like to advance my career.

Solution B: Don’t become involved in multiple projects that are at the same stage of development. Have an early stage project, a mid, a booming, a legacy. Better.

You try, can you find a pattern? Can you think of a solution that you can get behind? 

Daily Pragmatics

All of this is not to say that there aren’t real flaws in the way you, or your company, work that lead to experiences like this.

The easiest one to consider is your work calendar. Take a look and ask yourself “How ‘in-control’ am I of this?” Are you scheduled to the hilt with sync meetings or is there space to think? Say no to some meetings, memento mori. Block out your time for the work you know you have to do; an empty calendar is an invitation for others to fill. How can you expect them to know not to?

Keep a folded up piece of A4/Letter paper next to your keyboard, along with a pen. Use it to scribble down todos when you think of them and cross them out when they’re done. Not only does this help with Step 4, but because you can page that task to disk as soon as it pops up you don’t stress yourself carrying it around in your anonymous memory. If you think you don’t need this because you have a fancy task app then you are hopelessly misinformed.

A bonus benefit is that you might actually do one of those TODOs the next time you’re waiting on a build, rather than meander to Hacker News.

Lastly, consider if there’s a system or process or codebase that is a constant source of stress for you, is there something you can do about it? Some small personal optimisation that will grant you a feeling of control? Maybe it’s email filters, or simplifying some nasty code, or adding chaos testing to take the edge off of edge cases?

You are a human, operating machines in a machine-like organisation, so it is ultimately up to you to respect your biology, your psychology. Your uptime is as much a part of good system design as anything else.

— This article was entirely written by GPT-3 —

Security by Design – The Key to Achieving HIPAA Compliance

Achieving HIPAA compliance can be complicated and costly, and it can take a long time and drain resources. At Thrive Global, we were able to achieve HIPAA compliance within 5 weeks because our Engineering Platform team applied security controls at each step in the data journey and development process to significantly reduce security gaps and vulnerabilities.

This article explains how we accomplished this from a compliance perspective.

Thrive’s Software-as-a-Service (SaaS) platform provides well-being, mental resilience and productivity solutions to its customers’ employees. Because some of our customers are considered medical service providers under HIPAA, and their users may share data on our platform related to their mental well-being, we are considered a ‘business associate’ under HIPAA law and are required to comply with HIPAA regulations. This milestone of becoming HIPAA compliant demonstrates Thrive Global’s commitment to protecting the safety and privacy of our users and their personal data. HIPAA compliance enables our partners and other HIPAA covered entities to more effectively integrate into our platform so that we can continue to help improve the health and well-being of millions of people around the world.

How to Become HIPAA Compliant in 5 weeks

Many small and medium businesses struggle with understanding whether they need to be HIPAA compliant. If they do need to be compliant, they don’t always know where to start or how to become so in a cost-effective manner.

The consequences of non-compliance can be severe in terms of new customer acquisition, potential fines and damage to reputation.

Lack of understanding of HIPAA regulations and lack of resources can make achieving HIPAA compliance a daunting task. Despite facing similar challenges at Thrive Global, we were able to achieve HIPAA compliance within 5 weeks by utilizing the secure platform that our Engineering team built and by simplifying the process.

The first step is to determine if you really need to be HIPAA compliant. If so, the next and most important step is to gain the support of your executive team. If you do not have executive support, and your engineering team does not apply the principle of “security by design”, the rest of the steps in this article will be challenging.

The following flow chart provides a high-level overview of the HIPAA compliance process.


What is HIPAA?

The U.S. Health Insurance Portability and Accountability Act (HIPAA) is the primary U.S. law governing the security and privacy of personal health information used by health insurance plans, medical providers, mental health professionals and their business associates.

What is protected by HIPAA?

  • HIPAA protects the sensitive health information that can identify an individual. 

PHI (Protected health information) is any individually identifiable health information relating to the individual regardless of the form in which it is maintained (paper, oral, electronic format, etc.).

Types of Organizations that are regulated under HIPAA

Covered Entity

The original source of PHI that provides treatment, payment and operations in healthcare.

Business Associate

A person or entity that receives PHI from a covered entity or another business associate.

What are the HIPAA Rules?

1. Privacy Rule — PHI disclosure rules. 

2. Security Rules — Standards to safeguard ePHI 

3. Breach Notification Rule — Must notify individuals & HHS within 60 days.

4. Enforcement Rule — How investigations are conducted. 

5. Omnibus Rule — It closed gaps in existing HIPAA and HITECH regulations. (Ex. Encryption Standards) 

HIPAA Privacy Rule 

These are safeguards and protections for the disclosure of PHI from a people standpoint, which include:

Administrative Safeguards for the protection of PHI inside of the business

  • How we disclose/share data
  • How we educate new hires/contractors
  • How we store/retain PHI
  • How we handle breaches of data

The key to success in implementing this rule is to create the privacy policy and standards and to conduct company-wide training.

HIPAA Security Rule

This is the rule for the protection of PHI from an electronic standpoint which includes: 

Administrative, physical and technical safeguards for the protection of ePHI data processed and stored within the business infrastructure.

  • Ensure Confidentiality, Integrity and Availability of PHI
  • Protect data against physical disasters (fire, flood, etc.)
  • Protect data against unauthorized access

The key to successfully implementing this rule with minimal resources and costs is:

  1. Identify your champion from the Engineering group (Infrastructure/Platform and backend) and partner with them.
  2. Ensure the following security safeguards are in place:

Administrative – Policies and procedures on how to comply with the security rule, such as:

  • Security Management Process
  • Assigned Security Responsibility
  • Workforce Security
  • Access Management
  • Security Awareness and Training
  • Security Incident Response Plan
  • Contingency Plan
  • Audit & Risk Assessment

Physical – The protection against unauthorized access, such as:

  • Door locks
  • Employee badges
  • Surveillance camera
  • Locked cabinets for records with PHI
  • Fireproof storage for records with PHI
  • Computer servers in locked rooms
  • Data backup stored offsite
  • Screensavers / screen locks

Technical – The protection of access and transmission of PHI, such as:

  • Access Control: Implement procedures that grant users only the permissions necessary to do their jobs, together with logging and encryption.
  • Audit Controls: The detection of possible breaches, audit controls and trails to investigate file access and alterations.
  • Authentication Policy: Have policies and procedures in place to ensure that users accessing ePHI systems are the authorized users they say they are.
  • Data Integrity: Ensure ePHI is secured against “improper alteration or destruction,” and prevent unauthorized personnel from accessing the confidential information and making unauthorized changes.
  • Transmission Security: Implement technical security measures that protect ePHI in transit and at rest and ensure integrity after transmission.

HIPAA Breach Notification Rule 

Investigate, Mitigate, Document, Notify 

A Data Breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

  • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the protected health information or to whom the disclosure was made;
  • Whether the protected health information was actually acquired or viewed; and
  • The extent to which the risk to the protected health information has been mitigated.

If < 500 records:

  • Notify the impacted individuals and/or entities that a breach has occurred.
  • If there are >= 10 individuals that cannot be reached, it is required to either post the breach on the website for at least 90 days or post on a major media outlet.
  • Notifications to individuals must be completed ASAP but not to exceed 60 days.

If > 500 records:

  • Must notify the media.
  • Must complete the media notifications ASAP but not to exceed 60 days.
  • Must notify the U.S. Department of Health & Human Services (HHS) no more than 60 days after the breach occurs.

Process for Becoming HIPAA Compliant

Understanding the HIPAA requirements and knowing what to do about them are two different things. The flow chart shows a list of the actual actions you will need to take to reach a state of compliance. 

Access Control 

For the production environment (Network, DB, OS, Apps, DevOps, Developers, DBAs, SysAdmin) and Enterprise IT

  • Privileged Access 
    • Users and Admin listings with roles and permissions 
  • Authentication
    • Password or authentication setting
    • Account lockout settings 
  • Access Management
    • Policies and Procedures
      • Access Control
      • Information Security
      • Hiring and termination
      • Authentication

Availability

  • Data Backup
    • Offsite backup contract and invoices
    • Backup policies and procedures
    • Backup configuration and restoration test
  • BCP/DR – Contingency plan policies and procedures
  • Asset Management – Inventory list of all systems

Data and Change Management

  • Software Development – File integrity monitoring (FIM) configurations
  • Data Retention, Handling and Disposal
    • List of all data disposals
    • Data disposal vendor’s contract
    • Data Retention and Disposal policies and procedures
    • Media inventory
  • Data Classification
  • Removable media configurations

Monitoring & Incidents

  • Incidents
    • Notification, Response, and Resolution
    • List of data breaches
    • Incident Response Plan
    • Breach Handling and Notification policies and procedures
  • Logging
    • Audit log settings for the Production environment
    • Access logs
    • Security logging policies and procedures

Management 

  • Resources
  • HR
    • Employee manual/handbook and code of conduct
    • List of employees (new hire, terminated, current, transferred)
  • Disciplinary/Sanctions Policy and Procedure
  • Workforce HR Policy & Procedures and Training

Risk Management

  • Risk Assessment and Audit
    • Risk assessment policies and procedures
    • Conduct annual risk assessment
  • Vulnerability Management 
    • Monthly scan
    • Annual penetration testing

Systems Operations

  • Encryption
    • Encryption configurations for data in transit and at rest
    • Encryption policies and procedures
  • Firewall
    • Network diagrams
    • Firewall/Router configuration policies and procedure
    • DMZ configurations
    • NAT
    • FW ruleset configuration
  • Malware Detection
    • Anti-virus policies and procedures
    • Configuration settings 
    • IDS/IPS configurations
  • Mobile Device Management
    • Inventory list of all mobile devices
    • List of all employee-owned mobile devices

Summary Tasks

  • Implement privacy and security policies, procedures and standards that are mapped to HIPAA.
  • Designate a security and privacy officer and committee.
  • Implement technical controls for encryption, data backup, retention, handling and disposal.
  • Grant the minimum necessary access to, and disclosure of, PHI.
  • Conduct effective security and HIPAA training.
  • Conduct internal auditing & risk assessment.
  • Enforce standards through disciplinary guidelines.
  • Implement logging and proactive monitoring.
  • Implement change management and mature incident response process.

The largest obstacle in achieving compliance is the implementation of technical security controls (step 3 above). If security controls have not been built into your environment, this step alone can take 6 months to 1 year to complete. Our ability to achieve compliance in 5 weeks was largely due to the fact that our engineering team had adopted a ‘security by design’ approach, and had built security controls directly into the platform.

Disclaimer

This article shares a simplified method for becoming HIPAA compliant that was successful for Thrive Global. The information shared in this article does not qualify as legal advice, and the author does not guarantee that following these steps will result in successful HIPAA compliance. Please consult with your company’s compliance, privacy, and legal teams. 

By Hanna Sicker – Director of Security and Compliance at Thrive Global

Welcome to the Thrive Global Engineering Blog!

So many of us on the engineering team joined Thrive because of its great mission and potential to help improve the lives of so many around the world. We’re a behavior change tech and SaaS company and through our platform we’ve brought together science, AI and storytelling to crack the challenge of changing human behavior to help people be healthier, more resilient and more productive.

This is our very first post and we’re excited to be launching. This blog is written by and for engineers. We wanted to create a space where we can share our experiences and insights on the latest technologies we are using, the systems we are building and the patterns that we are applying.

Thanks for reading!

Timur Lesov, Head of Engineering

Hugh O’Brien, Head of Infrastructure & Engineering Operations