A better way to see a doctor
Heal is founded on the premise that healthcare should be more patient-friendly. The company develops the On Call application to facilitate its on-demand service, sending doctors to people’s homes within two hours.
A mobile, HIPAA-compliant customer app
To comply with HIPAA in its mobile, 100% cloud environment, identity management is critical. Rather than build authorization for On Call themselves, the company uses Stormpath APIs. When Stormpath and Okta unite, transition to Okta is seamless.
Unified identity across the network
With a single identity partner for partners, customers, and devices, connecting patients and providers through mobile devices becomes efficient and secure. The result: Radically improved healthcare for thousands of patients in a growing number of markets.
100% cloud solution for employee SSO
After dealing with manual account provisioning and deprovisioning for internal cloud applications, Heal deploys Okta Single Sign-on and Lifecycle Management to unify and automate account access.
Partner for a mobile future
Heal expands its reach through enterprise partners, providing healthcare services for Google employees in L.A. With Okta leading the way as new platforms and authentication and authorization methods develop, Heal can focus on growing its business.
Because we are able to seamlessly connect our patients and providers, doctors don’t have to fumble through 50,000 things to figure out what your chart looks like. It’s sitting on their iPad, securely inside a provider tool. All they are doing when they are in your home is providing care.Rish Tandon, CTO, Heal
A better way to see a doctor
Sometimes industry innovation and disruption is a little about technology, and a lot about plain old common sense. Sometimes, even, changing an industry in a radical way has to do with going back to a simpler age, when people connected on a more basic, human level, without the layers of bureaucracy and technology that exist today.
For Heal, that is certainly the case. The company was started in 2014 by a doctor-technology entrepreneur couple in Los Angeles, who decided there had to be a better way for young families to deal with healthcare emergencies. After a particularly frustrating trip to the emergency room with their son, they decided to create a new kind of healthcare company.
“Heal is essentially an on-demand service where we send doctors to people’s homes,” says Rish Tandon, the company’s CTO. “You can get primary care in the comfort of your home within two hours, at the same rate that you would get it at a doctor’s office.”
To enable this patient-focused care, the Heal team developed a mobile platform they dubbed “On Call,” which connects patients and doctors, and helps patients avoid emergency rooms and long wait times. The company also adopted best-of-breed tools for medical providers to view and record patient records, keep track of supplies, and deal with paperwork.
As a result of this combination of cutting-edge technology and personalized care, Heal doctors spend, on average, 24 minutes with patients, compared to five or ten minutes in a clinic. “When our doctors walk in, they already have access to all of your prior healthcare information,” says Tandon. “It’s sitting on their iPad, securely inside a provider tool. They don’t have to make you sign multiple forms or ask you for consent. All they are doing when they are in your home is providing care.”
Forming long-term relationships with patients is key to the Heal mission, and they do it by making the experience personal, as well as completely seamless. “It’s 100% digital,” says Tandon. “No paper forms to sign. Everything is done through the app and through the mobile web or through your desktop’s app, at the tips of your fingers.”
The strategy is working. From starting with a few house calls in 2015, the company has grown to serve multiple markets, as well as enterprise partners, such as Google. “We’ve done more than 40,000 house calls to date, for more than 30,000 patients,” says Tandon.
The lack of walls, both for doctors’ offices and for on-prem technology infrastructure, saves millions of dollars, he says, “to the extent that, for some of our partners, if you use a Heal doctor there is no co-pay.” Doctors carry everything they need in their cars, including medical kits and refrigerators storing flu vaccines. Those mobile clinics are so connected that providers can see the temperature of vaccines in real time.
HIPAA-compliant identity needs
From a records and data privacy standpoint, healthcare is increasingly complicated. “It goes way beyond securing personal identifying information,” says Tandon. “We have to ensure that, when it comes to our patients, their records are completely safe. Identity plays a very important role in that.”
“There are two or three key principles that we have used to build our technology stack,” he says. Core IT systems, such as the On Call app, are part of Heal’s reason d’être. Its IT staff builds them from the ground up.
“Then, there are areas where we think open-source serves as well,” says Tandon. Messaging and real-time conferencing between patients and providers fall into this category.
“But then, there are certain key areas where we know that we not only require the technical expertise, but we need our partners to go way beyond that,” he says. Identity falls into this last category. “You have to do multi-factor authentication. You have to integrate with a lot of different partners. You have to curb fraud. We wanted a very strong partner to help us with all of these areas.
From Stormpath to Okta: A smooth transition
Initially, when the team built On Call, they used an in-house identity solution. “We very quickly realized that we would not be able to keep up with the needs we had in terms of securing patients’ identities, and also be able to do things like single sign-on with partners,” says Tandon.
After evaluating their options, the team built the app using Stormpath APIs. Then, in 2017, Stormpath and Okta joined forces. “We had a good outcome with Stormpath,” says Tandon, “and in our tests, we saw that we were getting the same outcomes with Okta. It didn’t make any sense for us to go to a different provider.”
The team worked closely with Okta to export data from the Stormpath database into the Okta environment. “We were able to recreate every single role that we had in the Stormpath realm, inside the Okta realm,” he says. “It was one of the most seamless vendor transitions I have ever seen.”
In about two weeks, the team moved all their account data into Okta to manage user registration, sign-on, and forgotten passwords. Okta protects the APIs that connect On Call to Heal partners as well, managing delegated authorization and access for them.
Because the Stormpath SDK had been updated to talk to the Okta realm, few manual changes were required. Heal apps could talk to Stormpath, just as they had before. “Over time, because we wanted the latest features of the Okta platform, we have purposefully transitioned ourselves to call the Okta APIs directly,” says Tandon.
Tandon is a big fan of Okta’s Customer First Team. “We had the best developer support that I would ever imagine,” he says, “to the extent that there was one small area where we were stuck, and we had an Okta developer help us out, who could validate decisions with us.”
Back to the beginning: Employee single sign-on
Since the transition, Tandon’s team has had “zero production issues,” he says. That’s a pretty big deal.” Tandon then expanded on Heal’s success with Okta to improve the employee access experience with the Okta Integration Network and Single Sign-On.
“Until about eight months back, identity at Heal for internal corporate employees was super frustrating,” says Tandon. “Everybody had to remember different passwords for each of the tools they used, such as Zendesk, G-Suite, and RingCentral. If somebody was to come in or leave, provisioning their identity was a pretty daunting task. Somebody had to manually turn off access into each of the individual systems.” For a growing company with many contractors, that was a problem.
“It made sense for us to go with a provider that allowed us to unify all of those things,” says Tandon. In their second year of operation, after evaluating identity providers with many connected apps, Heal IT deployed Okta Single Sign-On, Universal Directory and Lifecycle Management.
Unified identity management across the network
Today, Heal has a single identity partner for employees, partners, customers, and devices. To help secure patient health information, the company created two completely separate realms in Okta's Universal Directory--one for identities with authorized access to HIPAA data, and one for those without that authorization.
At the same time, says Tandon, “we were able to build federation through Okta tools, so that one realm could authenticate for the other one.” That unified approach helps the company ensure strong authentication across all of its services, throughout its extended network.
Heal doctors offer an example of how identity management works across the company now: The On Call app is their hub, and identities for that application are hosted in Heal’s HIPAA-compliant Okta cell. Doctors also carry an iPad with other third-party apps on it, which they use to take notes or look up information. “As much as possible, we use the same identity to log in to those other apps,” says Tandon. “We encourage our partners to provide us with a SAML integration whenever possible, so that our doctors don’t have to switch between multiple identities. It saves time, it’s super-efficient, and it’s secure.”
Because we are able to seamlessly connect our patients and providers, doctors don’t have to fumble through 50,000 things to figure out what your chart looks like, or what has been done to you before.
“Because we are able to seamlessly connect our patients and providers, doctors don’t have to fumble through 50,000 things to figure out what your chart looks like, or what has been done to you before,” says Tandon. “It doesn’t matter which doctor sees you. They always have access to the same information.”
As members of the non-HIPAA-authorized UD realm, Heal administrators have nothing to do with patient information—a bonus which has both operational efficiency and privacy implications. “Okta helps us be HIPAA compliant … largely because we don’t have to go in and manage and maintain the identity of our customers,” says Tandon. “We trust Okta to do it.” With Okta managing identity, IT can focus on what it does best—matching patients and doctors.
Backed by secure, mobile technology
Today, Heal provides healthcare services for all of Google’s employees in L.A., and is in talks with other enterprise partners to expand that part of the business. “Okta has definitely helped us grow,” says Tandon. He feels confident, walking into meetings with a potential enterprise partner knowing Heal can integrate seamlessly with their existing healthcare systems and provide a better patient experience for employees. “We know that the technology backing us is great enough that it will just work,” he says.
What gives him the confidence that mobile doctors carrying patient health information around on iPads is a safe, secure strategy? If an iPad is lost in the field, the team can wipe it using their mobility management technology, Air Watch. And for additional security, by having a single identity, Okta allows IT to immediately remove access to every app from a remote location. “That goes a long way in allowing us to stay compliant,” says Tandon.
Tandon’s team uses Lifecycle Management to automate account provisioning and deprovisioning, which helps take human error and time delays out of the equation. Within Universal Directory, Heal administrators can clearly define employee and partner roles and access, and apply those across the company’s application network automatically. When someone leaves the company, their access is revoked in one step.
Okta’s Java SDK allows Heal to offer the same security to customer devices as it does to the company’s iPads. “We want our customers to be able to seamlessly log in to the app. We also want them to retain that login for a period of time, so they don’t have to re-authenticate themselves over and over,” he says. At the same time, “if their phone is lost, we want to take away that access so that nobody can access their personal records. We use Okta’s mobile SDKs to enable those scenarios.
Partner for a platform-agnostic future
The Okta interface also allows the Heal team to completely customize their work, so that On Call is a consistent, Heal-branded experience from login to sign-off. “Nobody knows that we are leveraging Okta underneath,” says Tandon.
“It’s becoming more and more evident that our customers access us through our mobile platform a lot more than through the desktop,” he says. He looks forward to the rise of password-free authentication methods, such as touch ID and face ID, and he hopes to see HIPAA-compliant iMessaging soon, as well as compliant ways of identifying customers through devices such as Google Home or Alexa.
“That was another reason to choose a forward-looking vendor,” says Tandon. “As these scenarios in identity are enabled by Okta, we don’t have to do any of the heavy lifting of figuring out how to do this. We’re just on the bandwagon, and we get it.”
With Okta, the Heal team can remain laser-focused on their core application technology, iterating quickly to meet the demands of patients and doctors, while keeping private health information secure.
Tandon looks forward to a world in which Heal appears on every platform where someone can order a physician. “We rely on Okta through all of these scenarios,” says Tandon. “Having a single identity provider that can help us do that is amazing.
Heal is an on-demand healthcare provider based in Los Angeles, with doctors who provide care in the comfort of patients’ homes. With its On Call app, patients can schedule appointments from any device and see a primary care physician within two hours. Since conducting its first house calls in 2015, the company has expanded to cover four California markets plus Washington D.C