Halodoc is a digital healthcare company based out of Indonesia with a mission to simplify access to healthcare
Started in 2016, Halodoc connects patients with more than 20,000+ doctors, 4,000+ pharmacies, 2000+ hospitals, labs & clinics, and 20+ leading insurance partners through an easy-to-use mobile and web-based application. Halodoc is currently serving 20M monthly active users.
Halodoc’s technology, nimble services, and patient-focused approach have allowed them to enable a host of solutions, including 24×7 doctor teleconsultation, medicine purchase and delivery, laboratory services, hospital access, and appointments, emergency healthcare support, and other services to serve their customers better.
However, operating in the healthcare technology industry has its unique security challenges. Due to the sensitive nature of the customer data and other partners, bad actors are constantly looking for access points and exploiting other vulnerabilities. For Halodoc, one of the biggest needs was complete data security and governance, as it is critical to building and maintaining customer trust.
Moreover, due to the huge scale of operations, the sheer volume of different vendors who access the Halodoc system through various end-points mandates proper access management and also leaves a larger attack surface for attackers to target.
As Lenish Namath, VP of Technology, Cloud, SRE & Security at Halodoc, faced continuous multi-pronged attacks while setting up the Halodoc cloud infrastructure, he realized that they needed a partner to help simulate, predict, and respond proactively to these cloud-based security challenges.
“Cyber-attacks and hackers are getting smarter, leveraging automated tools to evolve their approach continuously. PingSafe understands an attacker’s mindset and strategy and can predict their patterns, which has been a great success for us. Also, it gives us better visibility across our complex cloud real estate.”Lenish Namath, VP of Technology, Cloud, SRE & Security at Halodoc
PingSafe were our thought partners to address cloud security challenges from the very early days of Halodoc
“Given Anand’s stature and reputation in the industry, it was a no-brainer to confer with him as we embarked on creating a secure-by-design cloud infrastructure stack for Halodoc. We wanted security to be a cornerstone of our design from day zero, enabling us to be proactive rather than reactive regarding security.” says Lenish.
“Once we had a framework of how we wanted to model our stack, we started exploring products to help with our security posture management and got introduced to the PingSafe cloud security platform.”
Halodoc, as many other cloud-native startups do, previously relied on cloud-native tooling for security posture management. But after doing a PoC with PingSafe and analyzing the results, Lenish’s team realized they could derive much more value by using PingSafe. PingSafe’s platform delivered near real-time scans and alerts. In one of the test cases, the EC2 creation was still in progress and PingSafe’s platform came up with an alert notification. Following this evaluation, Halodoc signed up with PingSafe to consolidate their multiple existing tools into a single context-aware CNAPP platform.
PingSafe continuously scans cloud assets to ensure no sensitive data remains open to public access
At the scale at which Halodoc operates, new PII data is continuously added to its cloud infrastructure. However, a single publicly exposed S3 bucket containing PII can be catastrophic for a health platform. This is where PingSafe’s platform comes into play. PingSafe continuously detects infrastructure misconfigurations in real-time, identifies public S3 buckets, and notifies the team via Slack and other integrations about these alerts.
Halodoc’s Director of Engineering, Manivannan Chandrasekaran, adds, “A young startup growing exponentially like Halodoc also needs to be very agile and nimble while using the best cloud services available. These new services also need to be configured properly to manage the overall security posture. PingSafe’s platform provides one of the widest coverage options across various domains within the cloud infrastructure. And we get alerted about new vulnerabilities via the Threat Center within the PingSafe platform as PingSafe’s elite security researchers add them.”
PingSafe with its context-aware platform has significantly reduced the number of false positives
“Apart from having more comprehensive checks as compared to the cloud-native solutions, PingSafe’s platform has very minimal false positives. This allows us to focus our developers and security team’s efforts to work on the most critical alerts and remove these vulnerabilities. Added to that, the attacker path analysis capability, which imitates how an attacker can traverse within our cloud assets helping us triage the issue quickly, and we have a very powerful platform to keep our cloud infrastructure secure” says Manivannan.
Halodoc reported almost 80% accuracy in threat detection and alerts, after employing PingSafe which is significantly above the industry standard. Moreover whenever an issue is reported to be false positive, PingSafe actively works to add the logic to the platform so that similar issues are not highlighted again for Halodoc.
“PingSafe helped us build, scale and secure our cloud infrastructure infrastructure. Our next steps are to work with them toward a shift-left security strategy and build a threat center for critical vulnerabilities.“Manivannan Chandrasekaran, Director of Engineering at Halodoc
PingSafe allows us to continuously monitor our compliance posture via a dedicated dashboard and integrations into Slack and JIRA allows easy communication across the teams
The Healthcare industry is heavily regulated, with companies required to follow multiple compliances, including HIPAA, SOC2, and others. Managing detailed compliance requirements can prove to be a hassle for even the largest players in the industry. PingSafe’s compliance dashboard, which provides a single pane of glass view for most well-known compliance standards like HIPAA, ISO, SOC2, MITRE, NIST, etc., allows Halodoc to maintain compliance across these standards.
Lenish adds, “PingSafe’s compliance dashboard provides a unified view of our compliance posture, down to the minutest details. For example, we can double-click into a specific standard to identify which section of a compliance standard we are non-compliant against and which assets we need to safeguard to be fully compliant. Add to that the visibility which we get across our cloud estate via PingSafe, and it becomes very easy for us to remain compliant.”