When you're responsible for managing the personal data of millions of people, simply thinking "it's secure" simply won't cut it. That's precisely why we engage ethical hackers every year to actively try and breach our CustomerConnect platform. And yes, without fail, they always manage to find something.

‍

That might sound alarming, but that’s entirely the point. What separates a truly secure organisation from one that isn't? It's not about pre-empting every conceivable vulnerability—that’s just a digital fantasy in our complex world.

‍

The true difference lies in how rigorously you approach security, how proactively you hunt for weak spots, and how swiftly you rectify them when they surface.

‍

The weight of processing sensitive data

‍

Harmony CustomerConnect serves, among other things, as the central nervous system for communication between major Dutch health insurers and their policyholders. Other major firms, like the Dutch Postcode Lottery, also rely on the platform.

‍

We don’t take that level of trust lightly. When organisations hand over data to us via secure channels, they need to have implicit faith that we will protect that information as if it were our own most sensitive corporate secrets.

‍

How do you put a complex ecosystem to the test?

‍

CustomerConnect is a sophisticated platform: it liaises with external service providers, processes structured data from client back-office systems, and is accessible via a secure web interface with modern authentication.

‍

A system this intricate can't be tested with a bog-standard checklist. That's why we partner with specialist external penetration testing (pentest) firms. They meticulously scrutinise the entire platform using internationally recognised methodologies, such as the Pentest Execution Standard (PTES) and the OWASP Testing Guide.

‍

Multiple testing perspectives

‍

We test our platform from various angles to build the most comprehensive picture possible of our security posture:

‍

• The Outsider: Pentesters initially only receive publicly available information—mimicking the resources a malicious actor would have. No login details, no background on the architecture. The question is simple but stark: can someone from the outside break through our defences?
  ‍
• The Insider Threat: In a subsequent phase, pentesters are given legitimate access rights, comparable to a regular platform user. This simulates a compromised account or a malicious insider. The crucial question here is: are our different client environments genuinely segregated? Can a user from Company A gain access to Company B’s data? Are users strictly limited to their appropriate permissions?
  ‍
• Configuration Review: We commission a thorough review of our configurations and our connections with external service providers. How do we transmit data to our partners? Are our connections correctly secured? Are we deploying the appropriate encryption standards for all data transfers? These reviews don’t involve active penetration but are equally vital. An incorrect configuration can lead to a data breach just as easily as a flaw in the code itself.
  ‍

What We Find (and How We Action It)
‍

Every year, a penetration test yields findings. These range from vulnerabilities demanding immediate attention to 'best practice' recommendations that simply further strengthen the security posture.

‍

The key takeaway isn't if findings appear—they always will—but how you address them. At Harmony Group, we maintain a stringent remediation roadmap.

‍

A concrete example of our process: when a significant finding is confirmed, it is allocated to our development team’s sprint within a matter of days. We then schedule a mandatory retest to validate the fix. The final report is only officially closed once that retest gives an approving result.

‍

This speed of action is non-negotiable. A vulnerability you are aware of but fail to resolve is, in essence, a conscious decision to carry risk. And that fundamentally contradicts the responsibility we hold for the data of millions of policyholders.

‍

Certifications: More Than Just a Piece of Paper

‍

Penetration tests are just one element of a much wider security framework. Harmony Group holds certifications for two critically important standards:

‍

• ISO 27001: This is the global standard for Information Security Management. It outlines what organisations must have in place to handle data safely: policy, procedures, technical controls, access management, incident handling, and risk analysis. ISO 27001 certification forms the essential baseline for any software provider handling business-critical data.
  ‍
• NEN 7510: This is the specific Dutch standard for information security management in the healthcare sector. It was developed to support healthcare institutions and their suppliers with the secure processing of patient data, adding extra, stringent requirements derived from Dutch law and the exceptional sensitivity of medical records.
  ‍

Beyond these certifications, we also have an independent assurance statement prepared by an accountant. This confirms that we don't just have documented procedures; we actively execute them. The accountant verifies that our control measures function exactly as intended in a real-world setting. It’s the difference between saying "we do it" and being able to prove "we've done it."
‍

For our clients, who often have stringent compliance demands of their own, these certifications and assurance reports are a vital source of trust.
‍

Security Is a Team Sport

‍

Security is not the sole domain of one individual within our organisation. At Harmony Group, it’s a genuine collaboration across multiple disciplines:

‍

• Our CustomerConnect Team handles the day-to-day development and management of the platform. They are intimately familiar with every function, every integration, and every data flow. When a finding comes in, they are the ones who design, implement, and test the fix.
  ‍
• Our Security & Privacy Officer coordinates the pentests, assesses findings from a risk perspective, and ensures the remediation roadmap is strictly adhered to. This role also oversees compliance with ISO 27001, NEN 7510, ISAE 3000, and other relevant regulations such as GDPR.
  ‍
• Our Infrastructure Partners provide the underlying cloud environment, network segmentation, firewalls, and all other infrastructural security layers. Many modern attacks target the infrastructure itself, not just the application. These partners must meet security standards that are at least as demanding as our own.
  ‍
• And, of course, the External Pentest Partner who scrutinises the entire picture with an independent, highly critical eye.
  ‍

This multidisciplinary approach ensures we view security not just as a technical hurdle, but as an organisational responsibility that involves every single person.

‍

Transparency as the bedrock of trust
‍

We could easily have written this piece without mentioning that vulnerabilities are ever found. We could simply settle for external communication stating, "we are ISO certified and carry out the necessary pentests," without offering any detail. We choose not to do that.
‍

The reality is that every complex software system contains vulnerabilities. The right question isn't whether you have them, but whether you can find them before malicious actors do. And once you find them, do you then act quickly and effectively?

‍

By being upfront about our security approach—including the fact that we find vulnerabilities and then resolve them—we hope to build trust, not undermine it. Because genuine security is not a marketing slogan; it is a profound, continuous commitment.

‍

For any organisation considering using CustomerConnect, this is perhaps the most critical signal: we take security so seriously that we actively hunt for issues, have it rigorously tested externally, and are transparent about our methods. That is fundamentally different from organisations that only take action after an incident has already occurred.

‍

Finally: security is never 'done'

‍

There will never be a time when we can confidently declare: "CustomerConnect is now 100% secure; we can stop." Security is not an endpoint; it is a process. A perpetual cycle of testing, learning, improving, and testing again.

‍

What we can promise is this: we take this responsibility with the utmost gravity. We invest in pentests, certifications, training, and tooling. We are fully transparent in our approach. And we move with speed and decisiveness when action is required.

‍

For the millions of people whose data is processed via CustomerConnect, for the clients who place their faith in us, and for the service providers we work alongside: that commitment is our unwavering promise.

‍

Want to know more about how CustomerConnect makes communication between businesses and clients safer, more efficient, and more reliable? Discover our client communication solutions.

‍

When digital transformation (DX) processes are difficult, this is certainly not always due to technical or budgetary restrictions. In fact, when we search for data points, we've recently seen that only 35% of companies worldwide achieved their DX goals (BCG, 2021) — a sobering figure that shows that a fundamental piece is often missing.

‍

This missing piece? Sometimes this is a thoughtful and proven process approach. Because organizations that do succeed make a smart combination of technology and recognized process optimization methods such as Lean, Six Sigma, Agile and Design Thinking.

‍

What is digital transformation really?

‍
Digital transformation is more than implementing new technology. It's a fundamental review of how organizations create value, supported by digital tools.

‍

It's about:

‍

• Process automation
• Data-driven decision making (which is crucial, as 73% of consumers expect improved personalization as technology advances, Salesforce, 2024)
• New (digital) customer interactions
• Innovative business models
  ‍

But without a clear process approach, digitization can lead to accelerated chaos instead of measurable improvement.

‍

The power of process methods in DX

‍

Here's how proven methodologies add value to digital projects:

‍

1. Lean: Eliminate waste before digitizing

‍

Lean focuses on eliminating waste and maximizing customer value. In digital processes, Lean helps to identify inefficient processes before they are automated.

‍

• Value Stream Mapping to discover bottlenecks and waiting times.
• Focus on a culture of continuous improvement (Kaizen).
• Minimizing unnecessary steps in digital workflows

Achieve companies with effective change management programs (a pillar of Lean and Agile) medial 143% of expected ROI (McKinsey).

So clean up first, then digitize!

‍

2. Six Sigma: Ensuring Quality and Consistency

‍

Six Sigma is focused on reducing variation and improving the quality of the end product. By using data analysis and the DMAIC (Define, Measure, Analyze, Improve, Control) cycle, digital processes can measurable and sustainable are being improved.

‍

• DMAIC apply to digital workflows to eliminate errors and rework to reduce.
• Data-driven approach: Organizations that implement Six Sigma correctly see on average, a return of $230,000 per project and an ROI of 4.5 to 6 times on their training investment (Sixsigma.us).
  ‍

3. Agile & Design Thinking: Flexibility and People Focus
‍

• Agile ensures rapid iteration, continuous feedback and collaboration between teams, which is essential in the rapidly changing digital world.
• Design Thinking puts the end user first and helps design intuitive digital solutions. The goal: better adoption.
  ‍

Companies that use Design Thinking focus on understanding user needs. This is crucial because 41% of organizations invest in DX without properly examining their customer needs (Prophet, 2019), which often leads to adoption disappointment.

‍

The consultant as strategic process director

‍

As a consultant, you can use these methods strategically in each phase of a digital transformation process:
‍

Regardless of the role you play in the digital transformation project where you are working as a consultant, it is always interesting to keep the above process methods in mind.

‍

• Lean: try to identify the processes that your project has an impact on and identify waiting times and unnecessary steps.
• Six Sigma: view the product delivered by the project you are working on, what is the amount of rework there? What is the quality of the end product? Does each product have the same level of quality (variation)?
• Design Thinking: make use of Design Thinking techniques when you attend workshops that look for solutions.
• Agile: An agile way of working ensures rapid development of the certain solutions, and rapid feedback loops also help with rapid deliveries.

‍

Practical example: the HR app implementation

‍

Imagine: as a Digital Transformation consultant, you supervise the implementation of a new HR app (paysheet, absences, etc.).

‍

• Lean: You start with a Value Stream Map of the current process. You discover two redundant approval steps and four days of waiting time in the leave application process. These steps are eliminated before digitization.
  ‍
• Six Sigma: During the test phase, you analyze data. You note that 15% of applications are submitted incorrectly due to confusing input fields. You apply the DMAIC method to analyze the source of error, improve the interface and reduce the error rate to less than 5% (the Six Sigma Standard).
  ‍
• Design Thinking: You organize workshops with the end users to co-create the interface. By using personas and Journey Mapping, you design an app that is intuitive, which means adoption accelerates by 25% in the first month.
  ‍
• Agile: You're using Scrum. Each sprint provides a working element. User feedback from last week will be incorporated into the next sprint, so that the solution perfectly meets the need.

‍

Conclusion

‍

Digital transformation is not a goal in itself, but a means of creating measurable value. Integrating Lean, Six Sigma, Agile and Design Thinking enables consultants to:

‍

1. Avoiding waste (Lean).
2. Guaranteeing quality and ROI (Six Sigma).
3. Achieve higher user adoption (Design Thinking).

‍

In short: Optimize first, then digitize. Only then can you achieve sustainable change, satisfied customers and measurable impact.

‍

The healthcare sector faces immense challenges. An ageing population, rising costs, and acute staffing shortages demand fundamental change. The solution lies not only in more hands-on care, but also in smarter processes and effective use of technology. This is where the power of apps and applications in healthcare becomes indispensable.

‍

But how do you navigate, as a CIO, IT manager, or architect, through this complex landscape of technological possibilities? Which use cases are most relevant for your organisation, whether you're active in community care, mental health services, acute hospital care, or public health?

‍

In this article, we dive into the world of digital transformation in healthcare. We explore concrete applications of digital solutions, the strategic role of low-code platforms, and how to build a robust IT architecture that enables innovation. This is your guide to embracing digitalisation and building tomorrow's healthcare system.

‍

The Business Case for Digital Transformation

‍

Digitalisation in healthcare is not an end in itself, but a means to improve patient care and make organisations future-ready. For CIOs and IT managers, the business case is clear: investing in the right technologies leads to operational efficiency, higher patient satisfaction, and an attractive working environment for healthcare professionals.

‍

Accelerating Innovation with Low-Code and No-Code

‍

One of the biggest obstacles to innovation in healthcare is speed. Large Electronic Health Record (EHR) systems are complex, implementation takes time, and bespoke solutions are costly. This sometimes leads to the emergence of 'shadow IT', where departments independently use non-approved software tools or AI applications to get their work done. This brings security risks.

‍

Low-code and no-code platforms offer an elegant solution. These platforms enable us to build applications faster and more efficiently in a visual environment. Think of an app for registering new patients or a tool for scheduling facilities management. Because this happens within one central system, control is maintained whilst innovation is stimulated. It's a powerful way to accelerate digital transformation in healthcare and develop a toolkit that seamlessly aligns with the reality of healthcare workers.

‍

The Importance of Robust IT Architecture

‍

Successful applications stand or fall on their integration into the existing IT landscape. Many healthcare organisations struggle with a patchwork of systems that don't communicate with each other. Creating robust IT architecture is therefore the first step. This includes choosing the right integration platform, setting up an effective API management strategy, and adhering to data standards (such as HL7 and FHIR). This ensures seamless data exchange in healthcare and makes it possible to connect new apps to existing systems.

‍

Additionally, cybersecurity is an absolute top priority. With the increase in digital data and applications, the risk of data breaches also increases. Sound IT architecture therefore includes strict protocols for privacy and security, in line with GDPR. The IT architecture is the foundation upon which all digital innovations are built.

‍

Case Studies and Success Stories from Practice

‍

Theory is fine, but practical examples speak volumes. We see healthcare institutions across Europe taking the step towards digitalisation with impressive results.

‍

Case Study 1: Smart Community Care App

‍

A large Amsterdam-based community healthcare trust struggled with excessive administrative burden for community nurses.

‍

Through developing a low-code app, specially tailored in consultation with nursing staff, the situation changed radically. From many separate apps that each offered "part" of the solution, they moved to one overarching "super app" containing all appointments, tasks, and various notes.

‍

Community nurses now view their optimised routes via the app, can create reports directly at the patient's home, and manage tasks seamlessly. The result? A reduction in administrative burden, less switching between apps, and therefore an increase in time with patients, resulting in higher staff satisfaction and better patient outcomes.

‍

Case Study 2: Comprehensive App Ecosystem in Hospital Care

‍

Hospital da Luz, one of the largest private healthcare groups in Portugal, struggled with fragmented digital healthcare services that forced patients to switch between multiple systems.

‍

Through developing a complete digital ecosystem using low-code technology, the hospital transformed into an integrated app landscape of 28 different digital innovation initiatives.

‍

The core of this is the patient app, but the hospital also developed specific applications for various care processes:

‍

• Remote monitoring via wearables: Healthcare professionals can now remotely monitor patients by synchronising data from wearable devices via GoogleFit and HealthKit to the app, including heart rate, blood pressure, sleep, and body temperature.
• Telephone triage: A 24/7 telephone triage system operated by specially trained nurses that within three months of launch was handling 4,000 patient calls per month.
• Central Clinical Record: A specialised application that gives healthcare professionals an integrated overview of clinical patient data from multiple specialities and systems, crucial for complex pathologies.

‍

The result is an ecosystem serving over 1.3 million people, where 70% of all doctors allow online appointments and online bookings increased by 400%. By consolidating all systems on one low-code platform, the hospital can quickly add new functionality and has positioned itself as a leader in digital healthcare delivery.

‍

Quick Takeaways

‍

• Efficiency is key: Apps reduce administrative burden and create more time for direct patient care
• Low-code accelerates innovation: Platforms enable healthcare institutions to build bespoke applications quickly and flexibly
• Integration is essential: Robust IT architecture with APIs is needed for seamless data exchange
• Patient-centred approach: From patient portals to home monitoring apps, technology increases patient empowerment
• Security is non-negotiable: Investment in apps must go hand in hand with strong focus on cybersecurity and data protection
• The future is hybrid: The most successful care models combine physical care with digital tools for optimal results

‍

Conclusion

‍

Digital transformation in healthcare is an irreversible process, and the role of applications is leading in this transformation. We have seen that apps not only automate processes but also improve the quality of care, give patients more control, and provide an answer to increasing workload pressures.

‍

Low-code combined with AI is a powerful accelerator, enabling healthcare professionals and IT departments to innovate and excel together without compromising safety and integrity. The challenge is not whether we should digitalise, but how we do it: strategically, integrated, and with focus on people.

‍

Establishing robust IT architecture, embracing low-code, and starting with concrete, small pilot projects are crucial steps for every healthcare organisation. As external IT partners specialising in healthcare, we guide healthcare institutions through this complex transition for years. We help you make the right strategic choices and implement technological solutions that truly help your organisation and your patients.

‍

Frequently Asked Questions (FAQs)

‍

Q1: What is low-code and why is it relevant for healthcare organisations?

Low-code is a software development method that enables building applications with minimal code, primarily through visual interfaces and ready-made modules. It's relevant because it enables healthcare institutions to respond quickly to changing needs, develop specific healthcare apps, and reduce dependence on traditional, lengthy IT projects.

‍

Q2: How can I guarantee the security of my apps in the healthcare sector?

Security is of utmost importance. This begins with robust IT architecture that complies with GDPR guidelines and specific healthcare standards such as those set by NHS Digital and the Care Quality Commission. Use platforms with built-in security features, conduct regular audits, and ensure strict access control. A cybersecurity strategy must be an integral part of every application development.

‍

Q3: What is the difference between an EHR and a Personal Health Record (PHR)?

An EHR (Electronic Health Record) is managed by the healthcare institution and contains a patient's medical history. A PHR is an app or online environment managed by the patient themselves, where patients can collect medical data from various sources, such as from a hospital's EHR or GP surgery data. The PHR increases patient autonomy and supports the digital patient journey.

‍

Q4: How can my organisation begin with digitalising processes?

Start small. Identify a specific process with a clear pain point, such as patient registration or appointment scheduling. Develop a small-scale pilot with a low-code platform and involve both IT and end users (healthcare professionals). The lessons learned from this project help scale success gradually.

‍