Healthcare payer CIOs tell me that today their organizations are transforming their historical missions to put members front and center, and that core to this change is the ability to use data to improve member health.
According to Julie Hill, a Board member at Anthem Blue Cross, “Disruption is coming our way. We have been pretty staid for a long time. Historically, we viewed Ford Motor for example as our only customer. However, everything has changed. It no longer works to have 7 platforms for collecting metrics around performance. The opportunity for us today is to ‘mine the metadata for healthcare outcomes’. This is a huge cultural shift, but it is also a moral imperative and increasingly, an economic imperative.” (UCI Road to Reinvention, Center for Digital Transformation, March 2016)
The rise of healthcare-related IoT adds to the diversity of datasets containing PHI and PII, with the potential to improve quality of care and patient outcomes. This sensitive data is of value to both members and payers and, as such, needs to be managed, governed and, most importantly, protected.
Healthcare payers that organize their data strategies effectively will have the ability not only to drive better healthcare outcomes but also to lower their costs by ensuring standards of care, performance-related pay, compliance with government and industry regulation, and reduced vulnerability in the event of a hack.
Healthcare payers explain that they have been slow to respond here for many reasons. While access to a unified view of patients is desirable, it requires the ability to overcome the complexities of putting together a variety of data from multiple sources, including patient and pharmacy records, IoT data, social media activity, and more. Healthcare payers are limited as well by data interoperability and by worries about the privacy risks associated with creating an integrated view of member and patient data. Alleviating these concerns requires that they proactively protect members’ personal data from re-identification and hackers, without compromising its usability.
Unfortunately, healthcare payers have limited capability to holistically manage sensitive data. For this reason, they are also limited in their ability to avoid costly fines and lawsuits for noncompliance. For better accountability here, they need to actively remediate processes that are insufficient. As part of this, they will need their employees to demonstrate proper due diligence and risk management in protecting high-risk data. Taking these steps will avoid liability for breach of fiduciary duty and waste of corporate assets in cases where lawsuits allege improprieties in directors’ pre- and post-breach conduct, such as failure to properly disclose, investigate and remediate compliance issues.
Healthcare payers say that knowing where to start with managing their data is key to meeting regulatory compliance. HIPAA lists 18 identifiers that are considered personally identifiable information – high-value data targets including social security numbers, medical IDs, and first or last name, the latter two of which gain importance when tied to ailments. For compliance and privacy, IT leaders need the ability to secure this information throughout the entire data flow: not only in motion but at rest and in use as well. Making this happen requires the shared development of data privacy and security policies within the community served. Data policies are inherent to data protection compliance and to avoiding business risk.
For these reasons, one healthcare payer Chief Compliance Officer says that data security “is important. We have funding for it, we have the top-down support for it in our organization, but we want to make sure that the business users as well as internal IT users understand why this is important.”
With members’ PHI and PII always under threat, healthcare payers need rigorous policies and capabilities to protect this valuable corporate asset from compromise, loss and targeted cyber-attacks. One CISO put it this way: “The emphasis needs to move from the application to the data touch points, with data security baked in from the start.” Healthcare payer CIOs stress the importance of business leaders thinking about the data they collect in terms of how much is actually required, then storing it only as long as is necessary, in order to protect against insider misuse and loss from unintentional actions. Healthcare payer CIOs worry not only about identity theft and prescription fraud but also about third parties receiving medical care under a patient’s name, which could create false medical histories with personal and financial implications for members and payers.
In 2015, over 180 million healthcare records were exposed. Hackers are targeting healthcare payers and providers with increasingly sophisticated methods for circumventing several layers of strong security controls. Clearly, the more personal the information that healthcare payers put together – and PHI is extremely personal – the more valuable a target it becomes for identity theft, which creates all sorts of ramifications for the healthcare payers that suffer breaches. Healthcare payers have been implementing layered physical and logical controls for a number of years; today’s threats demand that they extend their cybersecurity mandates and preparedness to include securing the data itself.
Are you concerned about these issues in your organization? I’ve recently put together a more detailed look at how data-driven healthcare payers can overcome the difficulties they’re facing today and I’d love to know what you think – to read it, please click on this link: 5 Growth Initiatives Healthcare Payers Can Leverage Today with Security.