Solving the Data Security Dilemma
By Jeff Margolis
Data breaches and security threats – such as the recent attacks on Premera Blue Cross and health insurer Anthem – are increasingly becoming a concern for healthcare organizations of all sizes. Despite these security threats, many healthcare industry leaders and pundits are in agreement that consumer interaction and engagement with meaningful healthcare data is necessary to drive significant improvements in healthcare value in the future.
While all of the facts around recent events like the Premera and Anthem breaches aren't known yet, other health plans and providers are expressing heightened concern and examining their own attentiveness. Although healthcare industry organizations attempt to follow best practices, even the most prepared organizations can be subject to the challenge of a data breach. And beyond the challenges of Anthem and its members, digital innovations across the industry that can generally benefit consumers will almost certainly face potential delays. To put the healthcare industry data security dilemma into practical terms:
- First, understand that the HIPAA and HITECH Acts establish minimum requirements for compliance with the Security and Privacy Rules, with the intent of these regulations being to define a common baseline across the healthcare industry.
- Second, understand that these regulations do not set forth best operational practices for assuring the protection of consumer data, nor do they impart a step-by-step security and privacy framework that establishes best practices for the dizzying array of computers and devices that consumers use today to interact with their health plans, doctors, hospitals and pharmacies.
- Lastly, there are excellent and capable people, consultants and security-centric companies to drive and share best practices. However, I feel legacy technologies and existing platforms in healthcare will struggle to apply new security advancements at a sufficient rate to mitigate efforts by the "bad people" who plague multiple industries today.
Moving forward healthcare consumer-interactive platforms need to be built on the fundamental principle of anonymity with security and privacy engineered into the core design, unlike those based solely on HIPAA. This includes applying the HITRUST CSF security framework and data segregation of PHI/PII from consumer facing capabilities. When developing various consumer facing products now and in the future we must find a better way to deliver both an engaging, personalized user experience and a safe, secure environment that also mitigates risk. Figuring out how to help consumers benefit from more data about themselves without increasing the risk of exposing their identity is not easy, but it’s possible.