Data Security Dilemma
[Editor's note: the following blog post was written by Jeff Margolis, chair and CEO, Welltok]
Data, data, everywhere...the practical dilemma is that even as the increasing threat of data security challenges is hitting the front page, healthcare industry leaders and pundits are in nearly universal agreement that far more - not less - consumer interaction and engagement with meaningful healthcare data is necessary to drive significant improvements in healthcare value. It's perhaps analogous to the notion of a person needing water to drink, but the water around them is either saltwater or it potentially contains harmful bacteria or parasites. Frustrating to say the least!
While all of the facts around the Anthem breach aren't known yet, other health plans and providers are - as any rational person might expect - expressing heightened concern and examining their own vigilance. It's difficult to feel "safe" when you contemplate the awe-inspiring scope and alleged consumer-harming intent of the breach. Although healthcare industry organizations endeavor to follow best practices, even the most prepared organizations can be subject to the challenge of a data breach. And beyond the challenges of Anthem and its members, digital innovations across the industry that can generally benefit consumers will almost certainly face potential delays.
Allow me to put the healthcare industry data security dilemma into practical terms. First, understand that the HIPAA and HITECH Acts establish minimum requirements for compliance with the Security and Privacy Rules, with the intent of these regulations being to define a common baseline across the healthcare industry. Second, understand that these regulations do not set forth best operational practices for assuring the protection of consumer data, nor do they impart a step-by-step security and privacy framework that establishes best practices for the dizzying array of computers and devices that consumers use today to interact with their health plans, doctors, hospitals and pharmacies.
To be sure, there are excellent and capable people, consultants and security-centric companies to drive and share best practices. However, I feel legacy technologies and existing platforms in healthcare will struggle to apply new security advancements at a sufficient rate to mitigate efforts by the "bad people" who plague multiple industries today.
Today's healthcare consumer-interactive platforms need to be built on the fundamental principle of anonymity with security and privacy engineered into the core design, unlike those based solely on HIPAA. This includes applying the HITRUST CSF security framework and data segregation of PHI/PII from consumer-facing capabilities. We began the development of our CaféWell Health Optimization Platform™ from the perspective that there needs to be a better way to deliver both an engaging, personalized user experience and a safe, secure environment that also mitigates risk.
As my intent is not to be overly technical, I'll conclude with this thought. Figuring out how to help consumers benefit from more data about themselves without increasing the risk of exposing their identity is not easy...but it is possible!