Increasingly scalable, flexible, interoperable, cloud-based platforms supporting sophisticated analytic capabilities have created wide-ranging opportunities and profound insights for healthcare organizations, from improvements in quality of care to cost-saving efficiencies.
But the sensitive health care data underlying such promising developments can also leave payer organizations at risk. Healthcare payers handle large volumes of sensitive patient information, making them just as attractive a target for cyberattacks as healthcare providers. The operational, economic, and reputational risks of data breaches weigh heavily on healthcare organization leaders. Whether accidental or malicious, health care data leaks can expose a health care business to steep penalties, including fines, lawsuits, and regulatory scrutiny. A data breach can originate internally or via external vendors, forcing organizations to maneuver through an intricate cybersecurity environment.
“In my experience, security is almost never about technology availability. It is almost always about people and processes.”
– Milliman MedInsight Vice President of Information Security Jason Bohreer
Preventing such risks can pose significant challenges for health care organizations that need access to sensitive data across departments, devices, networks, and applications. Employing a multi-layered approach to risk mitigation is critical for safeguarding these valuable data assets.
Security as a factor in buy vs. build decision-making
Against such a backdrop, it is little wonder that healthcare payers approach the decision to “build or buy” their analytic solutions with caution. A recent Milliman MedInsight payer survey shows 33 percent of respondents have built an in-house analytic solution. One of the primary drivers of the decision to build in-house was data security: over 30% cited security as a top reason for doing so.
For many organizations, however, the in-house analytic solution they need is out-of-reach. Even those with the resources to undertake such a project may not be prepared for the demands of managing a homegrown analytics platform. And of course, while a homegrown platform may bring a degree of added control, it does not create immunity from security risks.
Zero trust & constant vigilance
Milliman MedInsight Vice President of Information Security Jason Bohreer compares the build vs. buy discussion to the meme that asks, “Which is more dangerous, a shark or a vending machine?” to demonstrate the human tendency to have greater fear of risks in settings they do not control than of risks in familiar places – regardless of the actual risk.
When it comes to data security, Bohreer’s philosophy might be described as “do not trust sharks or vending machines – assume they are both out to get you.”
Modern cybersecurity challenges require constant vigilance, auditing, process improvement and user education. “The philosophy is trust nothing, assume everything is malicious. Watch everything,” Bohreer says.
Managing the threat in an era in which an entire industry of attackers is working 24/7 to identify and exploit vulnerabilities requires a sophisticated, multi-level defense and an experienced team to implement it. “In my experience, security is almost never about technology availability,” Bohreer says. “It is almost always about people and processes.”
Data security & third-party analytic providers
Taking advantage of third-party analytics expertise does not mean having to accept increased exposure to risk. The key is conducting the right due diligence to ensure you are working with an analytics partner aligned with both industry-standard security accreditation as well as with your security needs, philosophy, and risk tolerance.
Bohreer, who holds a master’s degree in Information Security Engineering and has 25+ years of experience building and securing FDA and PHI network environments, offers an overview of criteria for assessing an analytic provider’s commitment and ability to prevent and manage security risks. Here is what you need to know when vetting a healthcare analytics provider.
Look for up-to-date audits & accreditations: Comprehensive auditing and assessment of security controls by established organizations, measured against industry best practices and established and/or regulatory standards, is non-negotiable. These include:
HITRUST R2 certification, which is built around an annual evaluation of an organization’s information security and privacy practices to ensure compliance with the HITRUST Common Security Framework. The assessment involves a review of policies, procedures, and 525 controls across various domains.
A SOC 2 Type 2 report, which is a detailed evaluation of an organization’s security-related controls and their operating effectiveness over time.
Expect transparency: The right partner will do more than tell you about their security practices – they will share audit findings and reports. It is important to be able to understand the details behind the results, including corrective actions taken. Do they have security guidelines or principles that they can share?
Understand their security philosophy: Ask questions that are not in the audit reports: How do they ensure security awareness and training internally? How often do they undergo external audits or perform internal vulnerability assessments? What are their strategies for maintaining a robust defense? For threat detection?
Ask about automation: Keeping up with increasingly sophisticated threats requires sophisticated defenses, including automation of security controls and configurations and the integration of code-based security measures for collaboration, consistency and enforcement.
Reliable, secure, and robust healthcare payer analytics with Milliman MedInsight
At Milliman MedInsight, we employ a comprehensive approach to security that is founded on a “trust nothing, monitor everything” philosophy. This includes vigilant monitoring, thorough assessments, and frequent, in-depth third-party testing and audits. We work in close partnership with our clients to ensure the security of their data and to resolve any issues.
Contact our team to learn more about how we can help you get more from your data with secure and reliable state-of-the-art healthcare payer analytics.