Partnerships between technology firms and hospitals play an important role in advancing the objectives of healthcare risk managers. This past fall The Wall Street Journal reported that technology companies are partnering with hospitals across the country to store and research patient data.
One such partnership involves Google and the Mayo Clinic, which signed a 10-year agreement under which Google stores medical, genetic, and financial data on its cloud platform. The protected health information (PHI) of patients is to be kept confidential by de-identifying the data so that it carries nothing linking it back to an individual patient, though de-identified records can sometimes be re-identified when combined with other datasets, so the contractual and access controls around the data matter as much as the scrubbing itself. Additionally, The Wall Street Journal reported that patient records will remain under the Mayo Clinic's control while Google analyzes ailments, treatments, and outcomes in the aggregate and anonymously. The hope is that patterns can be identified not only to provide more effective treatments but also to find cures for certain diseases. Big data is the “new microscope” in healthcare.
If patterns can be recognized to identify and treat ailments faster, parts of the healthcare delivery process can be trimmed, such as the length of a hospital stay or the drug dosage prescribed. Shorter hospital stays and smaller quantities of drugs can lift the burden on the healthcare system, potentially lowering the health insurance premiums that companies and employees pay as the severity of medical claims falls. Risk managers can reap the rewards as well: higher patient satisfaction scores, fewer medical errors thanks to more efficient treatment methods, and more successful clinical research trials that make use of the technology are some examples.
Preparing for Unintended Risks
New technologies bring both benefits and new risks. As the healthcare industry increases its partnerships with tech firms, it must be prepared to address the growing problem of cybersecurity threats. According to CISION, 75% of the healthcare industry has been infected with malware at some point. This is not surprising given that, according to a 2018 Ponemon Institute study, the average cost of a data breach involving PHI is $408 per patient record, the highest of any industry, which makes healthcare records a lucrative target for cyber criminals.
This past October, DCH Health Systems in Alabama was forced to stop admitting new patients at three of its hospitals after it was hit with a ransomware attack. Recently, Hackensack Meridian Health (NJ) and Oahu Cancer Center (HI) were each hit with ransomware attacks that disrupted normal hospital operations. Cyber threats are now, literally, a matter of life and death, and the healthcare industry must keep cyber resiliency high on its priority list as its reliance on technology grows.
In 2018, before Google announced its partnership with the Mayo Clinic, it began a similar relationship with Ascension. Based in St. Louis, Ascension is a hospital chain with approximately 2,600 medical facilities. According to The Wall Street Journal, Google has obtained diagnoses, hospital records, lab results, and other forms of PHI, including names and addresses, through the Ascension partnership.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) permits hospitals to share such data with business associates like Google, provided the data is used for the hospital's core functions of treatment, payment, or health care operations and the sharing is governed by a business associate agreement that binds the partner to HIPAA's safeguards. When data is shared for those core functions, HIPAA does not require that patients be notified or that they give authorization.
While the Google/Ascension partnership may be permissible under HIPAA, hospital risk managers must balance the legal and ethical aspects of how they communicate their use of patient data, for the sake of transparency, while simultaneously guarding against ever-present cyber risks. Care must be taken to ensure patient data is protected and that Google does not use this PHI for other pursuits, such as cross-referencing it with data from its recent Fitbit acquisition; the business associate agreement should spell out the permitted uses and the hospital's right to verify them.
Planning for The Future
In no other industry is real-time access to critical information more important than in healthcare. Lives are at stake each day based on how quickly patient data can be accessed and used for treatment; the COVID-19 pandemic is one very real example. While hospital risk managers continue to “harden” their cyber infrastructure against breaches that would expose PHI, a balance must be struck so that technological innovations relying on access to this information are not sacrificed. This scenario is analogous to living in a free and open society: guarding against terrorist acts should not sacrifice the daily freedoms enjoyed, otherwise the terrorists win. Beyond hardening cyber defenses, here are ways risk managers can plan for the future to ensure sensitive data is protected:
1 | Provide cybersecurity and cyber hygiene training for staff. Social engineering attacks exploit the lack of security awareness among users and staff members, so reinforce the idea that every staff member is responsible for protecting patient data and build a culture of security around it. Cyber hygiene routines to train on include:
   - Setting strong passwords for all devices and accounts. Each password should be unique and at least 12 characters long. Length and a check against lists of known-breached passwords matter more than forcing a mix of numbers, symbols, and upper/lowercase letters (see NIST SP 800-63B), and no password should be reused across systems; a password manager makes unique passwords practical.
   - Using multi-factor authentication to add an additional layer of protection beyond the username and password: a one-time code from an authenticator app, a hardware security key, or facial/fingerprint recognition. Codes sent by text message to a mobile device are better than nothing but can be intercepted or phished, so prefer app- or hardware-based factors where the system allows it.
   - Regularly backing up sensitive files both to the cloud and to offline storage such as an external hard drive that is disconnected once the backup completes. Ransomware routinely encrypts or deletes any backup it can reach, so at least one copy should be offline or otherwise immutable, and restores should be tested on a schedule. Risk managers should use a technology vendor who can provide guidance on cloud storage, external drive storage, and remote backup location strategies.
   - Using a network firewall to block inbound connections that are not explicitly needed and to limit outbound traffic from workstations and servers to approved web, mail, and other services.
2 | Use a controlled system access model. Define the role of each staff member within the organization, grant only the access that role requires, review those grants periodically, and ensure system access is revoked immediately when a staff member leaves the organization.
3 | Install and regularly update reputable antivirus and anti-malware software that:
   - Scans for and removes malware and computer viruses.
   - Schedules and performs automatic scans of a single file or the entire computer.
4 | Protect mobile devices. Best practice is to keep sensitive health data off mobile devices altogether. If data on a mobile device is necessary, it must be encrypted, and the device should support remote wipe in case it is lost or stolen.
In 2020 and beyond we can expect more patients to ask how their sensitive PHI is being used, so risk managers should be prepared to rethink their external communication strategy. The more trust society has in these technology/healthcare partnerships, the easier it will be for technology to play a greater role in addressing critical healthcare issues.
Read on Risk & Insurance