Tag Archives: blue cross

Empowering Health Through Blockchain

As the U.S. continues to wrestle with healthcare and how to provide insurance, the country seems to be in a state of flux; many individuals and employers alike question how they will ultimately be affected. Warren Buffett and Charlie Munger have identified healthcare as the biggest issue facing American businesses, and the National Federation of Independent Business ( NFIB) reports that the cost of health insurance is “the most severe” problem facing American small businesses today. The growth in healthcare costs has long been an issue in a monopolized industry controlled by the major health carriers (i.e. Blue Crosses, United, Cigna and Aetna).

The problem started spiraling out of control when insurance industry leaders, e.g. MetLife, converted from mutual company structures to stock company structures. When the best interests of the consumer become misaligned with the best interests of the service provider, we create a conflict of interest. After all, their fiduciary duty is to their shareholders, not their consumers.

The benefits system in the U.S. has been flawed for many years. It is plagued by a lack of transparency and leaves the employer powerless to fight increased premiums with each renewal, for what is most often their second largest expense next to payroll.

It’s time to collectively question the status quo and demand innovative solutions that leverage enhanced benefit plan design with emerging technology and contextual data. Business owners’ cost for healthcare should be directly correlated with the health risk and outcome of their employees. All aspects of plan design need to be transparent, and business owners and employees must own their healthcare data, so they can understand exactly what is driving costs and actually control their spending.

Viable solutions will come through companies like iXledger, a London-based blockchain insurtech start-up and collaborator with Gen Re that has partnered with online information hub Self Insurance Market to develop a marketplace for the growing self-insurance risk management sector. The marketplace leverages iXledger’s blockchain platform to navigate the complex, data-intensive processes of self-insurance, providing the visibility, workflow and resource management to receive cost-effective bids for appropriate services.

See also: What Blockchain Means (Part 2)  

The current group benefits market is primarily controlled and monopolized by the Blue Crosses, United, Cigna and Aetna (BUCAs), leading to diminishing provider networks, unclear benefits coverage and consistent premium increases over the last decade. American employees are unable to afford to participate in their own employer’s group medical plan. Aetna recently announced that it will not pay commissions to brokers on groups with fewer than 100 insured lives.

Technology alone is not the key to driving down the cost of healthcare and enhancing benefits. The famed health insurance unicorn Oscar has the technology, but only leveraging new tools with legacy processes is not going to yield significant returns. Disruption in healthcare requires a totally new approach, not just new technology to try to enhance the current, monopolized benefit plan offering.

Unfortunately, I believe Oscar will continue to lose to the BUCAs, unless it can quickly pivot. Oscar is currently losing roughly $1,750 per member, yet its last capital round provided for a $2.7 billion valuation with 120,000 insured lives, or $22,500 per member. Although Jeff Bezos and other technology leaders have defied all conventional means of valuation across the capital markets, an analysis into Oscar’s business has me a bit stifled. If you look at the member population, 48% of the New York enrollments in 2015 came from the ACA state exchange, who are often high-risk members. Perhaps that is why Oscar’s ratio of hospital costs to premiums earned was 75%, compared with 62% at UnitedHealthcare. The lack of capital relative to the BUCAs and Oscar’s existing member risk population will make it quite difficult to compete.

See also: Blockchain Technology and Insurance  

As Oscar shows, the solution to the health benefits crisis in the U.S. will not be driven with just new technology and enhanced analytics, but by integrating enhanced data and new technology, such as telemedicine, with innovative and enhanced benefit plan designs similar to what iXLedger is endeavoring to facilitate. The solution is a paradigm shift requiring new tools that compel new processes to put both employers and employees in control of their cost of healthcare while offering enhanced health benefits coverage.

‘Alexa, What Is My Deductible?’

When it comes to adoption of technology, simple is most often better than complex. Steve Jobs and Apple went to great lengths to make their products simple. Without user adoption, products fail. Current technology trends continue the move toward simplicity with the advent of artificial intelligence and personal assistant tools like Amazon’s Echo and the Google Home. Before you know it, these tools will enter the benefits world. The question is, who is going to be first and best? And if I am a benefits broker, how does this affect my business?

While many brokers are aware of the vendors that call on them or have booths at industry conferences, I believe the benefits technology race is going to heat up, with new competition entering the market. These new competitors see the market opportunity to automate large segments of our economy, including health insurance and healthcare. You may have heard of some of these companies, like Microsoft, Google, Salesforce.com and Apple. This would be in addition to current leaders such as ADP and Paychex. The stakes of the game will change, and the price of entry, from an investment standpoint, is in the hundreds of millions of dollars. Those with the capital will quickly outpace those with less capital.

Don’t be surprised when you start to see major mergers and acquisitions in the HR and benefits space. Could Microsoft buy Ultimate Software? Why not? Microsoft already purchased LinkedIn and recently hinted at getting deeper into the HR space.

See also: Could Alexa Testify Against You?  

When I look at products like the Amazon Echo and Google Home, I see products that have very quickly grabbed market share, with high rates of adoption. My wife, who is not an early adopter of technology, quickly became a user of Google Home. Why? Because it is easy. Would she have a better understanding of her health insurance if she could simply ask Google? Absolutely!

Benefits technology, on the other hand, has not had broad adoption by employees. Yes, employers have bought systems or brokers have given them away, but when you look at utilization on the employee side it is abysmal. I believe the reason for this is because there is not enough value as a stand-alone solution to generate broad adoption. Keep in mind that the majority of people hardly use their healthcare in a given year, so there is little need to access such a system. I don’t know about you, but I can hardly remember the login to my computer, never mind something I may not use for six months.

The next generation of technology in the HR and benefits area is going to have broader and “everyday” value, while being much easier to use. Market-leading vendors, especially those with a great deal of capital, will invest in the latest technologies to try to win the technology race and gain more customers. And before you know it, you will be saying the following:

“Alexa, is Dr. John Smith from Boston in the Blue Cross network?”

“Ok, Google, request Friday off from work.”

“Hey, Siri, how much does the average office visit cost?”

“Alexa, what is the balance of my 401k?”

“Ok, Google, transfer $500 from my savings to checking.”

The advancement of technology and artificial intelligence has enabled many to have more personalized user experiences. Your Amazon Echo will “get to know you.” Maybe in the near future your doctor will get to know you a little better, too.

Many benefits brokers have chosen some technology vendor with a mission of putting as many clients on the system as possible. This is a risky position competitively as more advanced solutions from highly capitalized companies come along. I don’t know many sales people or business owners in any industry who like running around with the eighth best product. Even more so when it is not necessary. The market and your customers do not care if you have invested thousands of dollars on some technology that may quickly fall out of favor.

One should take the advice of Jack Welch, ex- CEO of General Electric, who once said,

“If the rate of change on the outside exceeds the rate of change on the inside, the end is near.”

For those who have purchased the Amazon Echo or Google Home, you don’t have to look far to see that the outside world is changing faster than the inside. The health insurance and healthcare industries often feel like they are moving at a snail’s pace. Private exchanges were lauded as change, when they really are a reincarnation of cafeteria plans from the ’80s.

See also: Why 2017 Is the Year of the Bot  

With the Trump administration, changes in health insurance legislation may create a shift that empowers the consumer. The industry may need an army of people on the front lines to help the industry move to a whole new paradigm. The vendors will need help and the employers, and employees will need it, too. The technology is there. Alexa is ready. Are you?

5 Insurance Apps to Download Today

Forward-thinking insurance companies are leveraging technology to improve customer experience and differentiate themselves from the competition. Here are the top five insurance apps you should download today, to help with tasks ranging from creating a home inventory to improving your driving skills.

  1. Home Gallery App
    Cost:
    Free
    Benefit: Helps you create a home inventory

A home inventory makes filing an insurance claim easier should your things be stolen or damaged. It also gives you an estimate of how much your possessions are worth, which is helpful when you shop for homeowners insurance. Fortunately, the Home Gallery app from Liberty Mutual makes cataloging your possessions a cinch. The app allows you to take photos of your items, note important information such as purchase price and date and share your inventory with family members or your insurer. Best yet, you can use the Home Gallery app whether or not you’re a Liberty Mutual customer.

  1. Driver Feedback App
    Cost:
    Free
    Benefit: Gives you information to become a better driver

State Farm’s Driver Feedback app helps you become aware of driving habits that increase your chance of being involved in an accident, which could raise your auto insurance premium. The app uses your smartphone’s accelerometer and GPS locator to collect data about how you brake, corner and accelerate. Once you arrive at your destination, the app gives you a score for your trip and offers tips about how to improve your driving.

Using the Driver Feedback app, you can also compare data from one trip with another and share the results via email or text. These features can help new drivers form good driving habits and allow parents to monitor their teen’s performance behind the wheel. Plus, using a driving app is one way your teen might reduce her auto insurance premium. You don’t need to be insured with State Farm to use the app, and your driving data isn’t shared with your insurance company.

  1. Text4Baby App
    Cost:
    Free
    Benefit:
    Provides tips to help expectant moms stay healthy during pregnancy

The Text4Baby app provides pregnant women with a wealth of information to help them have a healthy pregnancy and avoid preventable complications. When a mom signs up, she receives a “starter pack” of messages. Then, every week, she receives three text messages about prenatal care, ranging from doctor appointment reminders to information about symptoms that could warrant concern.

Major insurance providers, like Aetna, CIGNA and Blue Cross and Blue Shield, are Text4Baby “outreach partners.” This means the companies encourage expectant moms to use the app to stay healthy, which can reduce the chance of complications that can make pregnancy-related costs skyrocket.

  1. Infinity App
    Cost:
    Free
    Benefit:
    Allows you to create a secure digital inventory

The MetLife Infinity app gives you the power to create a digital inventory of photos, videos and audio files, plus important documents like wills and insurance policies. The app stores as much as five GB of data in the cloud, and it’s password-protected and permanently backed up. You can organize your information in collections and securely share the information with anyone, from a family member to your insurance agent. You can take advantage of the app even if you’re not a MetLife policyholder.

  1. Defend Your Income
    Cost:
    Free
    Benefit: Explains how a disability can affect your life

Defend Your Income is an online game produced by the Council for Disability Awareness. Its goal is to help you understand how a disability may affect your life. Throughout the game you defend yourself from health-related issues like pregnancy complications, cancer, and respiratory disease. After you complete each round, you answer trivia questions and learn miscellaneous facts about the disability.

By the end of the game, you’re more aware of your disability likelihood and have an idea of how much income you could lose if you become disabled. This information is useful when you’re calculating the amount of disability insurance you need.

These apps are transforming the insurance industry by elevating customer service to a new level. Download one or more of them and then share your experience. We’d love to hear your thoughts.

More Pressure to Protect Health Data

Health plans, insurers and other health plan industry service providers need to ensure that their Internet applications properly safeguard protected health information (PHI), based on a recent warning from Department of Health and Human Services (HHS) Office of Civil Rights (OCR).

The warning comes in a resolution agreement with St. Elizabeth’s Medical Center (SEMC) that settles OCR charges that it breached the Health Insurance Portability and Accountability Act (HIPAA) by failing to protect the security of personal health data when using Internet applications. The agreement shows how complaints filed with OCR by workforce members can create additional compliance headaches for covered entities or their business associates.

With recent reports on massive health plan and other data breaches fueling widespread regulatory concern, covered entities and their business associates should prepare to defend the adequacy of their own HIPAA and other health data security practices. Accordingly, health plans and their employer or other sponsors, health plan fiduciaries, health plan vendors acting as business associates and others dealing with health plans and their management should contact legal counsel experienced in these matters for advice within the scope of attorney-client privilege about how to respond to the OCR warning and other developments to manage their HIPAA and other privacy and data security legal and operational risks and liabilities.

SEMC Resolution Agreement Overview

The SEMC resolution agreement settles OCR charges that SEMC violated HIPAA. The charges stem from an OCR investigation of a Nov. 16, 2012, complaint by SEMC workforce members and a separate data breach report that SEMC made to OCR of a breach of unsecured electronic PHI (ePHI). The information was stored on a former SEMC workforce member’s personal laptop and USB flash drive, and 595 individuals were affected.

In their complaint, SEMC workers complained that SEMC violated HIPAA by allowing workforce members to use an Internet-based document application to share and store documents containing electronic protected health information (ePHI) of at least 498 individuals without adequately analyzing the risks. OCR says its investigation of the complaint and breach report revealed among other things that:

  • SEMC improperly disclosed the PHI of at least 1,093 individuals;
  • SEMC failed to implement sufficient security measures regarding the transmission of and storage of ePHI to reduce risks and vulnerabilities to a reasonable and appropriate level; and
  • SEMC failed to identify and respond to a known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome in a timely manner.

To resolve OCR’s charges, SMCS agreed to pay $218,400 to OCR and implement a “robust corrective action plan.” Although the required settlement payment is relatively small, the resolution agreement merits attention because of its focus on security requirements for Internet application and data use and sharing activities engaged in by virtually every covered entity and business associate.

HIPAA-Specific Compliance Lessons

OCR Director Jocelyn Samuels said covered entities and their business associates must “pay particular attention to HIPAA’s requirements when using Internet-based document sharing applications.” She stated that, “to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

The resolution agreement makes clear that OCR expects health plans and other covered entities and their business associates to be able to show both their timely investigation of reported or suspected HIPAA susceptibilities or violations as well as to self-audit and spot test HIPAA compliance in their operations. The SEMC corrective action plan also indicates covered entities and business associates must be able to produce evidence showing a top-to-bottom dedication to HIPAA, to prove that a “culture of compliance” permeates their organizations.

Covered entities and business associates should start by considering the advisability for their own organization to take one or more of the steps outlined in the “robust corrective action plan,” starting with the specific steps that SEMC must take:

  • Conducting self-audits and spot checks of workforce members’ familiarity and compliance with HIPAA policies and procedures on transmitting ePHI using unauthorized networks; storing ePHI on unauthorized information systems, including unsecured networks and devices; removal of ePHI from SEMC; prohibition on sharing accounts and passwords for ePHI access or storage; encryption of portable devices that access or store ePHI; security incident reporting related to ePHI; and
  • Inspecting laptops, smartphones, storage media and other portable devices, workstations and other devices containing ePHI and other data devices and systems and their use; and
  • Conducting other tests and audits of security and compliance with policies, processes and procedures; and
  • Documenting results, findings, and corrective actions including appropriate up-the-ladder reporting and management oversight of these and other HIPAA compliance expectations, training and other efforts.

Broader HIPAA Compliance and Risk Management Lessons

Covered entities and their business associates also should be mindful of more subtle, but equally important, broader HIPAA compliance and risk management lessons.

One of the most significant of these lessons is the need for proper workforce training, oversight and management. The resolution agreement sends an undeniable message that OCR expects covered entities, business associates and their leaders to be able to show their effective oversight and management of the operational compliance of their systems and members of their workforce with HIPAA policies.

The resolution agreement also provides insights to the internal corporate processes and documentation of compliance efforts that covered entities and business associates may need to show their organization has the required “culture of compliance.” Particularly notable are terms on documentation and up-the-ladder reporting. Like tips shared by HHS in the recently released Practical Guidance for Health Care Governing Boards on Compliance Oversight, these details provide invaluable tips.

Risks and Responsibilities of Employers and Their Leaders

While HIPAA places the primary duty for complying with HIPAA on covered entities and business associates, health plan sponsors and their management still need to make HIPAA compliance a priority for many practical and legal reasons.

HIPAA data breach or other compliance reports often trigger significant financial, administrative, workforce satisfaction and other operational costs for employer health plan sponsors. Inevitable employee concern about health plan data breaches undermines employee value and satisfaction. These concerns usually require employers to expend significant management and financial resources to respond.

The costs of investigation and redress of a known or suspected HIPAA data or other breach typically far exceed the actual damages to participants resulting from the breach. While HIPAA technically does not make sponsoring employers directly responsible for these duties or the costs of their performance, as a practical matter sponsoring employers typically can expect to pay costs and other expenses that its health plan incurs to investigate and redress a HIPAA breach. For one thing, except in the all-too-rare circumstances where employers as plan sponsors have specifically negotiated more favorable indemnification and liability provisions in their vendor contracts, employer and other health plan sponsors usually agree in their health plan vendor contracts to pay the expenses and to indemnify health plan insurers, third party administrators and other vendors for costs and liabilities arising from HIPAA breaches or other events arising in the course of the administration of the health plan. Because employers typically are obligated to pay health plan costs in excess of participant contributions, employers also typically would be required to provide the funding their health plan needs to cover these costs even in the absence of such indemnification agreements.

Sponsoring employers and their management also should be aware that the employer’s exception from direct liability for HIPAA compliance does not fully insulate the employer or its management from legal risks in the event of a health plan data breach or other HIPAA violation.

While HIPAA generally limits direct responsibility for compliance with the HIPAA rules to a health plan or other covered entity and their business associates, HIPAA hybrid entity and other organizational rules and criminal provisions of HIPAA, as well as various other federal laws, arguably could create liability risks for the employer. See, e.g., Cyber Liability, Healthcare: Healthcare Breaches: How to Respond; Restated HIPAA Regulations Require Health Plans to Tighten Privacy Policies and Practices; Cybercrime and Identity Theft: Health Information Security Beyond. For example, hybrid entity and other organizational provisions in the HIPAA rules generally require employers and their health plan to ensure that health plan operations are appropriately distinguished from other employer operations for otherwise non-covered human resources, accounting or other employer activities to avoid subjecting their otherwise non-covered employer operations and data to HIPAA Rules. To achieve this required designation and separation, the HIPAA rules typically also require that the health plan include specific HIPAA language and the employer and health plan take appropriate steps to designate and separate health plan records and data, workforces and operations from the non-covered business operations and records of the sponsoring employer. Failure to fulfill these requirements could result in the unintended spread of HIPAA restrictions and liabilities to other aspects of the employer’s human resources or other operations. Sponsoring employers will want to confirm that health plan and other operations and workforces are properly designated, distinguished and separated to reduce this risk.

When putting these designations and separations in place, employers also generally will want to make arrangements to ensure that their health plan includes the necessary terms and that the employer implements the policies necessary for the employer to provide the certifications to the health plan that HIPAA will require that the health plan receive before HIPAA will allow health plan PHI to be disclosed to the employer or its representative for the limited underwriting and other specified plan administration purposes permitted by the HIPAA rules.

Once these arrangements are in place, employers and their management also generally will want to take steps to minimize the risk that their organization or a member of the employer’s workforce honors these arrangements and does not improperly access or use health plan PHI systems in violation of these conditions or other HIPAA rules. This or other wrongful use or access of health plan PHI or systems could violate criminal provisions of HIPAA or other federal laws making it a crime for any person – including the employer or a member of its workforce – to wrongfully access health plan PHI, electronic records or systems. Because  health plan PHI records also typically include personal tax, Social Security information that the Internal Revenue Code, the Social Security Act and other federal laws generally would require the employer to keep confidential and to protect against improper use, employers and their management also generally should be concerned about potential exposures for their organization that could result from improper use or access of this information in violation of these other federal laws. Because HIPAA and some of these other laws under certain conditions make it a felony to violate these rules, employer and their management generally will want to treat compliance with these federal rules as critical elements of the employer’s federal sentencing guideline and other compliance programs.

Employers or members of their management also may have an incentive to promote health plan compliance with HIPAA or other health plan privacy or data security requirements.

For instance, health plan sponsors and management involved in health plan decisions, administration or oversight could face personal fiduciary liability risks under ERISA for failing to act prudently to ensure health plan compliance with HIPAA and other federal privacy and data security requirements.. ERISA’s broad functional fiduciary definition encompasses both persons and entities appointed as “named” fiduciaries and others who functionally exercise discretion or control over a plan or its administration. This fiduciary status and risk can occur even if the entity or individual is not named a named fiduciary, expressly disclaims fiduciary responsibility or does not realize it bears fiduciary status or responsibility. Because fiduciaries generally bear personal liability for their own breaches of fiduciary duty as well as potential co-fiduciary liability for fiduciary breaches committed by others that they knew or prudently should have known, most employers and members of their management will make HIPAA health plan compliance a priority.

Furthermore, most employers and their management also will appreciate the desirability of taking reasonable steps to manage potential exposures that the employer or members of its management could face if their health plan or the employer violates the anti-retaliation rules of HIPAA or other laws through the adoption and administration of appropriate human resources, internal investigation and reporting, risk management policies and practices. See Employee & Other Whistleblower Complaints Common Source of HIPAA Privacy & Other Complaints.

Manage HIPAA and Related Risks

At minimum, health plans and their business associates should move quickly to conduct a documented assessment of the adequacy of their health plan internet applications and other HIPAA compliance in light of the Resolution Agreement and other developments. Given the scope and diversity of the legal responsibilities, risks and exposures associated with this analysis, most health plan sponsors, fiduciaries, business associates and their management also will want to consider taking other steps to mitigate various other legal and operational risks that lax protection or use of health plan PHI or systems could create for their health plan, its sponsors, fiduciaries, business associates and their management. Health plan fiduciaries, sponsors and business associates and their leaders also generally will want to explore options to use indemnification agreements, liability insurance or other risk management tools as a stopgap against the costs of investigation or defense of a HIPAA security or other data breach.

Yet Another Data Breach in Healthcare

CareFirst BlueCross BlueShield stepped forward on Wednesday to disclose yet another major breach of a health care insurer, this one affecting 1.1 million people.

Hackers accessed a database to steal the names, user names, birth dates, email addresses and subscriber ID numbers of about 1.1 million current and former CareFirst customers and business partners.

The company said that no passwords were taken because those are encrypted and stored in a separate system, and that no Social Security numbers, medical claims or credit cards appeared to be compromised.

But Richard Blech, CEO of encryption company Secure Channels, was critical of CareFirst, saying the company trivialized what was hacked in the data breach.

“The data stolen is enough to ruin someone’s life,” Blech says. “Trying to mitigate the damage should not be the goal. Heath insurance firms cannot ignore the responsibility to protect their customers.”

Dave Frymier, chief information security officer at Unisys, concurs. “Breaches like this can literally create life-or-death issues for consumers,” Frymier says. “If stolen health records are used to obtain care by a criminal, fraudulently purchased medical procedures are listed on the records of people who did not have the procedures. That can create critical medical issues in the future. Organizations seem to only invest in cybersecurity after they are attacked. Few seem willing to invest to prevent the attacks in the first place.”

Baltimore-based CareFirst is the third health care insurer to disclose a major data breach this year, following Anthem, which had the records of 80 million people compromised, and Premera Blue Cross, which saw data for 11 million people exposed.

Why is the healthcare industry being targeted by data thieves? The basic explanation is two-fold: The type of data that health care organizations amass – ranging from research work to patient records – has high value in the cyber underground; and the industry currently exhibits uniformly poor security policies and practices.

​“Healthcare companies are prime targets for hackers,” says Greg Kazmierczak, CTO of data security vendor Wave Systems. “Not only should the database have been encrypted, but access to the database should have been protected by two-factor authentication. Without strong encryption and access management, expect medical fraud and identity theft to run unchecked.”

The question of the moment: How many more major data breaches will have to be disclosed before healthcare organizations move assertively to shore up security?

“It’s time for the healthcare entities to shift gears to modern data-security defenses and join their peers in other industries who’ve already learned how to mitigate these threats,” says Mark Bower, global product management director at HP Security Voltage.

The data breach was discovered after CareFirst retained forensics firm Mandiant to audit its security systems. Mandiant found evidence of access to a single database containing data originating from CareFirst’s websites and online services. Anyone who created profiles on the insurer’s website before June 20, 2014, was affected.

Other healthcare organizations are likely to conduct similar audits. Security experts predict that disclosure of other major hacks will be forthcoming, for some time to come.

“The medical industry as a whole has to up its game in security maturity, especially basics like patching, security controls and incident detection,” says Gavin Reid, vice president of threat intelligence at network security firm Lancope.

Ken Westin, senior security analyst at Tripwire, adds: “In general, healthcare organizations are not prepared for the level of sophistication associated with the attacks that are coming at them. As we saw with the recent tidal wave of retail breaches, attackers often take advantage of vulnerabilities that are endemic within an industry.”

In the meantime, the burden rests with the individual consumer to limit dissemination of personal data in the health care field.

“Share only with trusted providers that have a need to know,” Lancope’s Reid advises. “Be vigilant if you ever come across a medical bill in your name that covers services you didn’t receive – even if there is no associated bill or charge.”

Meanwhile, healthcare organizations need to embrace a security mindset from the board room to the patient room. Until that happens, data thieves will continue to plunder their employee, patient and partner data.

“Ongoing assessments and tests are critical to identifying areas of vulnerability before sensitive data is at risk, especially since many breaches aren’t obvious to the organization,” says Jay Schulman,  managing principal at Cigital. ‘It’s not only about building effective software that adhere to compliance standards, but healthcare  organizations also need to build security in so that applications and software can tell you when something is going wrong.”