While the largest number of data breaches occur at healthcare providers’ sites, such as hospitals and physician offices, healthcare plans account for the greatest number of health plan member records stolen over the past seven years, according to a study published in JAMA.
This is attributable to extremely large breaches of electronic systems. While these centralized databases offer a wealth of health records that can be used to improve healthcare, it’s important to balance the risks of being hacked against the benefits.
These breaches represent one area where health plan organizations must focus their attention to overcome an increasingly complex regulatory and risk management environment. A fully equipped health information management platform has become a vital requirement for health plan organizations seeking to improve care, member outcomes and ROI.
Balancing Risks of Data-Sharing
While better policies and procedures and the use of encryption have helped reduce easily preventable breaches, more must be done to protect member privacy and mitigate associated costs.
Health data breaches cost the U.S. healthcare industry an estimated $6.2 billion, and 70% of businesses that have experienced ransomware attacks in their workplace have paid to have stolen data returned.
Attackers have learned how to monetize healthcare data, and the number of attack points continues to rise with the use of mobile medical- and health-related apps and as electronic health records (EHRs) become increasingly embedded in clinical settings.
Given all this, health plans should seek a technology-enabled platform that optimizes operational viability, helps to improve member outcomes at reduced costs and ensures data security and privacy. The first step is to look for a vendor that has earned Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) certification.
Understanding HITRUST Benefits
As healthcare data shifts from local infrastructure to the cloud, the ability to control and secure data weakens, creating substantial challenges for health plans and hospitals that need to assess third-party vendors and ensure that data complies with HIPAA and other regulations.
HITRUST sprang from the belief that information security should be the core of the broad adoption of health information systems and exchanges.
HITRUST CSF certification can be used by all organizations to guide them in selecting and implementing the appropriate controls to protect the systems that create, access, store or exchange personal health and financial information. Certification gives organizations detail and clarity related to information security controls tailored to the healthcare industry.
Certification also carries two key advantages: First, it’s designed to examine regulations. During the certification process, an independent assessor uses the HITRUST framework and then submits work papers to HITRUST for scoring and quality assurance. This ensures providers a level of consistency from one assessment to another.
Second, HITRUST performs a gap analysis, which providers can request to help them further assess a vendor’s security posture; this saves substantial resources.
HITRUST CSF certification also includes these benefits:
- Cross-references the requirements from legislative, regulatory, HIPAA, NIST, ISO, state laws and others into one comprehensive framework
- Provides a framework that prepares organizations for new regulations and security risks once introduced
- Ensures compliance and security protection to clients
- Assures payers working with vendors that the platform is compliant, private and secure and meets the necessary requirements of HITRUST CSF certification
- Means a third party assessed the platform and attests to its compliance with globally recognized standards, regulations and business requirements, ensuring data security, privacy and compliance
Full-Spectrum, End-to-End Platform
Health plans should look for an integrated risk-adjustment optimization and quality improvement platform that has HITRUST CSF certification as validation of a commitment to improving the health of healthcare and providing innovative solutions for health plans across the country.
They should offer a platform that provides health plans and provider groups with a comprehensive risk adjustment solution that plays an integral role in helping health plans and risk-bearing entities improve measured quality.
HITRUST CSF is a certifiable framework that gives organizations a comprehensive, flexible and efficient approach to regulatory compliance and risk management. Leveraging nationally and internationally accepted standards, including ISO, NIST, PCI, HIPAA and COBIT, to ensure a comprehensive set of baseline security controls, HITRUST CSF normalizes these security requirements and provides clarity and consistency, reducing the burden of compliance.
HITRUST CSF, the most widely adopted security framework in the U.S. healthcare industry, continues to improve and update its framework, ensuring that organizations are prepared when new regulations and security risks are introduced.
Furthermore, the certified solution should combine risk adjustment and quality improvement services and provide real-time visibility and reporting for risk adjustment analytics, medical record retrieval, HEDIS abstraction, risk adjustment coding, claims and data validation, prospective health assessments, clinical abstraction, member engagement/outreach and provider education. It should also be designed to integrate risk adjustment and quality services to deliver fully transparent insights.
Success in value-based approaches pivots around delivering on total member health, cost and quality rather than relying on the traditional model of maximizing relative value units, revenue and downstream referrals.
The right full-spectrum, end-to-end approach to care empowers health plans and providers to identify gaps in care and manage plan members more productively. Consequently, plan members reap the greatest benefit by being guided toward more preventive care and self-management early in the care process, and their information and privacy remain protected.