Establishing a Data-Secure Approach to Population Health Management: 3 Tips

By Matthew Fahner, CCSA, COO, Chordline Health

Fallout from the cybersecurity attack on Change Healthcare, which touches one out of every three patient records, continues to reverberate throughout the industry. Now, as health plans and systems continue to seek ways to deploy population health management initiatives at scale, they are even more keenly aware of the need to mitigate the security risks that come with sharing sensitive data.

Population health management data is among the most sensitive data a health plan or healthcare organization can possess. There is already a fair amount of concern among consumers around how healthcare organizations protect information such as data related to social determinants of health (SDOH). This data encompasses the nonclinical factors that impact a person’s health, like access to healthy food, stable housing and transportation. A survey by the Office of the National Coordinator for Health Information Technology (ONC) found four out of 10 people are not comfortable sharing SDOH data.*

Imagine, then, the ways in which a data breach would affect patients’ willingness to be open about their SDOH risk factors — and the impact that lack of access to this data would have on managed care organizations’ ability to strengthen health outcomes.

That’s why it’s important that organizations take the right steps to safeguard this data. Here are three things to consider in evaluating a population health platform to protect sensitive data from cyberthieves. 

Ascertain whether a platform — and all of its vendors — has the necessary certification. To protect sensitive health data, Chordline Health puts security first by design. As such, we only partner with best-in-breed vendors, including a market leader for healthcare cloud computing, to ensure we deliver a HIPAA-, SOC2- and HITRUST-compliant SaaS platform our clients can trust. With SaaS, which is a public cloud-based software model, it is critical to ensure you’re partnering with the right vendor.

In addition to having the right certifications, it's also important to know whether a potential vendor uses third-party entities to validate its security. For instance, at Chordline, we contract with third-party security firms to conduct quarterly vulnerability scans and annual penetration tests and share the results with our customers. We also have in place automated safeguards that query content every six minutes to ensure the system is in compliance — to the point where services will be terminated if something concerning is found. 

Explore a vendor’s change management practices. As the use of artificial intelligence (AI) proliferates in healthcare, industry leaders need to think about how their approach to AI affects the security of their population health management platform. Because these platforms send and receive data from external models that are outside of an organization’s control, there’s potential for sensitive patient information leaks when AI-powered analysis is incorporated.

A recent study conducted by the Center for Connected Medicine and KLAS Research found that very few health systems have written formal policies addressing the use of AI, and even fewer have policies specific to generative AI. Only 16% of health system leaders who responded to the survey said their organization had a systemwide governance policy in place. However, many respondents said their organizations recognized the need for serious oversight, reporting that their health systems have formed governance committees of senior executives from various departments to oversee AI.

To protect against the potential leakage of patient data, organizations should form governance models to establish guardrails around the use of AI not only at the organizational level, but also at the SaaS provider level. When done properly, change management should lay out a step-by-step process to identify a challenge, make changes and execute successfully, according to the Harvard T.H. Chan School of Public Health.

Find out whether they’re insured in the event of a cyberattack — and to what extent. When evaluating a SaaS population health management vendor, ask what level of insurance it carries should you be hacked, and how much cybersecurity coverage the policy would provide to recover any breached data. Cyber insurance policies can help cover the financial losses that result from cyber events and incidents, and such coverage often helps with the costs associated with remediation.

Cybersecurity insurance coverage depends on the level of risk but can range between $10 and $20 million, in Chordline Health’s experience. A couple of years ago, $5 million was considered adequate coverage, but the level of risk has ratcheted up to the point where some organizations even request coverage as high as $25 million.

As the speed of technology increases, and as AI increasingly becomes part of the mix, data is being shared in new ways. To keep up, organizations have had to rethink how they’re securing their infrastructure and complying with Centers for Medicare & Medicaid Services regulations, such as the prior authorization rule and requirements around implementation and maintenance of certain interoperability standards.


* Shared during the ONC Annual Meeting, December 2023.
