In The Wake Of The Change Healthcare Attack, Here’s Why A Data-Secure Approach To Population Health Matters
Fallout from the cybersecurity attack on Change Healthcare, which touches one out of every three patient records, continues to reverberate throughout the industry. Now, as health plans continue to seek ways to deploy population health management initiatives at scale, they are even more keenly aware of the need to mitigate the security risks that come with sharing sensitive information. In this interview, Matthew Fahner, COO of Chordline Health, shares what healthcare leaders should consider in protecting population health data from cyberthieves.
Why should the Change Healthcare cyberattack be a top-of-mind concern when it comes to population health management?
Population health data is among the most sensitive data a healthcare organization can possess, particularly when it comes to information around social determinants of health (SDOH), or the conditions in which people live, work, learn, play and worship. These factors affect nearly half of healthcare outcomes, and many patients are reluctant to share this information even with their providers.
In fact, a survey by the Office for the National Coordinator for Health Information Technology (ONC)—shared during the ONC’s annual meeting this past December—reveals patients fear SDOH information will be used against them. They wonder, “How will the information be perceived by a clinician, and will it be used against me? Will I still get the help I need?”
So imagine what would happen if population health management data were breached during a cyberattack. We know that Change Healthcare alone touches one out of three patient records. If an organization as well-capitalized as Change Healthcare is susceptible to a large-scale attack by cyberthieves, so, too, are healthcare organizations with far fewer resources. The damage to an organization’s relationships with patients and its brand if a population health data breach could be irreparable. It’s one reason why healthcare providers must think carefully about the security protections in place for a population health management platform as they assess their current platform or evaluate a new one.
Are there also security risks associated with the use of artificial intelligence (AI) to analyze population health data and predict patient behavior, including around utilization?
There is definitely a need for guardrails around the use of AI in healthcare, including for population health management. A recent survey found few health systems have formal policies that address the use of AI. Just 16% have a systemwide governance policy in place. While some organizations have formed committees to develop AI-specific policies, just one-third of those that do have an AI governance policy in place have updated their policy in the past year—despite the introduction of generative AI. In fact, just 11% of healthcare organizations responding to the survey have adopted policies specific to generative AI.
When it comes to population health management, it’s important to recognize that guardrails around the use of AI should exist not just at the organizational level, but also at the SaaS provider level. This ensures your population health platform is protected not only from threats against your internal systems, but also on the vendor side—the risk you can’t control.
It’s important to note that a population health management platform doesn’t require AI to be effective. In fact, predictive analytics and automation are powerful drivers of value in modern population health platforms, delivering actionable information to clinicians when and where they need it most. For instance, health plans and health systems can put automation into play to prioritize where team members focus. When powered by advanced analytics, this approach strengthens care team response by pointing to targeted interventions that matter most.
What type of security protections should healthcare providers and health plans expect from their population health platform vendor?
With population health management models that rely on public cloud-based software, it’s important to assess not only whether the SaaS provider has the necessary security certifications, but also that its vendors do as well. Look for a SaaS platform that is HIPAA-, SOC2- and HITRUST-compliant. Make sure, too, that the vendor leverages third-party entities to validate its approach to security, internally and externally. Ask to see the results of vulnerability scans and penetration tests.
At Chordline Health, we contract with third-party security firms to conduct quarterly vulnerability scans and annual penetration tests and share the results with our customers. We also have automated safeguards in place that query content every six minutes to ensure the system is in compliance. If a concern arises, services are automatically shut down as the issue is addressed.
How does the Change Healthcare cyberattack change contemporary thinking when it comes to the need for cybersecurity insurance?
Just two years ago, a cybersecurity insurance policy valued at $5 million was considered adequate coverage for a SaaS provider. Now, some healthcare organizations request proof of coverage as high as $25 million before signing on with a vendor due to the level of risk involved.
Find out not just whether a population health management provider is insured in the event of a cyberattack, but also to what extent.Also important: Ask what percentage of that coverage could be applied toward retrieving any breached data in the event of an attack. Cyber insurance policies can help cover the financial losses that result from cyber events and incidents. Such coverage often helps with the costs associated with remediation as well.
What are other ways healthcare organizations can mitigate the risks associated with population health management?
The very nature of population health management involves sharing of information from multiple entities across multiple systems. That’s why it’s critical that healthcare leaders anticipate the risk of exposure to cybersecurity threats from systems that lie outside the healthcare organization’s control. For example, as the use of AI proliferates in healthcare—including among vendors—the potential for sensitive patient data to be leaked when AI-powered analysis is incorporated increases. Now is the time to ask tough questions of your population health management vendor around how your information is protected and their capabilities for response in the event of a cyber event. Your organization’s relationships with patients and its standing in the healthcare community depend on due diligence.
About Matthew Fahner, CCSA, COO of Chordline Health
Matt has 15 years of experience in information systems. As COO of Chordline, he ensures that all Chordline products align not only with clients’ clinical needs but also with their technology needs, including clinical/technical communication barriers, data security, and data integration. With a background including system administration, software development, and implementation, he understands the inherent challenges related to healthcare software. Working with his US-based team, Matt oversees the design, development, and support of all Chordline products. Matt holds a BS in Computer Science.