Encrypt Everything and Trust No One

You know your healthcare organization’s leadership is concerned with security – this much isn’t new. But mounting digital security concerns simply pile on to the basic patient privacy and security concerns already well known in all healthcare organizations. While other industries like retail contend with breaches of credit information, your responsibility is greater and more complicated. Breaches of healthcare data can involve much more sensitive information. You and every other member of the organization must act with due care to avoid harm to patients or their families. So, how do you protect your healthcare consumer data?

First, encrypt everything, everywhere possible. But don’t stop there!

Secondly, ensure that your systems (including vendor systems) adhere to the principle of least privilege, the concept that only authorized individuals, processes, or systems have access to information on a need-to-know basis. Key to this concept is proper assignment of roles and access rules for users.

Third, use constrained user interfaces. A constrained user interface is one that doesn’t even present the choice of functionality to a non-authorized user. So each user only sees the functions available to his or her account.

Fourth, audit all user actions, views, reports generated. Make a trail for forensic analysis by your security teams should a security or privacy investigation be merited.

The guidelines above are designed to avoid certain known problems – for example, granting access too widely. Consider the case where anyone who does have access to your consumer data ends up with access to all of your consumer data, no matter their role or knowledge of PHI (or other) compliance requirements.

Imagine also the case where data from your healthcare CRM is needed for a targeted campaign for free cancer screenings and is sent in batch to the marketing department to build a list for social advertising. Either someone with the essential PHI knowledge has to manually clean that data – a time consuming process – or the marketing department receives sensitive, unnecessary information about diagnoses and morbid conditions, violating PHI.

Now imagine a technology solution with built-in rules-based permissions so that different departments and roles can access only the information they need without seeing any private information that violates PHI. In our example above, your marketing department then has advanced capabilities for segmenting and modeling your consumer base in order to build a list for an audience with a propensity to respond to any number of campaigns for awareness or engagement while your clinical officers can build population health campaigns based on clinical data they’re allowed to have access to.

Why Rules Matter 
The age of information is here. We’re dealing with an amount of data unprecedented in human history. But, without knowing how to segment that data and create predictive models from it, it’s essentially useless. Marketers need: models to create look-alike audiences to create more engaging campaigns and personalization segmentation to create relevant and valuable content and offers plus advanced capabilities to send things like lapsed screening reminders based on when the last time a consumer had something like a mammogram with no diagnosis of breast cancer or mastectomy procedure.

Clinicians need: segments based on risk-level to help with population health and care coordination campaigns and segments for other communication from appointment and medication reminders to bill pay. Understanding big data and security for that data are and will continue to be major concerns for your healthcare organization. The key to protecting your consumers while still making use of your data is to have a foundation in known security practices such as least privilege. Finding a technology partner that understands these rules, and the importance of healthcare security specifically, will help turn your big data into actionable insights that drive better population health and consumer experiences.

Related Taxonomy
  - Privacy