The healthcare industry is in a constant state of innovation – not just new tools and technology, but new regulations for sharing health data, and new standards for protecting it.
I interviewed Bill Alfveby, Surescripts Chief Information Security Officer, to better understand why it’s so critical that we balance the opportunities innovation affords us with the need to protect the privacy and security of patient data.
When it comes to security and privacy, what is unique about health information?
Patient health information is incredibly sensitive and is even more valuable than consumer financial information.
Consider that when an individual’s credit card is stolen, there is a limit to their liability. The bank simply cancels their credit card and issues a new one, so the risk to the consumer is contained or eliminated.
Depending on what is included in a patient’s medical record, the data can be used to steal and fraudulently assume the identity of a patient in a wider variety of ways for a longer period of time, making it much more damaging if compromised. Unlike a credit card, you can’t cancel and request a new date-of-birth or social security number.
This is why a complete set of a patient’s healthcare data is worth hundreds of dollars or more, while information like a credit card number sells for less than $5 on the black market.
What are the types of privacy and security mechanisms that Surescripts has in place?
The information that crosses the Surescripts network is critical to patient care, so it's important that we maintain extremely high levels of privacy and security. Healthcare professionals and their patients need to know they can rely on Surescripts, so we've built infrastructure that helps manage security and privacy risks at all levels.
All of our solutions rest on the power of the Surescripts network, built to maintain industry-leading reliability, security and scalability. Our foundational trust fabric creates confidence in data exchange among care providers, the integrity of the system, and how shared data can and cannot be used.
Surescripts has built its privacy and security programs to defend against many different types of threats and attacks. And we spend a lot of time thinking of scenarios and then eliminating the risks we discover.
We think about everything from potential mistakes on the part of well-intentioned employees or partners that could put patient information at risk to malicious individuals who have ever-easier access to increasingly powerful tools for acquiring data. We think about nosy neighbors or potential employers who might seek out a patient’s prescription information without the patient’s knowledge. And we think about the attackers that have seemingly endless resources like organized crime.
Our philosophy is “defense in depth,” which means that we have multiple layers of controls that overlap to better protect our patient data and the integrity of the Surescripts network. These controls span technology, processes and people.
Surescripts protects the privacy and security of personal health information in accordance with applicable data protection laws, including HIPAA and strict privacy and security requirements in our contractual agreements with all participants in the Surescripts Network Alliance.
Surescripts has implemented appropriate privacy safeguards to prevent unlawful use or disclosure of personal health information. We also have a strong governance program so that leaders have visibility into the strength of our controls, and everyone at Surescripts—regardless of their role—has a strong grasp of their obligation to protect patient health information.
What makes our privacy and security measures different from others? What happens if they’re not in place?
Many organizations have deep security mechanisms in place, but there are a few things that make us different.
First, we have the right leadership, which means our executives understand the value of exceptional privacy and security measures. This has fostered a culture of respect for security at Surescripts with shared, companywide security goals.
Second, we have a real passion for testing our security controls, both through our internal testing tools and teams and expert third parties.
Finally, we use our analysis from how real attacks happen and the results of our testing to build our security strategy. We understand that, without a continual focus on finding and fixing any vulnerabilities, data security will quickly erode.
What are the certifications that Surescripts has earned? Why are they important? Why are they so difficult to obtain?
We have an impressive array of security certifications, accreditations and successful audits, including our HITRUST Common Security Framework certification, our EHNAC and DirectTrust accreditations and our SOC 2 Type II audit.
These credentials represent the best-in-class approach to data security and privacy. They are formal reviews of our security program across our people, process and technology that are usually demonstrated by meeting or exceeding hundreds of requirements.
These audits and assessments include testing and sampling our controls to make sure that we actually do what we say we do. And we are transparent in sharing the results of these audits and certifications with our customers. They can see the unique value of what we do to protect the Surescripts network, especially our focus on protecting the data of patients and the people who care for them.
When it comes to the future of privacy and security at Surescripts, what are you most excited about?
First, I’m impressed by how the Surescripts Network Alliance is so willing to partner with us and each other to enhance security across the network. Last year, we focused on adopting stronger forms of encryption in transmission of data. And this year, we integrated valuable security authentication enhancements along with the adoption of NCPDP’s SCRIPT standard v2017071.
Second, as part of our strategy, we continue to make privacy and security the “easy path” for our employees. Any Surescripts team member will tell you that ensuring the privacy and security of data is a full-time exercise conducted at every level of our organization. This includes innovative training and technology that reminds people of the risks and our policies in real-world scenarios.
Finally, as a company, technology is at the heart of what we do. We are using many exciting technical controls that make use of some admittedly common buzzwords like artificial intelligence and machine learning. But the reality is that attackers are always upping their game and further automating their malicious activities, so we are continuously ensuring better end-to-end automation of our detection and defense framework.