Healthcare is becoming increasingly digital. We have data being exchanged, patient portals, electronic health records, and much more. Technological innovation in healthcare is progress, especially when it can reduce administrative task burdens, expedite and streamline processes, and improve patient care. However, as we move increasingly online, many healthcare organizations are left wondering how truly safe healthcare data is and what organizations can do to strengthen and ensure security.<\/span><\/p>\n This month, we sat down with Rich Rupp, senior vice president of product at Modio Health, to find out where the real threats are and to discuss how companies can keep their workforce and data safer.<\/span><\/p>\n Modio Health: <\/b>Can you talk about some trends you are seeing in the security space as it pertains to healthcare?<\/span><\/i><\/p>\n Rich Rupp: <\/b>Identity is a big issue, inside and outside of the healthcare sector. And a trend I\u2019m starting to see with all of the data sources we use to gather information for the purpose of credentialing providers is that there\u2019s this growing retraction from using sensitive information to find an individual. So we\u2019re starting to realize, \u201cOkay, I\u2019m using a Social Security number to search for the person, let\u2019s remove the dependency on that and find a safer way.\u201d Date of birth is another very sensitive Personal Identifiable Information (PII) value. In the past, I\u2019d be able to search your name, date of birth, and Social Security number to find you and verify it\u2019s exactly you. Well, we\u2019re now saying, \u201cDon\u2019t give me that information, give me something else that\u2019s public.\u201d So in credentialing, using a provider\u2019s name and license number instead to find them. We\u2019re really trying to drop those sensitive values in the provider credentialing space. We want to use open values that are publicly available as opposed to those that are sensitive and more protected.<\/span><\/p>\n Modio Health: <\/b>What are some more of the bigger trends we\u2019re seeing gaining traction in healthcare related to AI, such as ChatGPT, for example? What are the red flags?<\/span><\/i><\/p>\n Rich Rupp: <\/b>It\u2019s a reality with the advent of ChatGPT and automated tools that we\u2019re actually inadvertently exposing sensitive information to try and create better, more efficient processes. Provider credentialing is ripe for automation, and we are going to look for ways to automate where we can; however, we need to be especially cautious about the prompts and the data that we give to a tool like ChatGPT, for example.\u00a0<\/span><\/p>\n I see a few flags around tools like ChatGPT because we literally don\u2019t know all of the ways that it could be misused. If I were to put a Social Security number into a ChatGPT tool, I don\u2019t know how it behaves when it returns a response to me. I don\u2019t know, on the backend, if the Social Security number I just provided is getting logged into some system that is then being consumed by another process. By doing that, I just gave sensitive information away that\u2019s being recorded by another system.\u00a0<\/span><\/p>\n Additionally there are those systems that are being leveraged to automate malware attacks and phishing attacks. So all of these sources that we\u2019re getting data from, we have to think about what\u2019s being passed back and forth and how to stop passing those sensitive values. Then, when we introduce new tools like ChatGPT in our organizations, we also have to educate users on how to navigate them safely. As a healthcare organization, you might be tempted to introduce a new tool like ChatGPT for the purpose of automating a process or speeding up a process. However, it\u2019s essential to consider what sensitive information you might be giving the tool that allows that information to now leave the organization. It\u2019s helpful to have an organization-wide policy that\u2019s globally applied and consistent when it comes to tools such as this.<\/span><\/p>\n Modio Health: <\/b>How does Modio protect secure provider data, and why is this important?<\/span><\/i>\u00a0<\/b><\/p>\n Rich Rupp: <\/b>At Modio we stay away from HIPAA-related data as well as Payment Card Industry (PCI) data, such as credit card information. We do collect PII, including state licenses, DEA licenses, state-controlled substance licenses, and so forth. So for us, encryption is huge, specifically at the browser level. It\u2019s encryption through the use of a service like Amazon offers called Key Management Service, and then there\u2019s also encryption at the database level. There\u2019s encryption at multiple levels. We also have strict identity and access management policies surrounding who can access what information. An example: We use Okta, a third-party platform for identity and access management for users to safely access OneView, Modio\u2019s cloud-based credentialing solution, ensuring a secure connection between the user and the platform.<\/span><\/p>\n Modio Health: <\/b>How does Modio use data?<\/span><\/i><\/p>\n Rich Rupp: <\/b>We use data for the purpose of credentialing providers. On behalf of our own company that is credentialing providers for our clients, and on behalf of our clients using our system. We by no means will resell data to any other client. We are not an aggregator of data for the purpose of selling that data to other sources, nor do we intend to be. The data is reserved and secured within OneView for its intended purpose \u2014 safely and efficiently credentialing providers.<\/span><\/p>\n Modio Health: <\/b>Any pro tips for how healthcare organizations can avoid falling prey to \u201cbad actors\u201d or phishing schemes?<\/span><\/i><\/p>\n Rich Rupp: <\/b>At Modio, we do have regular security training for our staff, including simulated phishing attempts to our employees on a regular, ongoing basis. If an employee inadvertently clicks or replies to any of the simulated emails, they have to take a mandatory training course surrounding online safety. We\u2019re definitely not trying to trick anyone, but phishing schemes can be pretty sophisticated. and we\u2019re dealing with extremely sensitive information, so it\u2019s incredibly useful to make sure your workforce is aware and alert.<\/span><\/p>\n Modio Health: <\/b>What is the most important thing healthcare organizations can do to protect themselves from data breaches?<\/span><\/i>\u00a0<\/span><\/p>\n Rich Rupp: <\/b>User education is the number one thing to prevent a person from doing the wrong thing. Educate users to be informed, alert, and aware.<\/span><\/p>\n Rich Rupp is VP of Product at <\/span><\/i>Modio Health<\/span><\/i><\/a>. Rich has led product and technology roles with Ancestry, Inflection, QuinStreet, and Niku. He is passionate about his profession, family, music, and the environment.\u00a0<\/span><\/i><\/p>\n <\/p>\n