How Safe Is Your Healthcare Organization’s Data?

“How Safe Is Your Organization’s Data?” Modio sits down with Rich Rupp, Senior Vice President of Product at Modio Health, to take a deeper look at data security and how healthcare organizations can better protect themselves.

Healthcare is becoming increasingly digital. We have data being exchanged, patient portals, electronic health records, and much more. Technological innovation in healthcare is progress, especially when it can reduce administrative task burdens, expedite and streamline processes, and improve patient care. However, as we move increasingly online, many healthcare organizations are left wondering how truly safe healthcare data is and what organizations can do to strengthen and ensure security.

This month, we sat down with Rich Rupp, senior vice president of product at Modio Health, to find out where the real threats are and to discuss how companies can keep their workforce and data safer.

Modio Health: Can you talk about some trends you are seeing in the security space as it pertains to healthcare?

Rich Rupp: Identity is a big issue, inside and outside of the healthcare sector. And a trend I’m starting to see with all of the data sources we use to gather information for the purpose of credentialing providers is that there’s this growing retraction from using sensitive information to find an individual. So we’re starting to realize, “Okay, I’m using a Social Security number to search for the person, let’s remove the dependency on that and find a safer way.” Date of birth is another very sensitive Personally Identifiable Information (PII) value. In the past, I’d be able to search your name, date of birth, and Social Security number to find you and verify it’s exactly you. Well, we’re now saying, “Don’t give me that information, give me something else that’s public.” So in credentialing, using a provider’s name and license number instead to find them. We’re really trying to drop those sensitive values in the provider credentialing space. We want to use open values that are publicly available as opposed to those that are sensitive and more protected.

Modio Health: What are some more of the bigger trends we’re seeing gaining traction in healthcare related to AI, such as ChatGPT, for example? What are the red flags?

Rich Rupp: It’s a reality with the advent of ChatGPT and automated tools that we’re actually inadvertently exposing sensitive information to try and create better, more efficient processes. Provider credentialing is ripe for automation, and we are going to look for ways to automate where we can; however, we need to be especially cautious about the prompts and the data that we give to a tool like ChatGPT, for example. 

I see a few flags around tools like ChatGPT because we literally don’t know all of the ways that it could be misused. If I were to put a Social Security number into a ChatGPT tool, I don’t know how it behaves when it returns a response to me. I don’t know, on the backend, if the Social Security number I just provided is getting logged into some system that is then being consumed by another process. By doing that, I just gave sensitive information away that’s being recorded by another system. 

Additionally, there are those systems that are being leveraged to automate malware attacks and phishing attacks. So all of these sources that we’re getting data from, we have to think about what’s being passed back and forth and how to stop passing those sensitive values. Then, when we introduce new tools like ChatGPT in our organizations, we also have to educate users on how to navigate them safely. As a healthcare organization, you might be tempted to introduce a new tool like ChatGPT for the purpose of automating a process or speeding up a process. However, it’s essential to consider what sensitive information you might be giving the tool that allows that information to now leave the organization. It’s helpful to have an organization-wide policy that’s globally applied and consistent when it comes to tools such as this.

Modio Health: How does Modio protect secure provider data, and why is this important? 

Rich Rupp: At Modio we stay away from HIPAA-related data as well as Payment Card Industry (PCI) data, such as credit card information. We do collect PII, including state licenses, DEA licenses, state-controlled substance licenses, and so forth. So for us, encryption is huge, specifically at the browser level. It’s encryption through the use of a service like Amazon offers called Key Management Service, and then there’s also encryption at the database level. There’s encryption at multiple levels. We also have strict identity and access management policies surrounding who can access what information. An example: We use Okta, a third-party platform for identity and access management for users to safely access OneView, Modio’s cloud-based credentialing solution, ensuring a secure connection between the user and the platform.

Modio Health: How does Modio use data?

Rich Rupp: We use data for the purpose of credentialing providers. On behalf of our own company that is credentialing providers for our clients, and on behalf of our clients using our system. We by no means will resell data to any other client. We are not an aggregator of data for the purpose of selling that data to other sources, nor do we intend to be. The data is reserved and secured within OneView for its intended purpose — safely and efficiently credentialing providers.

Modio Health: Any pro tips for how healthcare organizations can avoid falling prey to “bad actors” or phishing schemes?

Rich Rupp: At Modio, we do have regular security training for our staff, including simulated phishing attempts to our employees on a regular, ongoing basis. If an employee inadvertently clicks or replies to any of the simulated emails, they have to take a mandatory training course surrounding online safety. We’re definitely not trying to trick anyone, but phishing schemes can be pretty sophisticated, and we’re dealing with extremely sensitive information, so it’s incredibly useful to make sure your workforce is aware and alert.

Modio Health: What is the most important thing healthcare organizations can do to protect themselves from data breaches? 

Rich Rupp: User education is the number one thing to prevent a person from doing the wrong thing. Educate users to be informed, alert, and aware.

Rich Rupp is VP of Product at Modio Health. Rich has led product and technology roles with Ancestry, Inflection, QuinStreet, and Niku. He is passionate about his profession, family, music, and the environment.