The internet, mobile apps, email, chat ... technology today has made it easier than ever to access our healthcare information. But that also opens the door to cybercriminals and data theft. So, what is Quantum Health doing to protect your information? We sat down with Information Security Manager Michael Morabito to find out.
QH: Michael, can you explain exactly what HIPAA is and why it's important?
MM: HIPAA—the Health Insurance Portability and Accountability Act—was passed in 1996 to ensure the confidentiality and security of protected health information (PHI).
At Quantum Health, every single person must sign a HIPAA agreement when they are hired. It is a HUGE part of our three-month new hire training program to weed out people we don't think we can trust. Before we let anyone near our members' PHI, we make sure they are trustworthy and understand the burden and responsibility of having access to that data.
HIPAA is a huge part of our culture. Once a month, we come together as a company to discuss it. And, everyone must sign a new HIPAA agreement each year. I spent 15 years in a Fortune 20 company and we never had this much interaction around HIPAA training. We can do it here because culture is hugely important to what we do.
QH: What types of member information do we protect?
MM: We don't have payment or credit card data so we don't have those specific worries. However, what we do have is healthcare information, claim data, eligibility information and social security numbers.
Knowing eligibility, who is and who is not covered by their health plan, wouldn't help a cybercriminal to steal someone's identity—they need social security numbers. We receive social security numbers on a daily basis because almost everyone in the medical industry uses social security numbers as a unique identifier. Some of our clients' plan members must maintain a certain number of hours per week to stay eligible and this list tells who is going in and out of plan eligibility.
We also have claim data, which may or may not be considered sensitive information. To us—and the law—it doesn't matter whether someone visited a provider for a cold or an STD. It is our job to protect that information at all costs.
QH: What measures do we take to keep our members' data safe?
MM: Multiple levels of state-of-the-art technology. At the very basic level, we have good, strong firewalls. We also encrypt ALL of our data. Encryption stops two things: a criminal stealing a hard drive or tapping into a transmission. Everything that enters or leaves our network goes through a number of scanners. Information such as social security numbers, doctor names and drug codes is just plain stopped. If I pulled out a list of patient data, opened up my Gmail account, copied and pasted that information into an email and tried to send it out, it would be stopped. An alert would go off and someone from the incident response team would be standing at my desk in seconds asking me what I was doing.
All of our data is stored in very safe, professionally run data centers. We also have extensive plans for a worst-case scenario situation—if we ever lost data, or if it was ever stolen, we have contracts with an identity theft protection company and would immediately offer their services to all of our members. We have a legal team, forensics experts, communications and more ready and at the wait.
QH: Any new anti-scamming technology out there that we are using or will be using in the future?
MM: One of the greatest challenges healthcare organizations face is having to write their own internal software ... including Quantum Health. Our proprietary software is very complex. We are the only ones who understand it. As we continue to develop this software to meet the ever-evolving needs of our clients and partners, we need test environments and data. Unfortunately, it is very difficult to provide a high level of quality doing tests with purely fake data, so sometimes we test with real data. Technological tokenization (also called static masking) makes it easier for us to turn real data into safe test data so we can produce a high quality application for an exceptional member experience without the risk of using copies of real information.
QH: Any closing thoughts?
MM: At Quantum Health, our culture is everything. I make a point of talking with every new hire class. Even though I'm the Information Security Manager, I talk to them about caring and accountability—and how they need both in equal proportions.