Healthcare Security: Three Trends Driving Efficiency and Personalization

By Hugh Tower-Pierce, Chief Security Officer, Oscar

U.S. healthcare has long been a complex system, with numerous hoops to jump through in order for each patient to receive the medical care they need at any moment in time. My background is in finance, which is often regarded as a highly regulated industry. However, since joining tech-driven health insurance company Oscar, I’ve found that healthcare is in a league of its own, with privacy and security requirements that can vary across the federal and state levels, as well as our business partners.

The advent of COVID-19 has further complicated our industry, acting as a pressure cooker for driving innovation: with Americans staying home, we’ve seen a spike in demand for virtual care.

Oscar is no stranger to scaling technology that is nimble. It has been core to our approach since our founding in 2012. We’ve built our own full-stack technology platform around the consumer journey, and related security processes and protocols each step of the way. The Security Team at Oscar incorporates top-level business considerations into everything we do as the company scales – over the past three years alone, our membership has tripled to approximately 420,000 members across 19 U.S. states.

As COVID-19 has accelerated timelines for cross-sector transformation, it has naturally created security challenges – as well as trends in opportunities for accelerating innovation that drives security efficiencies and a better patient experience. Here are three.

Balancing access and personalization

One of the greatest potential advantages of real-time access to data is the ability to tailor experiences and services down to the individual level. At the same time, this opportunity goes hand-in-hand with privacy regulations and fostering member trust.

Protecting patient privacy is critical: our health data is just about as personal as it gets, but ensuring the right people have easy access to information can literally mean life or death. One of Oscar’s core company values is remembering that what we’re doing is a big deal – we’re solving real-world problems that can change people’s actual lives.

As the pandemic has evolved, Oscar has quickly scaled technology to meet member needs, such as by developing a COVID-19 risk assessment survey. We leverage the data from this survey to help guide at-risk members to the right virtual or in-person care, and support healthy members in getting care like prescriptions at home to help flatten the curve.

Naturally, these changes have come with shifting regulations and security practices. One way we’ve built our foundational technology to be adaptive to change is through our approach to identity and access management (“IAM”). We design our access controls so that Oscar Care Teams only have access to member information when it’s essential to their role. Part of the way we enable this is by assigning members dedicated Care Teams, including a few designated Care Guides and a nurse, and limiting access to member information to those teams. We’ve taken a similar approach to the launch of our new Virtual Primary Care product. A team-based approach facilitates efficient, ongoing care delivery and relationships while protecting patient privacy. In our technology, we use a combination of well-understood open source and commercial solutions that we chose because they align with our goals to be adaptive.

Establishing data governance across varied systems and regulations

As I mentioned earlier, U.S. healthcare regulations can vary at the hyper-local level. There’s added complexity depending on what sector your company is in – from insurers like Oscar to providers and vendors – and what type of care is being delivered. Take the example of Oregon: a recent report found that there are over 2,000 regulations that apply to acute care inpatient hospitals in the state.

Data governance is a field that has increased in prominence over the past several years, and one that has exciting potential for healthcare. Governance enables security professionals to speak the same language as other key stakeholders both internally and externally, across product types and markets. We’re embracing this area at Oscar, creating dedicated headcount and work streams within the Security Team. As we continue to expand our lines of business and strategic partnerships, having a team that is dedicated to taxonomy will be critical to getting partners up-to-speed more quickly and scaling across the organization.

Scaling privacy renewals along with user needs

As transformation makes its way across sectors of healthcare and the U.S. as a whole, scalable, consistent processes for renewed privacy and identity management will be essential. Oscar continues to expand to new markets each year, and we plan to significantly grow our geographic footprint for the fourth year in a row in 2021, pending regulatory approval. Expansions bring new partnerships, such as with hospital systems and pharmacies, that are critical to our success in each market. They also bring new requirements for how we handle member information.

Whether we’re onboarding a new provider partner or vetting a new tool like SMS messaging, we conduct third-party risk assessments on our stakeholders who may touch member data. We layer assessments on top of other security practices like access recertification and multi-factor authentication to ensure that we remain a trustworthy custodian of our members’ data as they receive care.

Healthcare is literally and figuratively a lifelong service. True innovation requires thinking about the lifelong cycle of patient experiences and data, and security professionals play a key role in understanding and predicting the risks at each phase of that lifecycle. As our industry changes at the current rapid pace, we work to create repeatable, efficient processes that can be both agile to unexpected change and scalable with growth.
