Protecting Healthcare Data: Part 1 – A Conversation with HealthAxis Experts


For this year’s Data Privacy Day, we sat down with our very own Tony Gambino, Cyber Security Engineer, Ralph Pugh, Information Security Analyst III, and Milonda Mitchell, Compliance Officer, to discuss the future of data privacy in the healthcare world.  

In this two-part blog series, we will break down the following:  

  • Risks and Challenges with Data Privacy 
  • Emerging Trends in Cybersecurity 
  • How HealthAxis Addresses Data Privacy 
  • Essential Technologies 
  • Regulations and Compliance Around Healthcare-related Data Privacy 

What Is Data Privacy Day? 

Data Privacy Day was first initiated in Europe in 1981 as “Data Protection Day,” marking the signing of Convention 108 on January 28th, the first legally binding international treaty dealing with privacy and data protection. In more recent years, this day has become known as “Data Privacy Day” and is celebrated across the world.1 

The National Cyber Security Alliance (NCSA) assumed leadership of Data Privacy Day in 2011. A distinguished advisory committee of privacy professionals advises the NCSA, which is a nonprofit, public-private partnership dedicated to promoting a safer, more secure, and more trusted Internet. 

In the context of healthcare, this translates to the protection of member information, a responsibility that healthcare payers take seriously. The Health Insurance Portability and Accountability Act (HIPAA) in the United States is a testament to the importance of data privacy, ensuring that member information is kept confidential and secure.  

Q: Why is data privacy more critical than ever in the healthcare insurance industry today?  

Ralph: The rise of data-sharing initiatives, interoperability standards, and artificial intelligence introduces new privacy concerns, requiring healthcare payers to adopt robust safeguards to maintain trust and regulatory compliance. In the world of healthcare, data privacy transcends regulatory compliance—it directly impacts real lives. Safeguarding our members’ sensitive information is more than a duty; it’s a daily commitment to trust. 

Tony: Data privacy is more critical than ever due to the increasing digitization of healthcare, the proliferation of interconnected systems, and the growing reliance on electronic health records (EHRs). Healthcare payers are prime targets for cyberattacks because the data they handle—medical histories, financial information, and personal identifiers—is incredibly sensitive and lucrative on the black market. 

Q: What are some of the emerging trends in cybersecurity that healthcare payers should be prepared for?

Ralph: As we see regulations continually evolve, this creates a moving target for healthcare organizations trying to keep member data safe and compliant.  

  • Technology Transformations: AI-driven analytics are becoming more common. These innovations now require fresh thinking about increased security measures. For example, we now have to look at keeping data safe when it moves from a smartwatch to a provider’s network to a plan’s claims processing system. 
  • Rising Cyberthreats: Phishing and malware are just two examples of growing cyber threats. KnowBe4 recently shared that last year saw a 40% increase in phishing attacks coming from generic top-level domains (gTLDs),2 as well as a 703% increase in credential phishing attacks.3 These are topics that members should be made aware of while avoiding fearmongering. 
  • Balancing Speed and Security: Innovation in claims processing is fantastic for quicker reimbursements but ensuring IT and Security teams have fully vetted and tested the technology is key. Pushing the envelope on efficiency is a common goal among companies, but taking time to understand these new processes and test their security is the best way to keep member data secure. 

Tony: 

  • Ransomware-as-a-Service (RaaS): Increasingly sophisticated ransomware attacks are targeting healthcare organizations, requiring advanced detection and response strategies. Setting up regular tests and training for this kind of attack will help decrease the risk and improve the internal culture around privacy awareness.  
  • Zero Trust Architecture: Healthcare payers are moving toward “never trust, always verify” models to limit insider and external threats. Having systems in place like 2-factor authentication (2FA) helps mitigate instances where internal accounts can be accessed.  
  • AI-Driven Threat Detection: Artificial intelligence is being used for real-time threat monitoring and predictive analytics. This is a great way to ensure your systems are being monitored at all times, for example, during non-work hours and holidays.  
  • Third-Party Risk Management: Increased reliance on vendors and partners necessitates stronger oversight of external risks. Taking the time to review all third-party vendors and their own technology and processes can help mitigate risks when onboarding a new partner. Once onboarded, regular risk management testing and analysis is ideal to maintain security.  
  • Data Privacy Enhancements: With regulations tightening, healthcare payers must adopt encryption, anonymization, and secure data-sharing practices. These safeguards can be done both by internal security and IT teams. However, it is ideal to have a trusted third-party company analyze your security practices to ensure data protection.  


Q: How does HealthAxis currently address the unique cybersecurity challenges in the healthcare industry? 

Ralph: At HealthAxis, we are constantly monitoring our defenses. This includes rigorous testing, both from internal and external sources. We employ a Security Operations Center (SOC) that monitors our applications 24/7/365, on top of our own team’s monitoring.   

Staying ahead of the threat is vital to protecting the data. HealthAxis implements monthly external third-party phishing simulations, quarterly internal phishing exams, as well as yearly external third-party penetration testing.   

Tony: Comprehensive training ensures our teams are equipped to identify and mitigate security risks effectively. This includes training that strengthens awareness and promotes compliance with a focus on reducing human error. A well-trained team fosters a workplace culture that prioritizes security, encouraging proactive behavior like reporting incidents and following best practices for data protection. 

Q: What technologies are essential for maintaining data privacy? 

Ralph:  

  • Advanced Encryption Standards: All sensitive data should be encrypted in transit and at rest, ensuring secure communications and storage. 
  • Real-time Threat Monitoring: Continuous surveillance of networks and systems can ensure quick detection and response to threats as they arise, ensuring that potential security breaches are identified and mitigated swiftly. This proactive approach helps to safeguard sensitive information against emerging cyber threats. 
  • Regular Security Audits: Frequent internal and external audits ensure systems align with the latest industry standards and regulations. This can also help detect and avoid new types of threats, as they are continuously evolving. 
  • Anonymization: This best practice includes employing data anonymization techniques to protect personal and sensitive information while removing or masking identifiers that tie data to specific individuals. This not only helps in compliance with privacy laws but also minimizes the risk of data misuse in the event of a data breach. 

Tony:  

  • Employee Training Programs: Comprehensive training ensures our teams are equipped to identify and mitigate security risks effectively. Not only is it vital to have an internal training program in place, but utilizing third-party training programs is a great way to keep your team up to date on the latest cybersecurity trends. According to KeepNet, cyber security awareness training leads to a 70% reduction in security-related risks.4 
  • Zero Trust Framework: We limit access to sensitive systems based on strict authentication and continuous verification protocols. Imprivata came out with a study that shows 65% of cyberattacks could have been prevented with 2FA.5 
  • System and Application Updates: Regularly updating systems and applications is essential for maintaining data security. Software vendors frequently release patches to address newly discovered vulnerabilities that cyber attackers could exploit. Keeping operating systems, applications, and security software up to date ensures protection against known threats, minimizes the risk of breaches, and enhances overall system performance. Automated update mechanisms and patch management policies should be implemented to ensure timely updates without disrupting business operations. 


Q: In closing, what is the long-term importance of data privacy for healthcare insurers? 

Ralph: Data privacy is an ongoing commitment, not a one-time effort. For healthcare payers, it is about more than avoiding breaches and fines. It’s about protecting the trust and well-being of members. Investing in robust data privacy measures builds brand trust and helps build a safer, more secure future.  

Strong data privacy practices reduce the risk of costly breaches, legal penalties, and reputational damage. Moreover, as the industry moves toward personalized medicine and data-driven healthcare solutions, maintaining robust privacy standards will enable insurers to harness data’s potential responsibly and ethically. Ensuring data privacy is not just a regulatory requirement but a moral imperative for fostering innovation. 

Tony: Data privacy is foundational to healthcare companies’ long-term success and sustainability. Beyond ensuring compliance with regulations, safeguarding data builds trust with members, which is critical for maintaining retention. Strong privacy practices not only protect against legal and reputational risks but also enhance member experiences and provide a competitive edge. By prioritizing data security, healthcare organizations can foster trust, drive innovation, and ensure long-term growth in an increasingly digital landscape. 

Join us for the second part of the Q&A next time with Milonda Mitchell, Compliance Officer at HealthAxis.  

At HealthAxis, we are committed to supporting health payers in these efforts. Our solutions are designed to improve member engagement, streamline communication, and ensure compliance, ultimately enhancing the overall member experience. Connect with our experts for more detailed insights and practical strategies on how we can support your healthcare organization.  

Sources:

1 Data Privacy Day, U.S. Department of Energy
2 The 40% Rise of Phishing Attacks: How New Domain Extensions Are Fueling Cyber Crime, KnowBe4
3 Credential Phishing Increased by 703% in H2 2024, KnowBe4
4 2024 Security Awareness Training Statistics, KeepNet
5 Why Two-Factor Authentication Is Critical for Healthcare Organizations, Imprivata
