Blog Post February 8, 2017 Value-Based Care Makes Cybersecurity Even More Critical Authors Gerard Nussbaum In Brief: Value-based care, with its emphasis on data exchange, is a boon to patients. It also increases the risk of exposure to security threats. Collaboration with providers across the care continuum is at the heart of value-based care. Regardless of the model implemented—accountable care organization, patient-centered medical home, clinically intergrated network—providers increasingly find themselves part of a network of organizations that share a common goal: coordinate care in a manner improves the health of a population while containing costs, delivering efficiencies, and generating savings. And yet, care coordination also represents value-based care’s biggest vulnerability. Successfully operating a network of care requires sharing a wealth of data—patient health information (PHI), quality-of-care metrics, performance analytics, and more—across a broad community of partners. And for hackers, that data sharing effectively puts a bullseye on every healthcare organization. Security in a Connected WorldCybercrime was a frequent news topic in 2016. Stories about data breaches, ransomware attacks, or fines levied due to HIPAA violations prompted outrage and anxiety among patients and providers. This is especially concerning for healthcare networks that are growing in scope and relying increasingly on technology to make care delivery more effective and convenient. With PHI being transmitted and shared through so many access points and across so many organizations, the task of effectively managing privacy/security may seem impossible. But we have come too far as a national healthcare system to relinquish the advantages of care coordination and effective population health management, which are only made possible through the sharing of electronic health information. How can provider organizations minimize security and privacy risks, while maximizing data sharing to gain the benefits of coordinated care? Privacy as a ProcessThe vendor market offers a cacophony of security products and services, some of which may be part of an effective approach to protecting health data. But a technical solution by itself isn’t enough. Providers must approach privacy/security as an organizational function, not just a technology issue. Securing data is an ongoing process that requires constant monitoring, updating, and refining, as well as focused senior leadership attention. Providers must be aware of and actively monitor the various interfaces created between the internal environment and outside entities. Such a process must be dynamic and not only performed periodically, but be triggered by events such as parternship affiliation agreements.In a connected world, providers need to ensure compliance not only within their own four walls, but across their network of partners and vendors. Partnering, contracting, and collaborating with external entities must be accompanied by verification of those entities’ ability to meet a baseline of security standards. And that baseline must be updated and monitored over time.More than anything, security must be high on the agenda of executives and boards governing provider organizations. As the race to effectively compete in a value-based environment drives many boards to seek new partnerships, the reality of increased risk and exposure must be introduced and factored into strategic plans.Every healthcare organization needs to make cybersafety a priority, and we’re making it a priority as well. We’ll dig more deeply into the issues raised in this post and explore cybersecurity and privacy issues throughout the year. Keep checking this space for further insights, and please share your thoughts on this evolving issue.