ACOs Tackle Security Challenges

by John Moore, iHealthBeat Contributing Reporter

Sharing is typically a good thing, but in the IT world it also introduces the risk of data loss.

So it shouldn't be surprising that accountable care organizations -- groups founded on the premise that exchanging data among providers will improve patient care -- are viewed as potentially vulnerable.

A study conducted by Ponemon Institute, a privacy and data protection research center, found that two-thirds of the health care organizations that are part of an ACO said the risks to patient privacy and security have increased "due to the exchange of patient health information among participants."

Ponemon's Fourth Annual Benchmark Study on Patient Privacy & Data Security, released in March, noted that 41% of ACO participants deemed it too early to tell whether their organizations had experienced changes in the number of unauthorized disclosures of protected health information, while 23% acknowledged an increase.

Respondents to the Ponemon survey, including non-ACO participants, reported a wide range of security worries. Here are their top five concerns:

  1. Employee negligence: 75%;
  2. Use of public cloud services: 41%;
  3. Mobile device insecurity: 40%;
  4. Cyber attackers: 39%; and
  5. Employee-owned mobile devices: 34%.

The risk of exposing patient data is one that ACOs will have to live with and mitigate. An ACO's core tasks include coordinating patient care and improving the health of at-risk populations. ACO participants have to share data among themselves to accomplish those objectives.

The security challenge is playing out across hundreds of ACOs. Leavitt Partners, a health care consulting firm, estimated the ACO population at 488 as of July 2013; the company said that number represents more than a doubling of ACOs since June 2012. CMS chartered the first pioneer ACOs in late 2011. 

The organizations continue to refine their security approaches.

"Trying to construct a security and privacy model that respects the individual [physician] offices and the financial independence of these organizations -- while still focusing on the patient -- has been very challenging," said Shawn Griffin, chief quality and informatics officer at MHMD Memorial Hermann Physician Network, an ACO in Houston that partners with the Memorial Hermann health system.

Managing Security

One challenge ACOs face is maintaining security in highly distributed setting.

MHMD, for instance, works with 1,800 physicians in 600 offices in a Medicare shared savings ACO, Griffin said. More than 80% of MHMD's physicians are independent doctors as opposed to employees of the Memorial Herman Health System.

Against that backdrop, MHMD works to instill security practices and HIPAA principles among its physician members.

"We have a provider agreement with our physicians that talks about HIPAA-compliant data sharing," Griffin said.

MHMD's mission is to help member physicians improve quality and part of that task involves boosting security, Griffin noted. A Medicare ACO has an opportunity to earn financial rewards -- savings to be shared among participants -- based on reducing the cost of care and increasing its quality. Under this quality improvement regimen, physicians compile data on their patient populations and submit reports to CMS. That data must be securely collected, stored and transmitted, Griffin noted.

The ACO's security outreach also involves its Meaningful Use University. MHMD supports physicians' electronic health record projects and helps them apply for the federal meaningful use program, which provides financial incentives to physicians who deploy EHRs in accordance with CMS criteria. A security risk assessment is one item providers must check off, and MHMD offers assistance.

"We run security audits for them so they can qualify for those incentives," Griffin said.

A Running Start

The job of securing an ACO is somewhat easier when the organization can leverage existing resources. A hospital system or physician group often sponsors an ACO, allowing it to tap into the parent entity's processes and systems.

Sharp HealthCare provides one example. The San Diego-based health system, which includes four acute-care hospitals, three specialty hospitals and two affiliated medical groups, participates in both Medicare and commercial ACOs.

Vonda Brown, director of decision support systems at Sharp HealthCare, said the health system maintains tight security protocols. So, it didn't have to do anything new security-wise when it started participating in ACOs, other than exchange encryption keys with the new entities and segregate CMS Pioneer ACO data, she said.

Brown said Sharp HealthCare's security profile made it easier to accept a new line of business.

"It wasn't like we were starting from scratch," she said.

Sharp HealthCare's security process includes a number of elements for protecting ACO data. For data transmission, the health system uses secure file transfer to receive data into the Sharp HealthCare domain and core systems. Within the health care system's firewalls, the data are ingested into a data warehouse. Any data that are subsequently added to a separate data analytics platform are moved via SFTP, Brown said.

Once they are transferred, data are encrypted and decrypted on the Sharp HealthCare side. In addition, Sharp HealthCare uses role-based access control on all of its systems to place restrictions on the types of data employees can use. The health system's authentication capability is built on Lightweight Directory Access Protocol and a single sign-on system.

MHMD, meanwhile, has been able to make use of processes it previously put in place as a physician network. MHMD established a clinical integration network about eight years ago, bringing together independent and employed physicians in a quality improvement program. The clinical integration network set up processes for data exchange and quality information that helped set the stage for the ACO transition.

Those processes, Griffin said, "have been fundamental for our success as an ACO."

Technology Change

Security becomes an iterative task for ACOs, since technological change introduces new vulnerabilities. In one case in point, the growth in smartphone and tablet use among doctors creates opportunities for communications, but also opens the door to HIPAA violations.

Griffin noted that issues such as secure texting didn't exist just a few years ago. MHMD now uses DocbookMD's Docbook Enterprise, a Software-as-a-Service-based HIPAA-compliant mobile communications platform. He said the product lets MHMD physicians connect with each other and to other physicians in the Houston metro area.

Tim Gueramy, CEO of DocbookMD, said his company's technology uses 256-bit Advanced Encryption Standard encryption to secure its application and to protect data during transmission. He also pointed out the PHI doesn't live on mobile devices, but only in encrypted cloud storage. Docbook Enterprise is hosted on Microsoft's Azure cloud. DocbookMD has a business associate agreement with Microsoft and also maintains BAAs with Docbook enterprise clients and users, Gueramy explained.

Mobile communication, however, isn't likely to be the last of MHMD's security challenges. Griffin said he doesn't know what security issues will surface next. The important thing is to have an overarching security approach.

"When technology changes, questions come up," he said. "You have to have guiding principles, but the execution of the principles may change as the technology does."


to share your thoughts on this article.