But organizations must also understand the security risk inherent in data collection and make sure the CISO has a seat at the strategy table.
Today’s consumers have high expectations when it comes to customer service. They want easy access to information, instantaneous and constant connections through their channel of choice, and timely and personalized communications. Consumers of healthcare services are no different. Payer and provider organizations are now building strategies to meet these needs and differentiate themselves to customers who are more involved in purchasing and managing their healthcare than ever before. To do so effectively, they need to “know” and understand consumers better—and that, in turn, requires mining all available consumer data.
The potential payoff is great: lower delivery and administrative costs, greater patient and member retention, more effective marketing campaigns, and better decision making. But there is also a significant and often unanticipated risk. If not planned carefully, these customer-centric initiatives can present new cybersecurity risks—in particular, risks associated with handling, managing, and maintaining sensitive data such as protected health information (PHI) or personally identifiable information (PII) and complying with standards such as HIPAA that regulate handling and use of protected data.
In today’s market, three disparate organizational functions are heavily involved with customer data:
- A customer experience function, which is responsible for expanding on new patient/member interactions or experiences through channels such as portals or mobile applications and for enhancing customer relationship management (CRM) capabilities
- A data analytics function, which turns customer information into business insight that can help the organization reduce costs, improve services, and/or improve customer experience
- The IT security function, which is tasked with adequately protecting customer information and securing interactions across a variety of channels
Oftentimes, these functions pursue projects in isolation, and that is where problems can arise. For example, redesigning customer experience often involves new services and databases that use and store protected data. User experience and functionality take priority, while security is often an afterthought. And when IT security designs and builds controls to reduce the risk of exposure in the event of a breach, usability and functionality are often secondary considerations—making things difficult for authorized users, including customers.
Like companies in other industries, healthcare organizations are taking steps to elevate their customer experience. As they do so, these organizations must also consider the evolving implications for security, data sharing, information access, and regulatory compliance.
Security must not be an afterthought. After all, the quickest way to erode the experience and lose consumers’ trust is to mishandle their information—or worse, fail to take the right steps to avoid a customer data breach.
This article was originally published in the February 2017 issue of Seattle Business.