For healthcare companies, data security is a critical test

If there was a single day in which healthcare executives, technology professionals and consumers came to understand the full extent of the industry's cybersecurity vulnerability, it was January 29, 2015.

That day, Indiana-based insurer Anthem, Inc., discovered it was the victim of a sophisticated cyberattack allowing hackers to access as many as 80 million names, addresses and Social Security numbers. Simultaneously, 2,200 miles northwest, Washington-based Premera Blue Cross found a similar attack siphoned up to 11 million of its customers' records, including credit card numbers, Social Security numbers and information about individual medical problems.

These data breaches reflect an alarming trend that presents two critical challenges for healthcare companies to solve. From a technical perspective, the industry must equip itself with tools and strategies that more reliably protect patient data from these cyberattacks. At the same time, companies must develop a more nuanced understanding of how consumers respond to data breaches in order to build a strategy to address consumers' concerns and retain as many customers as possible.

A recent TransUnion survey measuring the attitudes of more than 1,200 U.S. consumers who received medical care at a doctor's office, clinic or hospital in the past two years offers a window into how consumers expect companies to respond after a breach. The survey also provided insights on how companies can expect their customers to react after a data breach.

Perhaps most concerning for victims of cyberattacks, the survey found nearly seven in 10 consumers would avoid a healthcare provider that has experienced a data breach. Given that a growing number of companies have experienced a data breach, and that consumers often face a limited number of options when selecting providers and insurers, avoiding companies that were hacked will not always be feasible. But the share of individuals who say they would actively seek alternatives based on data breaches should be a caution to healthcare executives.

The impact of cyberattacks on consumer attitudes appears even more worrisome when separated by age group. TransUnion's survey found that 73 percent of patients ages 18 to 34 are likely to switch providers following a data breach. Millennials' notoriously weak brand loyalty and their apparent impatience regarding privacy intrusions are major considerations given the value of young people in the healthcare industry.

According to U.S. Census data, more than 80 million millennials recently entered the healthcare marketplace, and their influence in picking industry winners and losers goes far beyond volume. Insurers need enough younger and healthier adults to offset the significant costs of treating older adults. A Kaiser Family Foundation report found the cost of treating 18- to 24-year-olds averaged $1,834 per person annually, compared to $2,739 for people ages 25 to 44 and $5,511 for those ages 45 to 64. For some healthcare companies, losing any meaningful number of young consumers could disrupt the delicate equilibrium that keeps them competitive and solvent.

The survey findings are also instructive for developing a cyberattack response plan. From the moment a breach is discovered, consumers say they expect company officials to provide several different forms of support. To start, individuals in every age group have high expectations for how quickly companies inform the public of a data breach. Roughly half expect a response or notification within one day, and more than three in four surveyed anticipate a response or notification within one to three days.

In the wake of a cyberattack, roughly six in 10 individuals believe the company should set up a dedicated phone hotline for questions, and a majority expects a dedicated website to provide consumers with details and answer their questions. For more lasting support, 72 percent expect companies to offer at least one year of free credit monitoring after data is stolen.

These steps are the minimum for responding to a data breach in a way that maintains relationships and salvages goodwill with customers. Companies should be prepared to fold the basic customer service elements into a more comprehensive plan that takes patients through the whole process, from identifying whether their information has been compromised to preventing any corresponding fraud.

TransUnion's Data Breach Services, which we have built by working directly with clients and consumers over several years, provides one model for how these response programs can work. Our three-step system includes a personal review of each patient's credit file to identify fraud, and the development of a personalized report and supporting educational materials for patients. Using TransUnion ID verification, hospitals and health systems can validate patient information at the point-of-service by comparing patient-reported data to TransUnion's extensive databases of consumer contact and financial information. This powerful solution identifies discrepancies in demographics, enables hospitals to correct patient information and detects potential fraud or medical identity theft. TransUnion provides templates and established processes each step of the way, which is particularly useful in the chaos that follows a major breach.

Perhaps most importantly, based on the survey findings, the service can be up and running within 48 hours.

With a growing number of privacy-sensitive consumers entering the healthcare market, and increasingly sophisticated hackers seeking to steal information, healthcare companies must have a proper plan in place to protect and recover data in a timely manner. Without a clear cybersecurity strategy, companies run the risk of losing valuable customers and experiencing severe reputational damage.

TransUnion's survey provides a broad framework for preventing these business and public relations disruptions. We are continuing to assess the success of healthcare companies in protecting and supporting consumers, and we're eager to develop the next generation of innovative approaches to keep pace with a challenging new environment.

Gerry McCarthy is the president of TransUnion Healthcare. He is responsible for the strategic direction of the healthcare business and expanding its footprint in the healthcare market overall. Gerry has more than 20 years of experience in healthcare information technologies.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.
