How Healthcare & Retail Initiatives Impact Security and Compliance

Kurt Hagerman, Chief Information Security Officer, Armor
Gerry Miller, Founder & Chief Technology Officer, Cloudticity

Today’s healthcare industry is filled with innovative products, procedures and services designed to meet the triple aim of providing a better patient experience, higher quality of care and lower costs. Coincidentally, the same could likely be said about the retail industry: innovative products, business model procedures and ideas that improve the customer experience to increase loyalty and retention.

But how do the two complement one another? Aside from buying cold medicine at a grocery store, there aren’t many ways these two industries align for a greater purpose. However, as healthcare costs continue to rise, recent acquisitions and announcements indicate a larger movement is afoot to reform the industry by analyzing retail buying patterns.

The Future of Healthcare and Retail

It’s been said before that we don’t have a healthcare industry, we have a “sick care” industry – driving the cost of healthcare expenses and insurance claims through the roof. More than 50% of healthcare dollars are spent on only 5% of the population, and three-fourths are spent on chronic lifestyle illnesses, such as diabetes and heart disease. Ironically, the sicker their patients are, the more money healthcare organizations make. So, what’s the solution to this inefficient system?

Recent partnerships, such as CVS and Aetna joining forces, as well as announcements from Amazon, shine light on what the future of actual healthcare might look like. As insurance companies realize keeping people healthier equals fewer claims, the mindset and business approach is shifting to healthcare and retail entities banding together to influence and empower population health.

With most companies being required by law to provide health coverage for every employee, insurance agencies are investing in more resources, such as big data, to help their members stay healthier and impact how dollars are spent.

Privacy and Security and Compliance – Oh, My!

Of course, no new venture is without concerns. These are two major industries with their own sets of customer and patient data, compliance regulations and security measures, and many have already addressed the issue of privacy (or lack thereof) these partnerships bring.

It’s no secret that privacy for retail shoppers is almost a thing of the past these days. It’s difficult to even log on to social media without seeing an ad for the store you were browsing on the web two days ago. With every buying and shopping decision being tracked, these initiatives beg questions such as, “What is this company going to do with my purchasing trends? Is it so far-fetched to think Amazon will make product suggestions based on my health records? Will Aetna raise my premium based on my recent CVS purchases?”

However, just as these conversations are being had, so should the ones about compliance and security, especially as these data become more and more intertwined. Typically, retailers are charged with securing Card Holder Data (CHD), and healthcare companies focus on protecting Private Healthcare Information (PHI). These two data types have very different compliance requirements, one being explicitly prescriptive (PCI) and the other a loose set of guidelines (HIPAA). Both, however, are addressed by several security frameworks, such as the HITRUST CSF.

Health records are already some of the most sought-after items for cybercriminals on the dark web, selling for roughly $20-50 per record, whereas credit card numbers are sold for approximately $7, according to the Dell SecureWorks Underground Hacker Markets 2016 Annual report. Creating an avenue for threat actors to get their hands on both CHD and PHI in one fell swoop calls for stricter security and compliance standards. However, there’s a recent and interesting shift in HITRUST compliance, incorporating both CHD and PHI (PCI + HIPAA), indicating the security and compliance industry is already anticipating the need to comply with multiple regulatory frameworks.

What to Consider

Businesses considering engaging in and planning for the healthcare-meets-retail movement need to truly evaluate what security measures are in place as they become a data mecca. First and foremost, these organizations will need to re-think their security strategy to consider all types of sensitive information being managed.

Rather than applying specific compliance controls to certain types of data, healthcare organizations and retail companies need to have a single, robust information security program that addresses all threats.

Consider not merging all data sets, as a combined data set is even more valuable to an attacker than its parts. Keeping the sets separate lets most data be operated upon in anonymized form, with only the extremely critical information undergoing extra scrutiny. In addition, by investing in compliance frameworks with a meaningful business process behind them, organizations will be better prepared than if they simply try to check compliance boxes.

We are witnessing the beginning stages of what’s sure to be a new wave of initiatives to address rising healthcare costs and inefficiencies. These monetary and perhaps, at times, incentivizing partnerships offer a multitude of benefits, but are not without their concerns. Ensuring compliance standards are met and security controls are in place will better harmonize the efforts to refine the growing ecosystem between retail and the healthcare industry.

For more information on securing healthcare data and meeting compliance standards, check out our offerings and visit Armor Partner Cloudticity.
