Insurance Exchanges: Protecting DataApplying Lessons Learned in Online Banking
State health insurance exchanges now in the early formative stages should consider security practices widely used in online banking, says Bryce Williams, CEO at Extend Health, a commercial online health insurance exchange.
Extend Health's exchange, which serves retirees at major employers, is similar in structure to the state-run insurance exchanges called for under federal healthcare reform. The new state exchanges to be launched in 2014 will be one-stop marketplaces enabling consumers to shop online and enroll in private health plans offered by multiple insurers.
Like financial institutions that offer online banking, Extend Health requires consumers using its services to authenticate their identities by verifying a variety of personal data that can be confirmed from other sources. Likewise, the insurance exchanges will "need to treat authentication very seriously," Williams says in an interview with HealthcareInfoSecurity's Marianne Kolbasuk McGee (transcript below). "There might be some consumer push-back on asking too much information to authenticate, but ... most consumers don't mind [giving] additional information so that they know their information is protected and secure."
In Extend Health's communication with consumers, "We use secure socket layer technology," Williams says. "We're using the same security and data encryption that you see across the banking industry."
In the interview, Williams describes:
- Extend Health's business model and what state insurance exchanges can learn from the company's experience;
- How the company securely communicates with dozens of insurance carriers;
- Why the company records and encrypts phone conversations with consumers.
Before joining Extend Health, Williams was senior vice president of marketing and business development at eHealth, the parent of eHealth Insurance Services. He also served as director of development for OnCare, an oncology physician practice management company, and vice president and general counsel at Advance Paradigm, which was sold to Caremark Inc. He also was a corporate transactions attorney at Jones, Day, Reavis and Pogue. Extend Health, which was founded in 2004, was acquired in May by employee benefits and talent management firm TowersWatson.
MARIANNE KOLBASUK MCGEE: Please explain how Extend Health Exchange works.
BRYCE WILLIAMS: Extend Health is a company we founded eight years ago to help employers get more value for their workers in healthcare. It's a pretty simple premise. Starting six years ago, we constructed the first private exchange for the retirees of the Chrysler Corporation. What happens on our exchange is instead of an employer providing a one-size-fits-all group plan, they raise tax-free dollars and deliver them via what's called a HRA, or a health reimbursement arrangement. Then each individual recipient gets to shop, choose and enroll in the plan of their selection using the help of our licensed agents from one of our call centers. So they have complete personalization of the plan to their unique medical conditions, to what medications they take, to where they live, to whether or not they own a second home. It turns out there is a whole lot of variability that goes into what type of Medicare plan you should have, and we help employers do that. And the benefits to the employers are they get to move to a more defined method of funding their future retirees. ...
The Medicare exchange is really taking hold now across corporate America; 41 of the Fortune 500 now use and deploy the Medicare exchange to take care of their post-65 retiree obligations.
Security, Privacy Challenges
MCGEE: What are Extend Health's biggest data security, patient privacy and HIPAA-related challenges as a commercial health insurance exchange, and how are you tackling them?
WILLIAMS: There are a whole lot of regulatory controls on all of us in healthcare. ... At the very top of the spectrum, where we reside, which is in the arraying or delivering of benefits, there's certainly a massive amount of regulation, not the least of which is the new Affordable Care Act. ... Doctors and hospitals [have] a tremendous amount of regulation as well.
Up and down the spectrum of healthcare, everybody has taken steps to try to provide a higher level of security. For us, it's 128-bit secure socket layer security. We encrypt all of our data, not only in our terminals that our agents use but also on our servers. That way, when we transmit information out to our carrier partners, including the actual enrollment of a senior in a Medicare plan, that data is protected. We've really tried to bring everything that HIPAA commanded into our data security architecture and make sure it's fully implemented on our platform.
So far we have been very successful in making sure that we maintain data integrity of our information, of our retirees and of our clients. ... I think everybody takes it very seriously. ... And so if you're a vendor in this space, it's a very major investment but you just have to make it.
Securing Patient Data
MCGEE: When consumers shop for insurance policies at Extend Health and enter health information about themselves onto your site, how do you protect privacy, and how do you secure data as patients are connected with the representatives on the back-end who assist them in their coverage decisions?
WILLIAMS: There are a couple of ways of doing that. As I mentioned to you, we do use secure socket layer technology, which is the same thing that people use when they're on their online banking sites. ... Consumers on our site should be secure in the notion that as they go to enter information, it's as if they're on one of their bank sites. ...
What happens with transmitting the data and taking of information is we have our systems controlled for that. We built our own custom CRM [customer relationship management] tool so that we're not using some off-the-shelf tool that perhaps has some data flaws exposed through other applications. We actually built our own, so we're then able to control much more highly for the information flow.
The last line of defense is not only the training of our agents but also the fact that they know and our clients know we record all calls. Last year we had over 2 million minutes of recorded calls, and we have all of those calls stored in WAV files broken down by call and even by segment within calls. So there's the ability to pull information and find out what happened and what was conveyed. All of those WAV files are also encrypted and protected. We've thought about this in terms of multiple layers. ...
MCGEE: How do you exchange data with the various insurance carriers that offer their policies to consumers?
WILLIAMS: ... Typically what we do is we have a secure pipeline into each carrier so that we can connect directly. ... It's not only a security thing, but also a speed issue. Our ability to use a web service to [connect to] each one of these carriers of ours allows us to communicate directly, and that way there are no files being transmitted via e-mail. There are no files being transmitted over other less secure sources.
In each instance across our 85 carriers, we just made the investment to go ahead and build a direct web service. In doing so, that allows us much more control, not only over the security but also over the whole customer experience, the speed of information flowing. Then that ties into our back-office systems that start to queue up advising customers where their order is. Where are my cards? When might I get them? How is this going to work? We try to think about it not only from a security perspective, but also a total customer experience perspective. ... We ... [have] 85 web-service connections to our carriers.
MCGEE: How do you authenticate users, such as patients who enter their data and then return to your site at a later time?
WILLIAMS: We use a lot of pieces of information. We don't like to just use anybody's personal information. We're not comfortable just using e-mails. What we try to do is pull in three or four different data sources, like how a bank would require you to do to change your password. These are all pieces of data that are well known to each recipient. But because we get an employer file, we actually have a lot of basic information on the actual retiree, so then we're able to match whatever's entered against that file.
Then that allows us to have even more control to make sure that no one's trying to come and log in and authenticate as someone else. It would be really difficult for someone to come in and use three or four pieces of customized information that we have from your employer - or your former employer if you're a retiree - and then try to somehow trick the system and get in without having authenticated login information. So far, that has worked out great. I'm not familiar with a single situation where someone was able to come in and pretend to be someone else and authenticate through our system and get in and see information. We don't have an instance of that as of this time. But we do ask for quite a bit of information because ... we believe that health information is so important and so private that we do want to make sure that our authentication system is very robust. We do require several pieces of information to be entered for you to get in and authenticate. .... It's an extra layer but we work with some very large clients in the Fortune 500 and it's what they demand of us. ...
Health Insurance Exchanges
MCGEE: As the states launch their health insurance exchange as part of healthcare reform, what do you think the biggest data security and patient privacy challenges will be?
WILLIAMS: One of the biggest challenges for the state exchanges ... is going to be around what happens to the people who are moving in and out of different systems. What if I do not make enough money in the first half of the year and I need to be on Medicaid, but then I pick up a part-time job and I start to make enough money where maybe I don't qualify for Medicaid and I need to get on one of the exchange plans that are available? Then what happens three or four months into that when I actually move over and I get a full-time job or I'm on some employer's health plan? I think the real challenge for the state exchange authorities is keeping track of where everyone is and what do they qualify for and what are they eligible for, because that's going to guide whether or not they qualify for a state or federal subsidy or a state program like Medicaid.
I know a lot of people get obsessed about data security and other things as it relates to the state exchanges, and that's going to be very important. But I think the biggest challenge is just going to be tracking and following people as they [have] changes in their work profile and what that means to what plan they currently qualify for and how long.
Advice for Other Exchanges
MCGEE: Any advice or tips related to data security and privacy that you can offer to the state health insurance exchanges that are just starting up?
WILLIAMS: Our best advice to the state health exchange authorities would be to acknowledge the notion that it's okay to ask for a whole lot of information to authenticate, because you're not only dealing with someone's Social Security number, phone number or their e-mail address. You're actually dealing with their health conditions. You're dealing with their health status, which in theory they will have to put in the system as they go to apply. Even though these plans are guaranteed-issue, the carriers and are going to want to know what's the current health status of the applicant so that ... they can get them into better wellness and disease management programs and other things.
Because you're taking that information, I think you need to treat authentication very seriously. I think while there may be some consumer push-back on asking for too much information to authenticate, our recommendation is that it's okay. Most of the consumers that we survey don't mind actually having to put in additional information so that they know that their information is protected and secure.