By GREG TODD, CEO of Integrated Prescription Solutions Inc., a Costa Mesa, Calif.-based pharmacy benefit management company.
A lot of buzz phrases are thrown around in the insurance and technology industries. One of the most popular right now is "the cloud," but we all know that it is the continuation of an effort for centralized processing, the previous iteration of which was called "the application service provider" model.
The debate over the efficiency, safety and security of centralized computing versus decentralized computing will rage on for decades, just as the debate over processing claims in house or through a third-party administrator will.
In the meantime, it is essential to recognize the information technology risks that exist in the infrastructure we have today, and to drive down to the core offering that pharmacy benefit management companies bring to the market, so we can better understand why information technology risk is so important.
Pharmacy benefit managers fundamentally exist to minimize or eliminate unauthorized drugs, to improve safety and effectiveness with point-of-sale safety reviews, to reduce the cost of drugs through eligibility and formulary management and to facilitate adjuster oversight through customized communications and notifications. While all of the above functions can be performed manually in a paper-based system, we can agree that efficiency can reach an entirely different level in a paperless system.
So the primary question presents itself: What problems are we as an industry trying to solve with technology? The answers are rather simple. We're trying to eliminate unauthorized drugs by preventing people from filling prescriptions for drugs they're not supposed to have, and to eliminate early refills of approved drugs through a real-time network and integration with pharmacies.
We're trying to dramatically reduce first-fill fraud using electronically distributed drug cards with defined formularies allowing overrides for specific drugs, instead of a paper voucher that allows for significant first-fill fraud.
Finally, we're all working to redefine medical care appropriateness by alerting adjusters to the types of items being prescribed so they can encourage physicians to prescribe high quality, lower cost therapeutic equivalent generics through automated tools.
As you can probably tell, all of these problems and their subsequent solutions require a significant amount of connectivity and data management. Web portals and instant data transactions for real-time overrides and formularies provide unprecedented service and cost protections, but they expose pharmacy benefit managers to threats that were not significant in the paper-based systems of 10 years ago. As a byproduct, our organizations carry a significant amount of information technology risk related to the security of our databases and the transmission of data to our vendors, partners and clients.
We have to guard our companies, and more importantly our companies' data, from threats both internal and external, not only because we care about our customers and their information, but also because we must comply with state and federal regulations such as HIPAA.
The risks are challenging and require vigilance and continual improvement because they come from threats both external and internal.
These can start with specifically targeted external threats, like a brute-force attack (where an attacker tries to gain access by trying millions of combinations of usernames and passwords through automated scripts) or a distributed denial-of-service attack (where an attacker uses thousands of compromised computers to simultaneously overwhelm a company's connectivity and server capacity).
They can also extend to nontargeted external threats like viruses and Trojans that can inadvertently be introduced into a network through user behavior and error and can cause significant loss of data (reference any one of a number of data breaches in recent months, including a recent case involving Citigroup).
One other class of threats involves internally generated threats from malicious or careless employees and contractors with access to the data and private networks. Aside from all of the above, disaster planning must take place to guard against disk failure, server failure, network failure and weather, among other things.
All of these risks can be quite overwhelming for any company, but as pharmacy benefit managers, we must approach these information technology risks with an aggressive strategy to mitigate them to minimal levels. That starts with both internal and external systems that sweep and analyze data traffic for patterns of attack and malicious behavior that could be taking place.
Internal systems can be set up to receive a copy of all communication traffic internally and can then ship that information to a centralized security center where security experts review that traffic for potential problems.
Commonly called intrusion detection systems, these devices can actually shut off attacks as they occur through integration with your corporate firewall. A couple of solutions that accomplish this are Alert Logic and Qualys.
External systems are just as important to a comprehensive risk mitigation strategy. External security services like Sentinel from WhiteHat Security run periodic security sweeps on all of your public-facing web applications and sites and test for important vulnerabilities like cross-site scripting and Structured Query Language (SQL) injection attacks (attacks that can cause significant issues for you and your customers).
Risk mitigation continues with proper endpoint control to prevent users from connecting unauthorized devices, like USB drives, to the network and introducing viruses or removing data from the network.
Solutions that help with endpoint control include Sophos Ltd. and DeviceLock. Prevention efforts also extend to the network and server level with proper firewall and data prevention policies, data segmentation and external testing of web portals to check for unauthorized user permission escalation (where a user logs in with a legitimate account, but uses that account to achieve security levels and data access that they were not intended to have).
One of the most obvious areas of risk is email. As pervasive as email is, it is a huge exposure both to external threats, such as viruses or phishing, and for secure data, such as Social Security numbers. Add government communication archives to that mix and you have a huge potential liability.
As can be expected, Google offers a comprehensive suite of solutions to help with compliance, security, virus protection and message encryption. Their combined suite tackles the major hurdles of email security compliance whether you host your email on your own servers or through their Google Apps for Business platform. Another platform that is commonly used for secure message delivery in the insurance marketplace is ZixMail by ZixCorp.
Lastly, prevention can take place early on with proper software development life cycle practices that enable the development team to test for potential data security problems and to author code that prevents them in the first place. The above solutions, especially the external site testing systems like WhiteHat's Sentinel, can greatly assist programmers in identifying vulnerabilities and retesting the site as new code is uploaded, but a good development team will already have that type of vulnerability assessment built into their testing and development plan. As in most cases, there is no substitute for solid engineering on the front end.
Pharmacy benefit managers can provide world-class, cloud-based, pharmacy benefit management-as-a-service solutions to the marketplace, and deliver significant cost savings and safety improvements, but they must continually keep in mind the risks that are carried with automation, centralized storage and web-based service delivery.
By taking a comprehensive and aggressive approach to data security and integrity, and creating new systems, we can all deliver on the promise of today's technology while protecting our client and patient data.
September 15, 2011
Copyright 2011© LRP Publications