
Note: This piece was originally published over the weekend in our Sunday newsletter. Want content like this delivered to your inbox before it hits our blog? Subscribe here.

The Big Story: CVS Health database leak left 1B user records exposed online

Another week, another huge stack of patient information left on a virtual desk for the unscrupulous to rummage through. FierceHealthcare reported that back in March, CVS, through a third-party vendor, left customer data exposed to the tune of one billion search records. The database was not password protected; it had no authentication of any kind, so anyone who found it online could read it. The exposure was quickly contained, but it raises the question for healthcare leaders: “How safe is the data you’re entrusting to vendors?”

Our Take

You’re sitting on a gold mine of information. Companies are coming to you with great partnership opportunities, or you need someone to help manage it all. Either way, you have the chance to advance healthcare AND differentiate the care you provide your patients.

What’s not to love?

Maybe nothing. Hopefully nothing. But maybe a lot. So be careful.

With all the growth and excitement taking place around healthcare’s digital front door, a dose of caution is warranted. Because there’s the other side – the Upside Down, for you Stranger Things fans: While more data creates more value for patients, providers and innovators, in the Upside Down, the value goes to the hackers and scammers.

How do healthcare providers run that risk-benefit analysis? You’re certainly not going to build these digital tools yourself, so, how do you pick the right partner and set appropriate expectations with them and your patients? And how do you explain you’re winding down a project if things don’t work out? Finally, do you play a role in educating patients about health tech and navigating the myriad consumer health tools available to them? (Because really, what is Dr. B doing with all that info it collected?)

Here’s our advice.

  1. Create a governance structure in your organization that provides protection from abuse for all stakeholders – including patients, clinicians and staff. Involve everyone in that process: compliance, legal, IT, communications, marketing, operations and clinical. These guardrails will be invaluable as you evaluate any given project.
  2. Ask why you’re considering adopting a technology. Answer the question, “What are we giving up or putting at risk for the sake of convenience?” Run the risk-benefit analysis and make sure there’s a compelling case for the benefits, no matter how shiny the object is.
  3. Consider whether you can achieve the stated goal. Can you do what the end user wants (most likely either your patients or doctors and nurses)? Is partial success possible and acceptable, or is this an all-or-nothing thing? Of course, you can’t really figure this out unless you…
  4. …Talk to the consumer. Find out the value to them and ask about their risk tolerance.
  5. Be open about your decision. If you do move forward, make very clear to the consumer what you’re doing when they sign up. Don’t give them the typical 17 pages of small print terms of service. This is their health, their life and their privacy at stake. Be clear.
  6. Understand from the get-go where the offramps are, whether you achieve success or it doesn’t work out. Have an exit strategy. And then, communicate that exit strategy upfront to all stakeholders. Don’t wait until the project ends – especially if it ends because it didn’t work. People will ask what you’re doing with their data. Answer those questions before you start, not when you decide to quit.

For more on how to prepare for a data breach, check out this recent post.

Questions about your digital footprint? We can help.