Software startup Apervita has rolled out an advanced encryption feature for health plan and provider data that could slow down hackers and prevent data breaches.
The cloud-based software firm said the new security feature, called deep encryption, encrypts healthcare data at the field level for the company's health plan and provider customers.
The encryption security technology works like end-to-end encrypted messaging, which scrambles data as they move across the internet, revealing the information only to the sender and the recipient.
Michael Oltman, Apervita’s chief technology officer, said the deep encryption security technology is a "game changer" for healthcare organizations.
"This is above and beyond what regulators are requiring and above and beyond what most companies can offer," he said.
The feature extends the level of security protection beyond what is currently mandated by the Health Insurance Portability and Accountability Act requirements as well as compliance standards set out by HITRUST, a security standards development organization.
"As a healthcare platform that works with over 2,500 U.S. hospitals, security is our top priority. Deep encryption not only protects data far beyond typical data security requirements, but it also returns control of the data to our customers," Oltman said.
Healthcare security breaches are on the rise, with over 41 million patient records breached in 2019, according to compliance analytics firm Protenus. A single hacking incident in 2019 affected close to 21 million records.
The financial implications of such breaches are enormous, with estimates as high as $429 per breached record.
The current COVID-19 pandemic raises the stakes as cybercriminals target healthcare organizations and seek to capitalize on international concern over the spread of the coronavirus. Hackers have recently tried to break into the World Health Organization and the U.S. Department of Health and Human Services, along with other public health agencies.
Apervita started in 2012 as a developer of a collaboration platform for value-based healthcare. The startup focuses its efforts on helping hospitals and insurers share data and considers data security and privacy to be mission-critical to its business.
The company is led by Kevin Hutchinson, founding CEO and former president of Surescripts, a health IT company that supports electronic prescriptions. Surescripts built an infrastructure connecting pharmaceutical companies, pharmacy benefit managers, physicians' offices, hospitals, and laboratories.
In the same vein, Apervita has focused on building an infrastructure to enable physician practices, hospitals and health plans to collaboratively track performance measures against value-based contracts.
With the security threats facing healthcare and increasing data breaches, Apervita executives wanted to build data security that went beyond the "status quo" and offered a competitive edge, Oltman said.
The company worked with database company MongoDB to build its security feature based on the company's field-level encryption technology.
Apervita executives said the technology the company built adds multiple layers to MongoDB's feature and provides customers with a "Bring-Your-Own-Key" capability, which is a cloud encryption tool. That gives customers full control and ownership of their data at a per-customer and per-data-set level, the company said.
The feature encrypts each data field before it enters the database; a field could be, for example, a patient's first name or city of residence, the company said.
The encryption technology Apervita built adds layers of security that currently don't exist in most healthcare organizations, said healthcare IT consultant Michael Semel, president of Semel Consulting. He compared the security to a safe deposit box.
"The hospital putting data on the Apervita platform maintains the key to their own data. A hacker would have to get both keys—the key from Apervita and the key from the end-user to process and decrypt the data. It creates quicksand for the hackers," he said.
The technology also helps prevent internal data breaches when employees misuse authorized access to steal or damage patient data.
If organizations use traditional methods to encrypt protected health information, database administrators and third-party partners can still view decrypted patient data such as a patient's name, date of birth and medical diagnosis.
Apervita's technology prevents administrators from viewing these data but provides access to the database for authorized users who have a security key.
Additionally, Apervita’s encryption technology meets requirements of the Office of the National Coordinator of Health IT's recent information blocking final rule, which calls for granular, field-level privacy to support data segmentation while still allowing data to be accessible, the company said.