Wednesday, August 20, 2014

Insurance companies don't get it, yet. There is a lot to learn about Aetna's CarePass failure.


I was very excited to see the rollout of Aetna's CarePass at the mHealth Summit several years ago. It seemed to be a great idea; however, it never got any real traction. I spoke to some of the people on the team and there was a lot of excitement. I envisioned a platform to connect to their providers, patients and EHR, but that never happened. Like so many health platforms on the market, they took the safe, easy way out, providing support to patient-facing apps. WHO CARES, let me reiterate, WHO CARES!

Some of these supported apps are great, but it is proven that most are downloaded, used once or twice and abandoned. The only way to get patients to really use apps is for doctors to prescribe them and then have a facility to transmit and store the patient-provided data to the provider's EHR. However, that is still somewhat of a dream, one that there is yet to be a standard to support.

In order for a platform to be successful, it must be connected to the healthcare ecosystem, that is, the provider's EHRs. However, that is not happening; most of the EHRs cannot communicate among themselves. This is where Aetna had a chance to make things different: they could have demanded interoperability and communication with patient-facing apps. Yes, there are a lot of issues around this, but I believe they were well positioned as a payor to bring about change.

One of the hurdles that I did see with CarePass is getting other payers or providers outside of the Aetna network to use their platform. I don't think that this is going to happen for a while, which is a shame. We need healthcare organizations to work together if we are going to get true interoperability. We also need companies such as Aetna to keep innovating and pushing the old-school status quo.

Change will come, it has to.

Jeff Brandt
www.dekaG.com

Wednesday, August 6, 2014

The passwords have met their match

Yesterday, it was announced that a Russian crime syndicate has stolen 1.2 billion identities. As of the next day it was still not known where or whose IDs were stolen. The media is suggesting that we change all usernames and passwords. I, like many, have at least one hundred usernames and passwords; changing them would be no small feat, and I most likely won't. Many times it is difficult or impossible to change usernames.

One of the primary issues leading to all of these cyber attacks is the millions of places where passwords are stored. Each website keeps your username and password on its systems. There are systems (OAuth) that allow sites like Google and Facebook to share credentials with other sites to allow access to their systems without setting up new credentials; however, that means you have to trust sites like Facebook to store your credentials. Since these companies make their money from selling information via advertising, well, you get it.

We must ask: why were these passwords not encrypted? It was poor design and oversight. Data at rest is always vulnerable; it is the “edge” that gets hacked, i.e., data can be sent over a secure link, such as SSL, but when it is moved or temporarily stored during processing it is vulnerable, and if the data is not encrypted when stored, it remains vulnerable to theft. Credit card data before PCI compliance rules had the same issues. Compliance, however, isn’t a law such as HIPAA, but maybe it is time for legislation for all password data.

There needs to be a better system for identification and authorization. Usernames and passwords have met their match: the well-funded, sophisticated hacker, the new cyber criminal.

Jeff Brandt
www.deKaG.com