Change Healthcare gives payers and providers the keys to cloud security

Change Healthcare is providing healthcare leaders the keys to cloud security with Change Healthcare Security Management, which includes a “Bring Your Own Key” (BYOK) service now offered as part of the company’s cloud-based HealthQx value-based care analytics suite.

“Hospitals, payers, and providers are under constant attack from a global network of cybercriminals using advanced and evasive techniques to penetrate networks, steal data, extort healthcare organizations, and capitalize on the personal health information of patients,” said Haddon Bennett, CISO at Change Healthcare.

“It is of paramount importance that sensitive data be protected by proper encryption that is fully controlled by the payer or provider, so they can mitigate both insider and external threats on their own terms. This is a significant advancement that reduces the risk profile for all healthcare stakeholders, including health plan members and patients.”

Change Healthcare HealthQx is an episode analytics suite that helps payers and providers accelerate value-based payment innovation, and uses the Microsoft Azure cloud.

HealthQx collects, analyzes, and reports claims and other information to help healthcare stakeholders design, develop, scale, and improve their value-based care programs.

As part of Change Healthcare’s approach to enabling payers and providers to have control over their cybersecurity profile, customers using the HealthQx value-based care analytics suite can now make security changes without involvement by Change Healthcare personnel, and have their cloud-based systems re-encrypted and operational without service interruptions.

Full control is in the customer’s hands, including audit and monitoring checks that flag changes. This capability is in contrast to traditional key management, which is error-prone because it requires planning, training, communication, and orchestration with a team of people manually working across multiple organizations.

Prior to release of this Change Healthcare Security Management BYOK service, cloud encryption keys in healthcare were the responsibility of solution vendors to manage.

Providers and payers had to contact their vendors to respond to requirements, including routine key updates, revocation of employee clearances, perceived threats, or actual attacks and breaches. This manual process costs payers and providers valuable time and can have an impact on data being compromised or remaining secured.

This BYOK capability in the Change Healthcare Security Management suite lets payers and providers create, update, or revoke encryption keys on demand, enabling responses when potential or active threats to data in the cloud are anticipated or encountered.

Payers and providers can invoke a virtual “kill switch” that stops access to protected data and services and can re-enable access within minutes using a new encryption key blocking active threats.

How the HealthQx suite controls cybersecurity using the BYOK capability provided by Change Healthcare Security Management:

  • The customer generates 2048-, 3072-, or 4096-bit encrypted public and private key sets. These key sets are protected by a master password unknown to anyone outside of the customer’s organization, including Change Healthcare. They can be changed at any time, on demand, by the customer, allowing them to remain in control of their cybersecurity.
  • Without further human intervention, the keys and master password are encrypted, cut into multiple parts, and transmitted over multiple secure channels to the Change Healthcare Intelligent Healthcare Network, where they’re decrypted, reassembled, and added to the customer’s key vault.
  • The new key pair is rotated into the customer’s infrastructure within the Change Healthcare Intelligent Healthcare Platform, leveraging the Microsoft Azure Data Lake, Microsoft Azure SQL Data Warehouse, Microsoft Azure SQL Database, ETL VM disk, SFTP VM disk, and any other storage areas — anywhere the customer’s data within the HealthQx suite is in motion or at rest.
  • Customers can revoke access to data using a virtual kill switch. To do so, two of the customer’s authorized operators must issue a revocation order, which can be performed from anywhere in the world. No involvement of Change Healthcare personnel is required. When the order is issued, their system is locked down and no longer available to anyone.

All of these processes are automated and invisible to anyone appropriately authorized to use the HealthQx suite within the Change Healthcare Intelligent Healthcare Network, and encompasses all current operations: jobs, applications, and user interfaces. Now the power to control access and security with agility is entirely in the customer’s hands.

“Transparent data encryption with Bring Your Own Key capabilities helps organizations better protect sensitive data and meet regulatory and industry-specific compliance obligations which require specific key management controls,” said Lindsey Allen, Partner Group Program Manager, Azure SQL Database R&D at Microsoft.

“We integrated this technology in Azure SQL Database so that we could help ensure that the sensitive data of users was protected in a compliant manner.”