Pharma industry touts cure for data security ills

Medical research often leads to unexpected breakthroughs in other peripheral areas.

Based on the success being enjoyed by a project developed among a handful of leading pharmacy industry players, some experts say that you can add enhanced data security to the long list of advancements attributable to the health care industry.

Founded in 2001, RxHub was the brainchild of three of the nation’s largest pharmacy benefits managers (PBMs) — companies responsible for handling the unseen legwork necessary to allow pharmacies to dole out prescriptions to eligible consumers, and for customers to employ their health care benefits to cover related expenses.

Those companies — AdvancePCS (since acquired by CVS-Caremark), Express Scripts, and Medco Health Solutions — were looking for a way to better facilitate the massive volumes of data transfer needed to match customers with their medical, insurance, and payment records to cut costs and eliminate potential mistakes.

In creating RxHub, a joint venture that serves as an electronic clearinghouse responsible for gathering the medical and benefits data needed to serve customers, people involved with the project claim that the pharmacy companies also pioneered an information-sharing model that other businesses may want to emulate to relieve their own data security headaches.

At its core, RxHub claims to be a universal communication framework that links health care providers, insurance companies, the PBMs, and local pharmacies for the purpose of sharing electronic records and prescription data.

One of the most attractive side benefits of the venture, backers claim, is that it in addition to streamlining that process, the effort has also helped the partners pilot a new manner in which to access and correlate sensitive information to protect the interests of the many businesses and customers they serve.

Rather than forcing any of the firms in the prescription drug food chain to create additional databases for the purpose of providing records to their various external partners, RxHub serves in a data transport role that mines information from all the sources in real time to process transactions, without ever aggregating the information itself.

Built around master data management software provided by vendor Initiate Systems, the RxHub infrastructure allows the involved parties to perform all the records validation work necessary for pharmacies to verify prescription and payment information in a matter of seconds, without demanding that anyone in the ecosystem create or retain any additional records.

In doing so, the system allows the companies to live up to the demands of regulations, including the Health Insurance Portability and Accountability Act (HIPAA), while protecting themselves from potential data leakage incidents, RxHub executives said.

“The idea was to create a hub for all of this sensitive data without ever creating a master database where the information itself would be stored; we’re more like FedEx, we look at the routing information, handle the package, and get it there reliably,” said JP Little, chief executive of RxHub.

“We’ve been very careful about how we architected these systems and our business itself from the get-go in terms of not wanting to retain any data,” he said. “This work was being done before we existed, but there was no hub; serving that role in the middle, the responsibility for security and controls remains with that various stakeholders, and the risk is lowered across the entire process.”

RxHub effectively specializes in real-time data mining, built on Initiate’s Enterprise Master Person Index (EMPI) technology.

When a patient requests a prescription at a pharmacy using the tools — which currently cover an estimated 135 million U.S. consumers — the transaction is pushed through RxHub, which in turn verifies the involved person’s information wherever it is stored by the various PBMs and health care providers involved.

Rather than creating a central record of all of that data, or storing any related information itself, the company merely delivers the relevant results regarding eligibility and payment details to the pharmacy, which can dole out the involved medicines and patient benefits. 

By eliminating the need to create additional databases of patient information throughout all the businesses involved, both the companies themselves and consumers covered by the system are less likely to become victimized by leakage events or attacks, proponents of the system say.

“A hacker would need to break into one of the PBMs or some other element of the overall prescribing system to get this data, we don’t actually have it,” Little said. “The idea is to eliminate the need to create additional databases; we access the data needed to carry out the transaction from all these different sources, but we never retain it; that’s the beauty of this type of an industry hub model.”

Officials with Initiate say that the distributed architecture approach being utilized by the pharmacy sector is catching on throughout a number of other areas within the health care industry, including some government projects.

Driven primarily by concerns around HIPAA and other regulations in the health care sector, company officials said that similar mandates in other markets such as the financial services space and even the law enforcement industry are driving interest from other types of organizations.

“With this type of data mining, companies are able to tie together separate systems in a real-time environment without putting themselves at risk of a data leakage event or an attack on the information,” said Scott Schumacher, chief scientist for Initiate.

“Companies can create centralized registries for these types of customer records that gather the data from source systems without ever disturbing it, or retaining anything that could be used to carry out fraud,” he said. “We believe that along with a number of other benefits to business, this approach also creates a more dynamic security model for data sharing, and we’re hearing from many different types of organizations today who have an interest in doing something similar.”

Schumacher said that Initiate typically competes for deals with IT industry giants IBM and Oracle, which have built similar systems for fostering secure information federation among business partners.

And some industry watchers agree that the strategy adopted by RxHub in the pharmacy business could appeal to other types of firms, in particular retailers, as they struggle with issues of data retention, protection, and regulatory compliance.

“This type of approach is already being used in the public sector, intelligence community, and in the financial services industry,” said Ray Wang, analyst at Forrester Research. “Whether it is tracking down suspects or identifying risk among credit bureaus, in effect, the idea is to find a quick match and link without the saving of data to ensure that no information is inappropriately saved, or can be leaked.”