Corporate Behemoths in Healthcare: Will the Patient Win?

The past several weeks have been abuzz with the mergers and acquisitions in the healthcare arena. CVS has purchased Aetna for a cool 69 billion dollars and went through the regulatory process with flying colors. Amazon (on their quest for world domination) has teamed up with Warren Buffett, CEO of Berkshire Hathaway and financial powerhouse J.P. Morgan to use their resources, influence and power to, according to Buffett, “tackle healthcare costs in our nation.” Buffett also said that healthcare, at 18% of our gross domestic product, or 3.3 trillion dollars annually, puts the U.S. at a competitive disadvantage. He believes the private sector can handle healthcare better than the government.

Albertson’s, a grocery company, is ready to acquire retail pharmacy giant Rite Aid. And now, Cigna, the insurance behemoth, is buying Express Scripts in a deal for upwards of 50 billion. Software giant Apple is dipping their toe into employee health, while things are starting to rumble at Wal-Mart, the retail monster.

After all of that information, you need a breather. But will a disruption by these companies be the thing that makes healthcare better in the U.S.?

Yet, as a patient advocate and caregiver supporter, my main concern is this: Will all of this be a win for patients, caregivers and families? You know – the healthcare customers?

While the shake-up in healthcare is oh-so-long overdue, is the combination of behemoths the right way?

First, this healthcare shake-up won’t be the last of the behemoths to combine. I would be willing to bet on that. We have yet to hear from the likes of Microsoft, Walgreens, Google or any of the Generals (Electric, Motors, Mills). What about other insurers? Where is Humana or United Healthcare in this game?

Many companies will follow suit. It’s just a matter of time. I liken it to the most popular girl in high school getting into a relationship with the most popular boy and becoming a force to be reckoned with. Everyone will see the trend, its benefits and potential, and jump into it. Sorry for the high school analogy.

The point is everyone sees that it is time for change in healthcare.

So what’s in it for patients/customers?

Something we must question is this: Are these corporations in it for the billions of dollars that healthcare is worth or do they really want better conditions, cost and efficiency for patients? Will the combination of all these behemoths reach past their employees and meet the needs of all patients in our nation? What are their motives?

My mission is to empower patients and caregivers to navigate healthcare confidently and correctly, to save them and all parties involved time, money and frustration. I show them that they have rights and responsibilities in their healthcare journey and must take a strong and active role in their care. Patients are the lifeblood of the healthcare system.

None of these behemoth combinations will be successful without patient/customer buy-in. They’d better put all of their goals into a nice and helpful package for patients so they feel supported and empowered. If these corporations can show how the patient will be helped and how their alliances can save money for all parties involved, they should have no trouble in the regulatory processes they face.

But I implore all of you behemoths… DO SOMETHING.

Do something for the 64% of Americans who avoid getting care because they are afraid of the costs.

Do something for the working poor who make too much for Medicaid and not enough to afford skyrocketing healthcare premiums.

Do something that shows how healthcare can actually be affordable and where service prices do not have to be excessive.

Do something to empower patients and establish real healthcare cost transparency.

Do something about actual care and system processes to show that it doesn’t have to be as difficult or time-consuming as it is currently.

You behemoths have the power to change healthcare for the better for the foreseeable future and possibly, forever. Please don’t look down from your Ivory Towers upon us mere mortals and pity us or hope for the best. Do something.

Make it a win for patients, and we all will win.


Healthcare Risk Assessment


The purpose of a Risk Assessment is to identify threats and vulnerabilities and develop a plan to mitigate the risks identified within the assessment. Like all processes, we can make it easy or extremely complicated and difficult. Planning is the key.

C-I-A Triad

The C-I-A triad consists of three elements: Confidentiality, Integrity and Availability of data and data systems.

Confidentiality simply means controlling access to those who have a legitimate need to know. Integrity is ensuring that the data hasn’t been altered; and Availability means the data can be accessed and used by those who need to access the data.

This is a relatively simple concept that has far-reaching impact in the world of Healthcare and HIPAA.

A Risk Assessment will help administrators and compliance personnel identify risks to their medical practices before they become a problem.

An annual Risk Analysis is required by the Department of Health and Human Services.

Risk Analysis and the Security Rule

The Department of Health and Human Services through its lower level agencies requires an annual Risk Assessment. This Risk Assessment is based on Special Publication 800-66, by the National Institute of Standards and Technology, which provides instructions for conducting a Risk Analysis as defined by the HIPAA Security Rule.

The outcome of the Risk Analysis is critical to discovering and mitigating actual and potential vulnerabilities from your information systems and workflow practices.

Failure to comply may cost your business money due to fines and penalties.

Risk Analysis Process

Like anything else, conducting a Risk Analysis is a process, and your first one can seem like an overwhelming task. Let’s tame this beast.

The first step is to understand the basic information and definitions regarding conducting a Risk Assessment.


Have you heard the old joke about how do you eat an elephant? Answer: One bite at a time.

This punch line could have been expressly written for conducting risk assessments.

First, we need to know the jargon used in the process. We need to develop a baseline for understanding what we are going to do, how we do it, and finally what we are going to do with it.


NIST SP 800-33 defines vulnerability as a “flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system security policy.”

No system is without vulnerabilities. Vulnerabilities arise out of coding errors, changes to procedures, system or software updates, and changes of threats over time. The analyst must be aware of evolving threats and vulnerabilities, while actively working to resolve currently defined problems.

This process never ends.


A threat is “the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.”

A vulnerability isn’t necessarily an issue until there is a threat to exploit the vulnerability. Common natural threats are fires, floods, or tornados. Human threats are computer hacks, careless control of ePHI, or inadvertent data exposure. Environmental threats are things like power failures.


Risk is defined by the presence of a vulnerability that can be exploited by an appropriate threat. You can’t have one without the other.

The level of risk is determined by the expected level of damage that could result from the vulnerability being exploited combined with the likelihood of the vulnerability being exploited.

Risk = Severity of potential damage + Likelihood of the Threat

Elements of a Risk Assessment

By breaking the Risk Assessment process into smaller, more manageable pieces, we can complete our task quickly and efficiently. Well at least efficiently.


The Scope of a Risk Analysis is an understanding of what the analyst is attempting to determine. Different industries have different requirements, so the Analyst must be up to date on their processes and procedures.

In the scope, the analyst and the business entity clearly define the goals of the project. They determine how to accomplish those goals, and how the required data can be gathered during the Risk Management process.

Data Collection

Care must be taken to not compromise ePHI during this data collection process. Part of the data collecting process refers to how protected data is stored and should be treated like any other data point.

Identify Potential Threats and Vulnerabilities

As each threat or vulnerability is identified, it must be recorded for evaluation. This evaluation should include the level of risk should the threat or vulnerability be exploited.

The analyst can only mitigate risks that are known. This is why it is critical that the Risk Assessment Team have access to the data.

Assess Current Security and Potential Measures

All identified risks, threats and vulnerabilities must be evaluated. Some risk will always be present. The analyst must categorize what is harmful and what is possible, and then develop security measures to correct the perceived risk.

Determine the Likelihood of Threat Occurrence

Likelihood is based on how likely the vulnerability is to be exploited. If the likelihood is low then it is less likely to happen. If so, then the risk is lower.

Determine the Potential Impact

Putting everything together allows the analyst to determine the potential impact of a specific event. For example, if your area is prone to flooding, how would that affect your business?

Determine the Level of Risk

Combining all the data you have collected into a Risk Matrix or Risk Register will help you determine the potential for damage.

For example: If your identified risk is low, the potential for damage is low and the likelihood of occurrence is low; then your risk will be low. However, should one of these items be high or medium impact or likelihood, then your potential for risk will be increased.

Using a risk register is essential to completing your risk assessment properly.

Finalize the Document and Report

After gathering and analyzing your data you will need to present a Risk Assessment report. This report must be clear and concise, detailing all activities that took place, their outcomes and potential risks.

The HHS website has some tools to assist with this effort.

Risk Mitigation

Risk mitigation is often the hardest part of completing a Risk Analysis in that now actual resources and money must be allocated. Establishing a priority list here is essential.

Your goal is to mitigate all negative issues. You probably won’t reach that goal, but you should try. At the very least, you should start your mitigation process with the most dangerous processes first and work your way down the list in order of severity.
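As an added illustration (not part of the original article), the risk register and the priority list described above can be kept as a small Python script. The entries are constructed samples, and the three-point rating scale and the band cut-offs are assumptions; the score adds impact and likelihood as in the formula given earlier, and a vulnerability with no threat to exploit it is left out of the list.

```python
from dataclasses import dataclass
from typing import List, Optional

LEVELS = {"low": 1, "medium": 2, "high": 3}  # assumed three-point rating scale

@dataclass
class RiskEntry:
    vulnerability: str
    threat: Optional[str]  # None = no known threat can exercise the vulnerability
    likelihood: str
    impact: str

    def __post_init__(self):
        for rating in (self.likelihood, self.impact):
            if rating not in LEVELS:
                raise ValueError(f"unknown rating: {rating!r}")

    def is_risk(self) -> bool:
        # A vulnerability is only a risk when a threat exists to exploit it.
        return self.threat is not None

    def score(self) -> int:
        # Additive combination, following the article's formula.
        return LEVELS[self.impact] + LEVELS[self.likelihood]

    def level(self) -> str:
        # Band cut-offs are an assumption: only low + low stays "low".
        s = self.score()
        return "low" if s <= 2 else "medium" if s <= 4 else "high"

def mitigation_order(register: List[RiskEntry]) -> List[RiskEntry]:
    # Highest score first; ties go to the entry with the higher impact.
    risks = [e for e in register if e.is_risk()]
    return sorted(risks, key=lambda e: (-e.score(), -LEVELS[e.impact]))

# Constructed sample register for a small medical practice.
REGISTER = [
    RiskEntry("Server room on ground floor", "flood", "low", "high"),
    RiskEntry("No backup power for records server", "power failure", "medium", "medium"),
    RiskEntry("Unencrypted laptops holding ePHI", "careless control of ePHI", "high", "high"),
    RiskEntry("Unpatched front-desk workstation", "computer hack", "medium", "high"),
    RiskEntry("Paper sign-in sheet at reception", "inadvertent data exposure", "low", "low"),
    RiskEntry("Retired modem left in closet, unplugged", None, "low", "low"),
]

if __name__ == "__main__":
    for e in mitigation_order(REGISTER):
        print(f"{e.level():6} {e.score()}  {e.threat}: {e.vulnerability}")
```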

Continuous Updates

By conducting an annual Risk Assessment, you can ensure you are meeting compliance standards, protecting your patients, and minimizing the overall risk to your medical practice.


Risk Assessments aren’t glamorous or even fun, but they are necessary to help prevent security related problems and meet governmental regulations.

Creating an outline of your Risk Analysis plan and breaking it into smaller pieces will help you complete it with the least amount of time and frustration. Unfortunately, the larger your medical practice, the more complicated the Risk Assessment.

The Department of Health and Human Services has several tools to help you conduct your own Risk Assessment. Oh, and remember, Risk Assessments are required!
