Over the past year, HEP has begun hosting a quarterly CTO Roundtable series, led by Scott Whyte (Partner of Value Creation), to discuss common challenges and opportunities across its healthtech portfolio. Scott, who has over 25 years of experience in technology leadership roles across provider, payer, and life sciences organizations, moderates these discussions with CTOs and tech leaders from past and present HEP portfolio companies as well as our executive partner network. The Roundtable initiative aligns with HEP’s ethos and value creation strategy, as we aim to foster an exchange of ideas and thought leadership for our stakeholders. We are excited to share the key insights from our latest session and welcome interaction and engagement from our network as always.
Generative AI – Potential and Considerations
GenAI and its potential use cases, benefits, and risks are a consistent theme within conversations across our strategic network. Provider and payer organization leaders have ubiquitously underlined AI as a key focus for their technology departments. Much of the reason for this push has been driven by margin and labor pressures faced by healthcare organizations in the current macroeconomic environment. Many organizations have indicated interest in adopting AI technologies as a response to these pressures. On the provider side, health system expenses are outpacing Medicare reimbursement by nearly two times, driven by increased utility, drug, and labor costs. Regional payer organizations, on the other hand, are facing tightened margins due to competition from large national entities. Both groups are responding by adopting automation strategies, but the extent to which AI has actually been implemented as a solution varies widely. 57% of respondents to HEP’s executive survey completed at the end of 2023 indicated their organizations have not yet adopted or invested in generative AI, but intend to once ROI is proven by others.
CTOs attending the Roundtable described their own experience with varying acceptance levels of GenAI among clients, from outright rejection due to reliability and security concerns to enthusiastic adoption due to its promise. For the CTOs themselves, the utility of GenAI to-date has been centered on internal technology development processes, rather than an attachment to an external product. Those tech leaders who had positive experiences incorporating GenAI into their product suite mainly used it within well-defined, narrow applications. Key GenAI use cases discussed included:
- Fraud, Waste, and Abuse Detection: Leveraging predictive algorithms for preemptive identification of non-compliant claims and irregular provider behavior.
- Claims Processing Facilitation: Utilizing AI to streamline claims processing operations, including data entry, submission, and payment reconciliation.
- Medical Coding Automation: Employing generative AI to enhance the precision, efficiency, and speed of medical coding and provider payment processes.
- Patient/Member Risk Assessment and Scoring: Deploying predictive models to proactively manage high-risk patients using medical history, demographics, and social determinants of health.
- Patient/Member Experience Enhancement: Applying AI to deliver real-time support and address inquiries on claim status, coverage, benefits, and submission.
Along with these use cases come corresponding levels of risk. GenAI models are still development stage, and when they are used across sensitive datasets such as patient information, their risks are significant. The key risks mentioned by Roundtable participants included:
- Large Language Model Hallucinations: GenAI may “hallucinate,” providing factually incorrect, irrelevant, or fabricated responses.
- Omission of Information: These models can omit crucial details due to insufficient training data, failure to prioritize key information, or limited model capabilities, leading to flawed outputs.
- The “Black Box” Challenge: GenAI lacks reasoning ability and generates responses by predicting plausible word sequences, making the reasoning behind outputs opaque and trust difficult.
- Misuse and Over-Reliance: Incorrect application of these models can result in harmful medical decisions, and excessive reliance may diminish healthcare providers’ independent judgment.
- Data Quality and Bias Perpetuation: Models trained on unrepresentative data sets may perpetuate biases.
- Privacy and Security Risks: GenAI may pose risks to patient health data protection via unauthorized or improper use of personal health information (PHI).
While the potential of Generative AI in healthcare is significant, it raises concerns about the security of PHI and data integrity. As AI models process and learn from vast datasets that often include sensitive patient information robust data security protocols are essential to prevent unauthorized access and breaches. A striking example of such a breach is the Change Healthcare cyberattack earlier this year.
Change Healthcare Cyberattack – Impact and Response
On February 12th, cybercriminals accessed Change Healthcare’s systems via a social engineering attack, exploiting a Citrix portal that was not protected by multi-factor authentication. Nine days later, the attackers deployed ransomware on the system and a nationwide outage of Change’s payment processing system ensued.
The Roundtable discussion pointed to the fact that the attack only further underscores the need for robust security measures and represents a pivotal moment for advocating stronger cybersecurity practices among health systems and payer organizations. A survey by the American Hospital Association (AHA) revealed that 94% of hospitals experienced financial impacts from the Change Healthcare cyberattack, with over half reporting “significant or serious” effects. Over 80% of hospitals noted that the attack affected their cash flow, and nearly 60% reported revenue impacts of $1 million per day or more. Additionally, 74% of hospitals reported direct impacts on patient care due to the cyberattack. Roundtable CTOs discussed how primary cyber security risk emerges not from hospitals’ core systems, but from vulnerabilities within third-party technology and service providers. An analysis of the largest data breaches in 2023 revealed that over 95% of major incidents involving the exposure of more than 1 million records are linked to “business associates” and external healthcare entities, including a notable breach at CMS among the top 20 largest incidents for the year.
President Biden’s FY2025 budget has a heavy focus on cybersecurity in healthcare. Initially, budget funding targets ~2,000 hospitals identified as most in need of assistance for financial support packages for cybersecurity programs. In subsequent years, the funding extends to all hospitals to promote the adoption of advanced cybersecurity measures. Importantly, the budget introduces new penalties for hospitals that fail to comply with the Administration’s defined essential cybersecurity practices. Starting in FY2029, hospitals not adhering to these standards could face penalties up to the full amount of their annual funding increase. These robust protections and consequences for non-compliance when it comes to patient data underscore the administration’s view of cybersecurity as vital to the future of U.S. healthcare.
In terms of risk mitigation strategies moving forward, CTOs mentioned that their customers had already begun diversifying their clearinghouse operations away from Change Healthcare and often across multiple vendors. CTOs overseeing data interoperability platforms noted the attack underscored the importance of HITRUST and Qualified Health Information Network (QHIN) certifications, as the safety and ease of data sharing have become invaluable. Ultimately, the CTO Roundtable contended that conducting regular cybersecurity risk assessments, executing business risk analyses, and developing action response plans are key to ensuring security and privacy in the increasingly interconnected healthcare IT ecosystem.
Looking Ahead
The next CTO Roundtable session, scheduled for mid-July, intends to build on these discussions and introduce new topics related to technology adoption, cybersecurity, and new challenges and solutions. We thank our tech leadership participants for their participation and look forward to continuing to share Roundtable insights here on HEP: Pulse Check.