How Kodiak protects your data's privacy and security
Attend Kodiak Summit Terrain and learn why you can rest easy when you send your sensitive financial information to Kodiak.

At last count, the number of Kodiak Platform and Revenue Cycle Analytics users was 2,100 hospitals and 300,000 physicians with combined annual gross revenue of more than $1.4 trillion and for whom Kodiak aggregates more than 3 million transactions each day.
That’s a lot of data moving back and forth between users and the platform at a time when the number and seriousness of healthcare data breaches are escalating. (For more on that, please read “Learn how your hospital can outsmart cybercriminals” by yours truly.)
Yet despite all the risks lurking out there, Melissa Dill, Kodiak’s Chief Data Privacy Officer, says she’s able to fall asleep and stay asleep every night.
But that doesn’t mean Dill doesn’t wake up thinking about it. She does.
“I wake up thinking about all those bad actors out there who are paid handsomely to figure out how to steal healthcare data because it’s so valuable,” Dill says. “We have to outsmart the bad actors. We have to figure that out every day to stay ahead of them.”
In doing so, Dill and her team take that worry off the shoulders of Kodiak Platform users and place it on themselves. Kodiak Platform users can instead focus on learning and using the tool. One upcoming learning opportunity, Kodiak Summit Terrain, is an in-person event to be held Oct. 27-29 at the Brown Palace Hotel & Spa in Denver.
I asked Dill a few questions about how Kodiak protects the privacy and security of Kodiak Platform user data and why she’s cautiously confident—yet continuously on guard—regarding the job to be done for hospitals, health systems, and medical practices that trust Kodiak with their data.
***
Busch: How many different data points or data elements do you collect from a single RCA user?
Dill: We collect a standard set of data elements for each user. The number of individual or different data elements is about 200. Some of the data elements in some cases might be duplicative. An example may be one doctor practicing at different sites at the same hospital or in the same health system.
Busch: Where do those data elements come from? Where are users sending the data elements from?
Dill: The two primary data sources are a customer’s patient accounting system and their electronic data interchange (EDI).
Busch: How do Kodiak Platform users send or transmit their standard set of data elements to you?
Dill: Platform users send us data via SFTP, which stands for Secure File Transport Protocol. Companies use SFTP to securely move files over a network, especially files with sensitive data. The system encrypts the data, and it uses what’s referred to as a “secure shell” to authenticate and then verify the identity of the sender and the receiver at each end of the transmission.
Busch: How often do users send their standard set of data elements to you via SFTP?
Dill: Users set up a feed to automatically run each day. They typically set it up to run late in the evening well after the close of business. The exact time and how long it takes to send depends on the size of the files and the amount of information that’s coming through.
Busch: Does the data go from point A to point B without any stops like an express train? Or does it make any stops along the way like a local train? And how do both ends know that the data reached its destination?
Dill: It’s an express. No stops. The data goes directly from the user’s systems to Kodiak’s servers and applications via SFTP. We’ll be notified if the files didn’t load correctly. We refer to that as “erroring out.” Sometimes it’s for a simple reason like a disruption in transmission. Sometimes it’s because of problems with the data itself. We work closely with our customers to ensure that daily transmissions happen error free.
Busch: How do you know that the system works as intended and protects the privacy and security of user data sent to Kodiak? Do you follow any standards? Do you test it?
Dill: Kodiak does both. First, we adhere to NIST standards for data protection. The NIST is the National Institute of Standards and Technology. We also follow NIST’s privacy framework. Second, the American Institute of Certified Public Accountants certifies Kodiak for meeting the AICPA’s standards for System and Organization Controls. In March, we achieved SOC 1 Type 2 and SOC 2 Type 2 certification for products and technology-enabled services.
We’re assessed annually for SOC 2 and semiannually for SOC 1. A CPA firm comes in and gathers information and evidence to make sure that we’re operating according to both sets of SOC standards. Then we do our own regular data validation checks to verify that we’re getting the right data from the right user and that we’re mapping their data to the right applications on the platform.
Busch: Is there a point at which a user’s data is the most vulnerable? Is there a weak link in the chain?
Dill: There is risk everywhere. There is always risk when you’re moving data. There is always risk when you’re storing data. That’s why we work hard to stay one step ahead of the bad actors out there trying to find that weak link in the chain and exploit it. We build systems and implement tools to protect data at every step in the process. We have an entire portfolio of tools that protect data, and we’re continuously expanding that portfolio.
Busch: We’ve talked a lot about technology, but it’s people who hit the buttons and click on things. What staff education and training does Kodiak do to protect the privacy and security of platform user data?
Dill: Staff education and training is a huge component of our data protection program. It starts with new hires. They go through extensive training. They have to pass a data privacy module, an information security module, and a HIPAA business associate module. They sign code of conduct and acceptable data use agreements. For existing employees, we do mandatory annual training and episodic and periodic training exercises such as a quarterly phishing test. We do this by sending out a “trick email” to see how many people fall for it. If you do, you’re automatically enrolled in additional training.
Busch: Last question, Melissa. Artificial intelligence is everywhere. First, it’s AI. Then it’s generative AI. Now it’s agentic AI. All AI feeds on data. How has the demand for AI solutions to improve healthcare business processes like revenue cycle affected what you do?
Dill: That’s a great question. There is a lot of noise out there about AI, but we take all of it very, very seriously because our customers have entrusted us with their data. Not unlike everyone else, Kodiak is evaluating our options for using AI to make our own products and solutions better. It is important to note that we do not use customer data to develop, test, or train AI models from a third-party tech company. We do want to be innovative. But we also want to be smart and protect the privacy and security of our customers’ data as well as Kodiak’s data.
Busch: Thanks, Melissa. This has been great. I’m sure Kodiak Platform users appreciate the opportunity to look behind the curtain and see how you and your team keep their data safe.
Dill: Thanks, Eric. Like I said, we’re cautiously confident but always on guard.
***
We’ll be talking more about data privacy and security and how it relates to the Kodiak Platform and RCA Next, the next generation of RCA, at Summit Terrain. Registration is now open.