BreachExchange mailing list archives

The Anthem hack shows there is no such thing as privacy in the health care industry

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 12 Feb 2015 18:31:38 -0700

http://www.brookings.edu/blogs/techtank/posts/2015/02/12-anthem-hack-health-privacy

Data breaches in the health care industry happen more often than you might
think. The recent attack on Anthem exposed the personal information of
about 80 million patients and is the largest data breach in the history of
the industry. Financial institutions, retailers, and other organizations
have all suffered major breaches, but the health care sector is an
increasingly attractive target for hackers. The Office for Civil Rights at
the Department of Health and Human Services provides detailed information
on breaches in which the data of more than 500 patients was exposed.
According to our analysis of this database, the number of such incidents
has increased from 13 in 2008 to 256 in 2013. The total number of patients
affected by such privacy breaches increased from about half a million
people in 2008 to nearly nine million people in 2014. The following plot
shows the data breaches in four types of health care entities. The size of
the bubbles is proportionate to the total number of individuals affected by
the data breaches.

Although it is neither economically nor technically possible to completely
eliminate the risk of data breaches, the current market structure and
regulatory framework in the health care sector differentiate it from other
industries and make it especially prone to future hacking attacks. This is
why we should expect larger and more frequent data breaches in the health
care sector in the future.

Digital security is not a business priority for health care organizations

Protecting the customers’ privacy is amongst the most important activities
of businesses in every industry, except the health care industry. Health
care companies have less competition than other industries where consumers
can choose between many different options and do business with an
organization that values privacy protection. For most companies, spending
on digital security is considered a strategic investment. It is a necessity
without which many of the current businesses will immediately vanish.
Imagine what would happen if the databases of a major online retailer, such
as Amazon, were hacked. Customers would immediately react by avoiding
Amazon and shopping from other online retailers. It is not hard to guess
that after the recent data breaches at Home Depot, many customers preferred
to swipe their credit card at other retailers such as Lowe’s rather than
risking it at Home Depot. If such breaches happen too often and receive
enough publicity, there is an increased probability that the targeted
businesses will lose their customers and eventually go bankrupt. This
creates a strong incentive for businesses to avoid data breaches through
strengthening their defenses. To attract customers, businesses should first
earn their trust.

Now consider the patients’ reaction to the Anthem hacking incident. They
are outraged, but lack useful responses. They can’t change their health
insurer and often must keep their health care provider. Most patients
receive health insurance through work or the government. If they are
covered under Medicare, Medicaid, or Military Health Insurance they do not
have any choice other than remaining with the same insurer. Employers
typically have long-term contracts with insurers to provide coverage for
their employees and it is very difficult to terminate such contracts. Even
if it was possible, despite their ethical obligations, the employers do not
have a direct and immediate interest to do so. After all, the breaches are
affecting their employees, not them.

Patients are unlikely to change their doctor if they are impacted by a data
breach. Most people choose their health care provider based on proximity to
their residence. There is a limited supply of such providers in a limited
geographical area. In many instances, there is only one specialist, testing
center or hospital within miles of a patient’s home. The scarcity of
specialized medical services means most patients have no choice. Patients
who overcome this barrier must still endure the emotional and medical costs
of switching their provider with no guarantee that the new provider will
better protect their privacy. The market for health care IT systems is
dominated by only a few vendors and the chance that two providers employ IT
systems with security features that are virtually the same is very high. It
is also conceivable that both providers belong to a larger health care
organization and use a single IT system, which suffers from the same
security problems.

In a market where such major security breaches have little to no effect on
the revenue stream of the organizations, there is no economic incentive to
invest in digital security and prevent a data breach.

Current health care laws fail to provide adequate protection

The Health Insurance Portability and Accountability Act, commonly referred
to as HIPAA, contains the most important set of laws that are specifically
designed to protect patient privacy. Although HIPAA suggests a set of
cautionary policies designed to protect patient privacy and prevent data
breaches, there aren’t significant penalties for violating these policies.
According to the latest revision of HIPAA, health care organizations that
“knew, or by exercising reasonable diligence would have known” of the
privacy violations but did not prevent them could potentially be fined a
maximum of $1.5 million. To put this in perspective, note that the net
income of Anthem in the 12 months ending December 31, 2014 was $2.5
billion. If Anthem were proven guilty of willful neglect, which is very
unlikely, it could lose 0.00058 percent of its net income. Anthem makes
that much money in one hour and 15 minutes.

In case of such major data breaches, class action lawsuits may be possible
under state law. But these lawsuits happen after the damage from a breach
is done. Due to the unique features of personal health information, it is
very difficult to measure the financial losses of the victims and fairly
compensate them.

HIPAA does not provide sufficient privacy protections for patients. Laws
and regulations should drive the health care sector to implement proactive
security measures and privacy policies to prevent such risks from happening
in the first place rather than designing contingency plans to deal with
financial consequences after the fact.

Anthem itself provides the best support for these arguments. According to
the Wall Street Journal, “it doesn’t expect the incident to affect its 2015
financial outlook, primarily as a result of normal contingency planning and
preparation.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 