
~ by Dr. Irving Loh, MD
Unless you’re a health care practitioner who’s been in a coma or a survivalist just now emerging from a cave, you’re aware of the sophisticated hacker attack on Anthem’s information technology network that exposed about 80 million current and former subscribers. You might think about going back into that cave.
This is the largest known and reported (possibly important caveats) illegal intrusion into a healthcare company (America’s second largest), in which the attackers obtained personal information such as names, addresses, social security numbers, medical IDs, email addresses, income and employment records. Exactly who perpetrated it is still unknown, but the usual suspects of state-sponsored or organized criminal hackers are most likely.
In the letter we received from Anthem’s CEO, Joseph Swedish, the company found no evidence that credit card or personal medical data were compromised, but that is of little solace since hackers have enough to create identity theft headaches for years to come. Personal medical data may be used by criminals to fabricate insurance scams or extort monies from patients with sensitive medical data. State sponsored entities might pay to know the medical history of important individuals. Regardless, these are the trees and the problem is the forest. The data was vulnerable and apparently unencrypted. More on that in a moment.
The Health Information Trust Alliance, a data security collaborative known as HITRUST, reports that Anthem adopted “strong information security controls” and participated in “cyber preparedness exercises” that were “crucial in their ability to detect, analyze, remediate and collaborate swiftly and effectively.”
Wait. The horse did leave the barn. This sounds more like a PR damage control statement.
After recent cyberattacks on Target, Home Depot and Sony, healthcare companies with their huge repositories of sensitive information should have gone into warp drive to secure their data. The most affected state insurance commissioners (CA, NY, OH, GA, etc.) and the U.S. government are now launching a nationwide investigation to focus on whether Anthem heeded earlier warnings about their security weaknesses and whether encryption should have been implemented.
Anthem’s Track Record
Other sectors, such as finance, have upped their security for years, but Anthem faced breaches before:
- In 2006, personal information of 200,000 members was stolen from a vendor’s office.
- In 2008, the insurer offered free credit monitoring after 128,000 members’ personal data were inadvertently placed online.
- In 2013, federal regulators identified an Anthem data breach involving 612,000 customers which prompted a penalty of $1.7 million.
- In 2014, the FBI sent out a healthcare industry-wide warning to tighten up their security measures.
Anthem stated encryption would not have blocked the cyberattack as the hackers had obtained a system administrator’s log-in. Fair enough, but the data obtained could have been encrypted in such a way that decryption keys held elsewhere, issued dynamically at the point of use, would be required to make any sense of those stolen data. From the subscriber vantage point, perhaps higher levels of encryption with more complex passwords, perhaps randomly generated, or biometric markers, need to be in place. A problem with biometric data is that you are stuck with them…if they get hacked (as they may be in the future), you can’t change your fingerprints, retinal scan, or earlobe metrics (OK, our plastic surgery colleagues can mess with the ears).
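The point above, that a stolen administrator log-in to the database should not by itself yield readable records, is the case for field-level encryption with keys kept outside the database. The following is an added example, not code from Anthem or from this article: each sensitive field is sealed with AES-256-GCM under a key that would be served from a separate key-management service, and the member identifier is bound in as associated data so a ciphertext cannot be moved to another row. The member record, SSN value and identifier are constructed for illustration; `NewKey`, `EncryptField`, `DecryptField` and `ContainsPlaintext` are names chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// MemberRecord models one row as it would sit in the database.
// Only the ciphertext of the SSN is stored; the key never lives in this table,
// so a dump taken with database-administrator credentials alone is unreadable.
type MemberRecord struct {
	MemberID     string
	Name         string
	SSNEncrypted string // base64(nonce || AES-GCM ciphertext+tag)
}

// NewKey returns a fresh 256-bit data-encryption key. In a real deployment it
// would be fetched at runtime from an HSM or key-management service (assumed
// here), never stored alongside the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptField seals one field value. The member ID is passed as associated
// data, so the ciphertext only authenticates for the row it was created for.
func EncryptField(key []byte, plaintext, memberID string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // a unique nonce per encryption
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(memberID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField; it fails on a wrong key, a tampered
// ciphertext, or a ciphertext copied from a different member's row.
func DecryptField(key []byte, encoded, memberID string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(memberID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// ContainsPlaintext is the check an auditor would run over a table dump:
// does the stored column still expose the raw value?
func ContainsPlaintext(rec MemberRecord, value string) bool {
	return strings.Contains(rec.SSNEncrypted, value)
}

func main() {
	key, _ := NewKey()
	ssn := "123-45-6789" // constructed sample value
	ct, _ := EncryptField(key, ssn, "member-1001")
	rec := MemberRecord{MemberID: "member-1001", Name: "Sample Member", SSNEncrypted: ct}
	fmt.Println("dump leaks plaintext:", ContainsPlaintext(rec, ssn))
	pt, err := DecryptField(key, rec.SSNEncrypted, rec.MemberID)
	fmt.Println("decrypt with key:", pt, err)
	_, err = DecryptField(key, rec.SSNEncrypted, "member-1002")
	fmt.Println("decrypt under another member's ID fails:", err != nil)
}
```

The design point is separation of duties: the database holds ciphertext, a separate key service holds the key, and the application is the only place both meet. A credential that reaches only the database, as described above, then yields nothing readable; compromising the application tier or the key service is a further, separately detectable step.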
To its credit, Anthem intends to notify patients with compromised data, and provide credit monitoring and identity protection services at its expense. It is unclear for how long, although California law requires at least one year. Anthem also provided a hotline and website for queries.
Should HIPAA apply?
Alexis de Tocqueville saw in Americans the cultural character trait of fair play. Since the advent of that necessary evil, HIPAA, healthcare practitioners have been subject to large penalties for each proven HIPAA violation. Even without the specific medical data, the personal information compromised by this mega-hack falls under the jurisdiction of HIPAA. Take that penalty times eighty million, and the Department of HHS will have made a dent in paying down the national debt. And forensic accountants need to make sure that any levied penalties are NOT cleverly passed through to their subscribers, but come out of company profits and executive bonuses. THAT would go a long way towards ensuring future data security. Write your congressman. Not a phone call or a blast fax, but write…it carries ten times the weight because members of Congress and their staffs are aware of the effort involved in creating it.
What do you think?
Bio:
Dr. Irving Kent Loh MD, FACC, FAHA (Epidemiology & Prevention), FCCP, FACP is a board certified internist and sub-specialty board certified cardiac specialist with an emphasis on preventive cardiology. He founded and directs the Ventura Heart Institute, which conducts education, research and preventive cardiovascular programs. Dr. Loh is a former Assistant Professor of Medicine at UCLA School of Medicine. He is Chief Medical Officer and Co-founder of Infermedica, an artificial intelligence company for enhancing clinical decision support for patients and healthcare providers.