In the years since the passage of the 2009 HITECH Act, more than 30 million people in over 900 separate incidents have been affected by breaches of protected healthcare data. HITECH requires covered entities to report to HHS any breach affecting 500 or more individuals, and HHS publishes those reports, but these numbers alone do not tell the whole story. In a report to Congress, HHS disclosed that approximately 165,000 additional victims had been involved in 'smaller incidents' that fell below the 500-victim reporting threshold.
The Ponemon Institute estimates that data breaches cost the healthcare industry roughly $5.6 billion annually, and the Identity Theft Resource Center reported that healthcare data breaches accounted for almost half of the major incidents reported across all industries (the first time healthcare has topped its list).
- The turbulent rollout of the public health insurance exchanges, with many questioning how much attention was paid to securing them
- The discovery of the Heartbleed bug in OpenSSL, which left servers across the Internet vulnerable to memory disclosure and sent millions of consumers scrambling to change their online login credentials
- The theft of 4.5 million patient health records from Community Health Systems (CHS), reportedly made possible by Heartbleed. This was the second-largest breach of health records ever in the U.S., and many in the healthcare industry fearfully anticipate further attacks enabled by information stolen through the vulnerability
- Hackers successfully breached the Healthcare.gov website and left behind malicious software. Though no patient data is believed to have been taken, many worry about further attacks as a new enrollment period approaches and the exchange is flooded with new patient information
What are criminals stealing?
- Criminals are targeting Social Security numbers, which in turn are used to steal identities and to open fraudulent credit card and bank accounts and obtain fraudulent passports
- In other instances, the goal is electronic Protected Health Information (ePHI) or Electronic Medical Records (EMRs), which give criminals the information needed to fraudulently receive healthcare services under the guise of being insured, an $80 billion per year problem for the public insurance sector alone
A Large Target Just Got Larger
In December, HHS proposed a new rule that would widen the amount of information shared as part of the Medicare Shared Savings Program (including with Accountable Care Organizations, or ACOs) and "streamline access to such data to better support program and ACO function and goals..." As shown below, the shared data set would include not only the beneficiary's name, date of birth, health insurance claim number and sex, but four further categories of information:
- Demographic data, such as enrollment status
- Health status information, such as risk profile and chronic condition subgroup
- Utilization rates of Medicare services
- Expenditure information related to utilization of services
Industry Regulators and Other Healthcare Stakeholders Take Action
- In 2015, the HHS Office for Civil Rights (OCR) began a random audit program covering not only covered entities but also business associates, expanding its focus from providers to the broader healthcare landscape
- The New York State Department of Financial Services announced it will introduce stringent cybersecurity standards and begin performing targeted assessments and reviews of insurance companies (which will likely affect healthcare payers)
- The National Health Information Sharing & Analysis Center (NH-ISAC) and the Center for Internet Security (CIS) announced a partnership to strengthen nationwide cybersecurity measures for the healthcare industry, including a focus on medical devices
On their own, these measures will not be sufficient to combat the criminal threat, but they are the beginnings of an alignment between regulatory and technology-based solutions that will mature over time.