Guest post by Rachel Marren
One of the top headlines of the last week is the Anthem security breach, which, according to USA Today, might be the biggest healthcare breach of all time, with up to 80 million individuals affected. Although no medical or credit card information was stolen, personal data such as names, Social Security numbers, and birthdates have been compromised.[1] As reported by The New York Times, this information could be used for identity theft or to target government or corporate leaders.[2]
The Health Insurance Portability and Accountability Act (HIPAA) requires public disclosure of healthcare information breaches involving more than 500 individuals.[3] These disclosures can be viewed on a page of the US Health & Human Services Office for Civil Rights,[4] often referred to as “The Wall of Shame.” However, many industry experts argue that this and other measures required by HIPAA and the HITECH Act are not enough to protect patient privacy.
One big topic of contention is encryption, which is recommended but not required by HIPAA. Anthem did not encrypt Social Security numbers or birthdates, and claims that encryption would not have prevented the breach. However, outsiders have suggested that encryption that limits the amount of data administrators can access could help control major breaches.[5] With calls for increased encryption and the ubiquity of articles with titles such as “10 Ways to Strengthen Healthcare Security”[7] and “Health Information at Risk: Successful Strategies for Healthcare Security and Privacy,”[8] it is clear that there are measures that could be taken but currently are not.
This breach has raised serious concerns among consumers, industry members, and public officials. Although medical information was not accessed in this specific incident, patients are seeing that information about their health is not as secure as they would like. This is extremely relevant today, with electronic medical records and healthcare apps on the rise. Patients now not only have to feel comfortable disclosing personal information to their doctors, but also must feel confident in the security systems guarding their doctors’ electronic records. If physicians and patients are to trust new technologies, it is crucial that information security in the healthcare sector undergo major improvements.
[1] http://www.usatoday.com/story/tech/2015/02/04/health-care-anthem-hacked/22900925/
[2] http://www.nytimes.com/2015/02/07/business/data-breach-at-anthem-may-lead-to-others.html?ref=health&_r=0
[3] http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf
[4] https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
[5] http://www.pbs.org/newshour/rundown/lack-health-care-cyber-security-standards-raises-questions/
[6] http://www.wired.com/2015/02/breach-health-insurer-exposes-sensitive-data-millions-patients/
[7] http://www.informationweek.com/healthcare/security-and-privacy/10-ways-to-strengthen-healthcare-security/d/d-id/1306631
[8] http://www.ehealthnews.eu/images/stories/pdf/successful_strategies_for_ health care_security_privacy.pdf