Opinion: Healthcare has no incentive to keep patient data secure

Experts largely agree: Healthcare hacks are going to happen, and the rate and severity of breaches are only expected to increase.

The future looks bleak for healthcare data privacy. Or, maybe the industry should be honest with itself and realize that privacy does not exist in healthcare, suggests a post from the Brookings Institution's Center for Technology Innovation.

Niam Yaraghi, a fellow in the Center for Technology Innovation, and Joshua Bleiberg, a research analyst for the center, write that the Anthem breach demonstrates the nonexistence of privacy in healthcare, as well as the lack of incentive for healthcare organizations to truly protect patient data.

The number of healthcare breaches rises each year. In 2008, there were 13 reported incidents of breaches exposing the data of more than 500 patients. In 2013, that number rose to 256, according to Brookings' analysis of the Office for Civil Rights' breach reporting database.

Mr. Yaraghi and Mr. Bleiberg write that protecting customer privacy isn't as high a priority in healthcare as it is in other industries because healthcare companies face less competition from other providers. "Imagine what would happen if the databases of a major online retailer, such as Amazon, were hacked," the authors write. "Customers would immediately react by avoiding Amazon and shopping from other online retailers…. If such breaches happen too often and receive enough publicity, there is an increased probability that the targeted businesses will lose their customers and eventually go bankrupt."

Healthcare organizations, the authors argue, don't face that same economic incentive for a number of reasons. Patients aren't likely to change providers, even if the provider suffers a data breach, largely because they choose providers based on geographic proximity. For many patients, nearby providers are in a limited supply. "The scarcity of specialized medical services means most patients have no choice," they write.

What's more, even if a patient does choose to switch providers, there are emotional and medical costs involved that still won't guarantee the protection of their information, Mr. Yaraghi and Mr. Bleiberg write.

With regard to payers, most customers don't have a choice in selecting health plans, according to an editorial written by the editorial board of The Bangor Daily News, which also argues there is no incentive in healthcare to protect patient data.

According to the editorial, approximately half of Americans receive health insurance through their employers, which means they don't have a say in the payer. If a customer wants to switch payers, they have to wait until the next open-enrollment period.

Even HIPAA isn't an adequate safeguard against data breaches, Mr. Yaraghi and Mr. Bleiberg write in the report from Brookings, arguing that the penalties for violating policies designed to protect patient privacy aren't significant enough. For example, HIPAA imposes a maximum penalty of $1.5 million for healthcare organizations that knew of privacy violations but did not prevent them. In the latest Anthem breach that compromised the records of 80 million people, a $1.5 million penalty on Anthem's $2.5 billion net income for 2014 would hardly make a dent, totaling just 0.00058 percent of the payer's income. "Anthem makes that much money in one hour and 15 minutes," Mr. Yaraghi and Mr. Bleiberg write.

If the healthcare industry wants to prevent future data breaches, the priorities and incentives to do so have to become apparent.

Both the editorial piece from The Bangor Daily News and the report from Brookings suggest more laws and regulations might be the best course of action in combating cybersecurity threats, the former suggesting harsher penalties and required compliance with security practices, and the latter suggesting a more proactive approach to prevent risks from occurring at all.

"Hackers' abilities will continue to evolve," concludes the editorial from The Bangor Daily News. "So should cybersecurity laws."


Copyright © 2024 Becker's Healthcare. All Rights Reserved.

 
