Health Data Breaches: Does the Federal Government Already Have the Authority to Begin Fixing the Problem?

Wednesday evening, Anthem, the second largest health insurance company in the United States, revealed that it had suffered a massive data breach. Anthem covers one in nine Americans and, as The Washington Post reports, this may amount to the largest data breach yet at a major insurance company. The underlying problem at many large organizations is that cybersecurity does not easily factor into the cost-benefit risk analysis that executives use when deciding how to allocate time and money, and that in itself is a problem.

While many will use this event as evidence to support a national data breach notification law, such a requirement would in fact be nothing more than a bandage, and would hardly prevent such breaches from occurring in the first place. It turns out, however, that the federal government may already possess the authority to encourage health insurance companies to implement stronger data protection technologies. In order to explore this possibility, we will look at the example provided by another industry plagued by breaches and fraud: payment cards.

Just like healthcare organizations, U.S. banks and financial service companies have lagged behind when it comes to utilizing the most secure technologies. While the rest of the world took steps to implement secure EMV payment card standards – which utilize secure electronic chips to facilitate financial transactions – U.S. banks continued to issue magnetic stripe cards, which are highly insecure and can be easily duplicated by criminals.

U.S. banks have finally begun issuing chip-based smartcards, with most scheduled to roll them out by the end of the year. But how did we get here?

The Durbin Amendment to the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act provided the Federal Reserve with the authority to adjust interchange fees – a type of fee charged by banks during a transaction – in order to encourage the adoption of fraud-prevention measures. Those measures included secure EMV payment cards.

So how does all this relate to healthcare data breaches?

Once again we are faced with an industry – healthcare providers and insurers – that generally fails to implement the most secure technologies when it comes to protecting its customers' data. While insurance providers are largely regulated at the state level, the Affordable Care Act (ACA) significantly increased the role of the federal government in regulating the private insurance marketplace. A cornerstone of the law was the creation of exchanges that offer ACA-compliant plans and give consumers the ability to receive federal tax credits towards purchases, thus incentivizing exchange participation on the part of the insurers.

The Department of Health and Human Services (HHS) has issued numerous rules mandating the types of plans that are eligible to be listed on the exchanges. However, what about data security?

HHS should begin establishing a set of minimum privacy and data security requirements that all companies must adhere to in order to receive the privilege of exchange participation.

Indeed, President Obama's Executive Order issued October 17, 2014 mandates that all executive departments and agencies releasing personal citizen information require "the use of multiple factors of authentication and an effective identity proofing process" before such data is released. Why should we require the federal government to take extra care when handling our personal data, but not private companies participating on government-run exchanges? HHS should ensure that it fully implements both the spirit and the letter of President Obama's executive order by prioritizing data privacy and security.

This potential solution would not completely fix the problem. For example, there is still the issue of data security on the part of providers. Additionally, insurers that have decided to forgo the exchanges would not feel the same incentives as exchange participants. But it would go a long way towards cementing health data security as a key federal priority moving forward, and force the nation's largest insurers to begin getting serious when it comes to our personal medical data.
