Cybersecurity legislation only a partial solution
July 3, 2015
Data breaches have grabbed headlines in recent months – and arguably none of them was more shocking than the one that occurred at Anthem, the nation’s second largest health insurer. That breach compromised the Social Security numbers, dates of birth and email addresses of about 80 million current and former Anthem members and employees. That’s the equivalent of the combined population of California, New York, Illinois and Maryland.
In the wake of the highly publicized Anthem and Sony breaches, the Senate Intelligence Committee recently passed the broadly bipartisan Cybersecurity Information Sharing Act (CISA) that would make it easier for private sector companies to share information about cybersecurity threats with government agencies. That bill is expected to be fast-tracked through Congress this spring.
The Center for Strategic and International Studies estimates that the total economic loss associated with cyber-attacks runs as high as $400 billion per year. That’s why Congress will likely act quickly to address the problem. While in committee, CISA received 12 amendments to help safeguard privacy. As the bill moves forward, organizations like the nonprofit Center for Democracy and Technology are calling for Congress to remove consumers’ personally identifiable information – in our world, HIPAA data – before it gets shared with government agencies. With those safeguards in place, it will be a bill worth passing. But legislation alone won’t be a total solution, especially in healthcare.
The shocking truth is that only about 6 percent of healthcare data breaches to date (as reported on the Health and Human Services “Wall of Shame”) are the work of hackers. The other 94 percent are the result of simple human errors and transgressions, usually made by a provider’s own employees or business associates. The miscues run the gamut from snooping into celebrity health files and improperly disposing paper records to losing laptops containing unencrypted patient data. In short, a hospital or health system might congratulate itself on avoiding an Anthem-scale breach, only to get stung by smaller breaches that can still tarnish its reputation and cost millions to remedy.