Data Breaches and Transparency: Is Health Data Safe?

There is no denying that all hands are on the throttle with a clear roadmap for how to prevent healthcare data breaches. Billions are being spent annually to implement test remediation strategies to lock down all data stores, improve security, monitor bad actors and improve technology including employee and contractor awareness and training.

Vendors are being put through the ringer to have cyber security liability insurance coverage up to and in excess to $100MM for minor and major access to member and patient data and are subjected to periodic assessments and mandatory Fraud, Waste and Abuse training to ensure there is transparency during and after delivery implementation to ensure effective monitoring using standards of operations (SOP) based in best practices. All good things! However, is there similar effort to ensure that if there is a breach, what protocols, business continuity planning, budgets and resources are committed, and in place to support a mitigation strategy when things go wrong. It is not a matter of "if" but "when".

Healthcare data privacy and security concerns are pushing healthcare payers and providers to reconsider whether or not they want to adopt mobile and digital health tools, according to the 8th Annual Industry Pulse Report from Change Healthcare and the HealthCare Executive Group according to HealthITSecurity in March 2018. So how are payers and providers managing the demand for digital capabilities with evolving sophistication and persistence of hackers?

What studies suggest that what is critical to successful data management is how a breach is managed which starts with transparency between data owner, employees, contractors, partners, vendors, clients and impacted customers. Notification that is timely, complete along with continuous communication is even more valuable to be effective.

Accordingly to Healthcare IT News, Minnesota-based Associates in Psychiatry and Psychology notified 6,546 of its patients that their data may have been breached after a ransomware attack hit the provider in March 2018. Hackers breached APP's servers somewhere between the evening of March 30 and the morning of March 31. Officials said that all of the data files on its main servers were locked down with a RSA2048 encryption protocol, and the hackers disabled the system restore function on all impacted computers.

Are members concerned -- yes!! Millions of members are impacted every year and have no control over breaches which create inconveniences, require closing accounts, adding expensive credit monitoring services, and set up of even more notifications of transactions than "Breaking News" alerts on cable television. What is even more concerning is a pattern which reveals that, in many cases, payers, providers and their 3rd Party vendors go months before realizing they have been hacked! Types of data being exposed are a combination of patient names, Social Security numbers, phone numbers, driver’s license numbers, financial account details, credit or debit card information, medical information, provider information, and, if applicable, Medicaid identification numbers, according to Healthcare IT News.

What members and patients should know is that this is work in progress. What providers need to understand is that they cannot take their eye off the ball. There are some leaders in the Cloud space who are taking measures to ensure they are incrementally improving their infrastructure and underlying technology and services.  As early as July 2018, Google Cloud and ClearDATA, a healthcare cloud provider, teamed up to bring cybersecurity and compliance tools to IT developers in the healthcare and life sciences industries. They reported that their collaboration resulting in connecting pharmaceutical, life sciences and healthcare developers with a secure environment to access Google Cloud's analytics and machine learning tools, the companies aim to help scale health IT infrastructure and accelerate healthcare innovation.

According to HealthITSecurity, "Healthcare organizations are transitioning from negative to positive incentives to influence consumer behavior much faster than most would expect, and payers are also taking aggressive steps to advance value-based care and crack the code to successful consumer engagement." What do member and patients care? They want access to their health information, to their doctors and healthcare providers 24/7 and they are increasingly sharing health-related data with providers -- FitBit, NUMi, myChart to name a few. The alarms have been muted because other than the actual breach announcements, most members and patients are not even aware until there are confirmed attacks by their preferred financial institutions and credit monitoring organizations and/or disclosure of compromising data showing up in social media.  

The true impact is yet to be understood and is an on-going challenge so stay engaged, turn on those courtesy notifications and follow up.  For more information email us at info@thorneyadvisors.com.