What should healthcare do about its cybersecurity problem?

Healthcare might want to take some cues from the financial industry.

The beat goes on when it comes to cybersecurity breaches in healthcare.

So far this month, Banner Health in Phoenix disclosed that it had data on 3.7 million people potentially exposed by a series of hacks. Another 3.3 million records were compromised at Newkirk Products, a company that issues ID cards for several Blue Cross and Blue Shield carriers.

Meantime, research firm Frost & Sullivan forecast that hospital spending on cybersecurity in the U.S. would grow by 13.6 percent annually for the next five years.

But does it really have to be this way? Niam Yaraghi, a fellow in the Brookings Institute’s Center for Technology Innovation, doesn’t think so.

In an op-ed for U.S. News and World Report this week, Yaraghi suggested that healthcare might want to take some cues from the financial industry. “Unlike healthcare organizations, the banking sector has mastered the art of mitigating the consequences of privacy breaches,” he wrote.

According to Yaraghi, banks have learned to notify customers of breaches quickly, then move to freeze the affected credit cards and send out new ones. Plus, more and more financial institutions are including fraud liability coverage with their credit cards.

“On the other hand, the response of healthcare organizations to a data breach only consists of panic, mandatory reporting and in some cases, provision of identity theft protection,” Yaraghi said. “Despite the fact that medical data breaches can be disastrous for patients, healthcare organizations have no viable strategy or technology to effectively reduce the negative consequences of data breaches.”

They also seem to take a long time to go public when there’s a cybersecurity lapse. Banner Health said it discovered the hacks on its payment systems on July 7 and another breach of patient, beneficiary and staff data on July 13. Some of the attacks actually started in June, but the health system didn’t go public with the news until Aug. 3.

Yaraghi said that “independent research organizations” — you know, like Brookings — and the federal government need to step in and identify motives and methods of cybercriminals in healthcare. “The expertise and experience of law enforcement agencies such as the FBI’s cybercrime division or the Health and Human Services’ inspector general can also shed considerable light on other ways through which criminal organizations use stolen medical data to commit fraud,” he wrote.

The feds have actually started to act. On July 26, President Obama enumerated a policy that, for the first time, specifies how the federal government should respond to major breaches. It was not specific to healthcare, though the White House named a threat to public health as one criterion for declaring a breach a “significant cyber incident.”

Still, it is a reactive policy, not a proactive one that seeks to head off cybersecurity incidents.

Photo: Flickr user Nick Carter