Data breaches have grabbed headlines in recent months – and arguably none of them was more shocking than the one that occurred at Anthem, the nation’s second largest health insurer. That breach compromised the Social Security numbers, dates of birth and email addresses of about 80 million current and former Anthem members and employees. That’s the equivalent of the combined population of California, New York, Illinois and Maryland.
In the wake of the highly publicized Anthem and Sony breaches, the Senate Intelligence Committee recently passed the broadly bipartisan Cybersecurity Information Sharing Act (CISA) that would make it easier for private sector companies to share information about cybersecurity threats with government agencies. That bill is expected to be fast-tracked through Congress this spring.
The Center for Strategic and International Studies estimates that the total economic loss associated with cyber-attacks runs as high as $400 billion per year. That’s why Congress will likely act quickly to address the problem. While in committee, CISA received 12 amendments to help safeguard privacy. As the bill moves forward, organizations like the nonprofit Center for Democracy and Technology are calling for Congress to remove consumers’ personally identifiable information – in our world, HIPAA data – before it gets shared with government agencies. With those safeguards in place, it will be a bill worth passing. But legislation alone won’t be a total solution, especially in healthcare.
The shocking truth is that only about 6 percent of healthcare data breaches to date (as reported on the Health and Human Services “Wall of Shame”) are the work of hackers. The other 94 percent are the result of simple human errors and transgressions, usually made by a provider’s own employees or business associates. The miscues run the gamut from snooping into celebrity health files and improperly disposing paper records to losing laptops containing unencrypted patient data. In short, a hospital or health system might congratulate itself on avoiding an Anthem-scale breach, only to get stung by smaller breaches that can still tarnish its reputation and cost millions to remedy.
The minimum regulatory fine for a HIPAA violation involving willful neglect is a staggering $1.5 million per violation – and most data breaches involve multiple HIPAA violations.
The healthcare field lags far behind most other industries in this critical benchmarking process. For example, most large retailers routinely use maturity models to test the efficacy of their supply chain management. The consulting firm Accenture even has a “green” maturity model to assess its IT clients’ environmental and sustainability programs.
Healthcare data breaches come in all varieties, from the gigantic Anthem breach to the Cedars-Sinai snooping incident involving Kim Kardashian. We therefore need better board and C-suite education about what constitutes comprehensive IRM and how to continuously improve it. For years, healthcare organizations have been reactive (“Let’s spot-weld this problem until the next one comes along”). What’s needed is a governance overhaul to ensure that IRM is viewed strategically, where the goal is to make it more robust and mature with each passing year.
By improving information-sharing, the proposed CISA law may help prevent some – but certainly not all – the healthcare data breaches that lie ahead. To make real progress, our board rooms and C-suites need to approach IRM as an organization-wide discipline. Without addressing people and policies, techno-fixes will never be a complete solution.
Bob Chaput, CISSP, HCISPP, CRISC, CIPP/US, is CEO of Clearwater Compliance in Nashville, Tennessee. He has also held EVP and CIO roles at Healthways, GE, and Johnson & Johnson.