A new report by the Brookings Institution predicts a wave of HIPAA data breaches in 2015, claims that the healthcare industry is particularly vulnerable to attack and that there is a lack of consequences for healthcare providers that violate HIPAA Rules.
The report suggests that if breaches are to be avoided, healthcare providers, health plans, clearing houses and business associates must invest more heavily in IT security and must be further incentivized to make changes to improve privacy and security standards.
The Brookings Institution was founded in 1916 following the formation of the Institute for Government Research (IGR), and was the first organization devoted to analyzing public policy issues at the national level. The organization has produced numerous influential proposals for Congress, homeland security and a number of intelligence operations, and has helped shape debates and influence national policies.
The latest report focuses on data security in the healthcare industry, and the timing of its release couldn’t be more appropriate: it came in the week that followed the successful hacking of the nation’s second largest health insurer, which caused the largest ever exposure of healthcare data, with up to 80 million past and present policy holders potentially affected.
Brookings analyzed data breaches which had been reported to the Department of Health and Human Services’ Office for Civil Rights since 2008. The report indicates that HIPAA breaches have increased by 1800 percent since 2008, when the annual breach count was just 13. In 2013, the OCR received 256 reports of data breaches that had potentially exposed the records of more than 500 individuals.
In 2008, the total number of victims from the HIPAA breaches was approximately 500,000, yet in just six years that figure has risen to almost 9 million individuals. Healthcare providers have recorded the highest number of data breaches, followed by business associates, health plans and healthcare clearing houses.
Numerous Major HIPAA Breaches Predicted for 2015
HIPAA legislation has increased the standards of data security in the healthcare industry and has made it more difficult for hackers to steal healthcare data, but it is not possible to eliminate the risk entirely. Many organizations have struggled with bringing their IT infrastructure up to date and ensuring full compliance. The report suggests that there has been little incentive for healthcare organizations to invest heavily in secure IT systems, and this has left the industry particularly prone to cyberattacks.
Patients and health plan members may be shocked or outraged by the theft of their data, yet few would actually take their business elsewhere, as would happen in the case of a retail breach. In the retail industry there is high competition and companies that do not invest in data security stand to lose their customers to competitors.
The Brookings report suggests that in healthcare, where it is not so easy to change services, there is little financial incentive for IT investment. A health plan member cannot easily change health insurer and may be tied to a particular provider via a work health insurance scheme. Changing a doctor after a data breach is similarly unlikely to happen to any great extent.
Without an economic incentive to invest in digital security, such as the threat of losing business, major breaches will continue to occur. With the value of Social Security numbers and personal data so high, the number of attacks on healthcare institutions is only likely to increase.
HIPAA Violation Penalties Must Increase
The costs of a data breach are considerable: an organization must cover the costs of issuing breach notifications and mitigating any damage caused by a breach, but the money often comes from an insurance policy, as many covered entities hold policies that pay the costs of cyberattacks.
The cost of the Anthem data breach may well end up exceeding $100 million, yet the majority of that money will be covered by the insurance policy it holds, and not by Anthem.
The report also puts any fines and costs into perspective, and cites a Wall Street Journal report in which Anthem is quoted as saying it “doesn’t expect the incident to affect its 2015 financial outlook, primarily as a result of normal contingency planning and preparation.”
Class action lawsuits are unlikely to be successful without significant harm caused by the breach, and this can be difficult to establish and measure. Even if the insurer is given the maximum possible fine by the OCR for non-compliance, it would still represent only a minuscule proportion of the $2.5 billion the insurance company generates each year.
According to Brookings’ Niam Yaraghi, “If Anthem were proven guilty of willful neglect, which is very unlikely, it could lose 0.00058 percent of its net income. Anthem makes that much money in one hour and 15 minutes.”
In order for the penalties to act as a major incentive to improve data security they must be sufficiently high to spur covered entities into taking action, and it is essential that HIPAA is policed rigorously to ensure that all data privacy and security rules and guidelines are adopted.