More on the Anthem Hack, and "What It Means":
I've posted several posts
on the Anthem hack, and I'm not the only one. AHLA sent out an email to its HIT and payers, plans and managed care practice groups explaining the hack and the class-action lawsuits already filed. More news is out today, from experts who think 2015 will be "the year of the healthcare hack
." Maybe, maybe not, but the news does bring a few additional issues to mind:
First, as the AHLA email points out, the initial lawsuits and some of the initial reporting point to the lack of encryption as a big factor. Some have indicated that the Anthem hack may cause HHS to harden the encryption requirement of the Security Rule (as you know, encryption is not a required element, only an addressable one, and HIPAA covered entities are free to forego encryption if they reasonably determine it's not right for them). However, the hackers apparently got user credentials; even if the data had been encrypted, the hackers could have used the credentials to de-crypt the data. The fact that encryption would've been irrelevant probably won't stop those claiming encryption should become required, but it's worth considering.
Secondly, some of the reporting is highlighting the "monetization" issue, which I've always seen as the issue. The hackers probably don't want the data because they're going to use the data; they want it so they can sell it to someone else who will use it for identity theft. If that's the case, there is a multi-tier market, which could be good or bad: as the data changes hands, it's harder and harder to catch the initial culprit; on the other hand, if there are several steps between the point of theft and the point of use, there are several opportunities to put systems or safeguards in place to catch the actors and/or prevent the improper use. In other words, you might not be able to stop the thief, but if you can stop the purchaser from using the stolen data, the criminal enterprise falls apart. Something to consider.
Another issue I hadn't thought about previously: not only can the stolen medical identity be used to obtain needed healthcare services (an impostor uses the stolen identity to directly receive needed healthcare services), the stolen identity could also be used to obtain unnecessary services. I can think of two examples: a stolen identity could be used to obtain Oxycontin or other prescription drugs that could then be resold, or could be used to bill for services that are not actually provided. In both cases healthcare providers would be required to be part of the scam, either unwillingly (a convincing doctor-shopping patient gets painkiller prescriptions) or willingly (a doctor bills for services not provided), but that's not inconceivable. My previous thoughts focused on the receipt of actual, needed services, in which case the value proposition is harder to see (you need an ultimate purchaser of the stolen identity who currently needs healthcare services); however, that's not the case, since you could get prescription drugs to sell on the black market. I hadn't considered that.
Finally, I had recently heard that while social security or credit card numbers don't bring much more than a couple of dollars each on the black market anymore, a stolen medical identity might be worth $50. In today's news from Reuters, it seems that a stolen medical identity is now worth only $20. These aren't hard and fast numbers, but still, that's a pretty big devaluation. Maybe the supply of medical identities (and concommitantly, the amount of hacking) is growing so fast the price is dropping; maybe hacker buyers are determining that medical identities aren't all that valuable; or maybe there's really not that big a market of buyers out there after all. I have no idea, but it's worth considering.
Blogger: HIPAA Blog - Edit your Template