Another day, another breach. Target, Home Depot, Sony, and now Anthem (formerly WellPoint). But the last one is quite different: It’s potentially the largest known HIPAA-related breach in history.
When Target and Home Depot were breached, the intruders made off with credit card information. Thanks to 1974’s Fair Credit Billing Act you can refuse to pay for anything fraudulently charged to your credit card. Because of this Amex, Visa, et al. have robust anti-fraud mechanisms and they can always just nuke the old number from orbit and issue you a new card. It’s a hassle but that little provision — you are only liable for what you actually bought and not what a thief charges — firewalls your identity and keeps you safe.
When Sony was breached, the intruders made off with copyrighted works, proprietary compensation data, and email logs. There was financial loss to the corporation and some embarrassment of the executives, but mainly the people who got hurt were the rank-and-file who used their corporate email for private matters. Quite unfortunate but we can at least learn from it and keep our personal communications out of our work email.
But when Anthem was breached, the intruders were after the keys to the kingdom: Name, Address, Phone, Email, Medical Insurance Number, Social Security Number, Compensation Data, etc. Even though there is a stringent Federal Law regulating the handling of personal health information (‘PHI’ which includes all of the above items), it does nothing to firewall your identity. There are few steps you can take on your own to keep yourself safe from something like this. The worst part is, this is only unique in scope. PHI breaches happen all the time.
The First Rule of PHI Club
The law protecting your health information is the Health Insurance Portability and Accountability Act of 1996 (subsequently amended in 2009 and 2013). HIPAA (‘hip-PAH’) is a broad law that increased the accessibility of healthcare in the US by making it easier to change insurers (Title I) and stipulating certain data interchange standards (Title II). It’s in Title II, among the rules instantiating NPI, specifying EDI transactions, and requiring CPT/ICD codes, that we finally find the two rules for which HIPAA is now primarily known.
If you’ve gone to a medical office in the last few years you’ve almost certainly been asked to sign a HIPAA form — This is The Privacy Rule. Insurers, Providers, and Business Associates (i.e., vendors selling software and services to Insurers and Providers) are all compelled by it to only share your information when necessary to provide care. They must also notify you of that sharing, hence the forms. For example: Your doctor can tell your insurer that you’re HIV+ to justify antiretroviral medication, but if your prospective landlord calls because he’s doing some kind of creepy background check they have to turn him away.
The Privacy Rule is all about doing the right thing (i.e., not telling the creepy landlord anything) and so it gets a lot of attention. The Security Rule is a different animal and it’s often misunderstood. Let’s start by quoting the Health and Human Services summary:
The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.
Specifically, covered entities must:
Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
Identify and protect against reasonably anticipated threats to the security or integrity of the information;
Protect against reasonably anticipated, impermissible uses or disclosures; and
Ensure compliance by their workforce.
There’s much more than quoted here, but notice that the concept of taking ‘Reasonable’ measures appears three times. Now read this from Anthem’s CEO, Joseph R. Swedish, on the attack:
Safeguarding your personal, financial and medical information is one of our top priorities, and because of that, we have state-of-the-art information security systems to protect your data. However, despite our efforts, Anthem was the target of a very sophisticated external cyber attack.
We’ll have to see how it shakes out with the HHS Office of Civil Rights (the regulators who enforce HIPAA) and Anthem’s lawyers, but if Swedish’s statement is accurate then Anthem could plausibly face little to no penalty for the breach. Maintaining reasonable IT security measures grants them ‘Safe Harbor’ in the parlance of regulators. This actually makes sense because dedicated attackers are incredibly difficult to completely stop.
Which brings me to my thesis: When a dedicated attacker comes knocking, HIPAA won’t protect you… but it could.
Risks and Rewards
Allow me to use another type of crime to illustrate my point. Willie Sutton is famously (mis)quoted as robbing banks “because that’s where the money is.” Yet modern bank robbery is uncommon because it’s simultaneously more difficult and less valuable. There are many reasons (including silent alarms and SWAT teams) but three are most interesting for our purposes:
Dye packs render stolen money un-spendable
Inflation has made cash 24X less valuable than 100 years ago
Modern Banking is largely electronic so branches have less cash-on-hand
The problem with HIPAA’s Security Rule is that it does nothing to decrease the value of breaching PHI. If anything, the irreplaceable nature of your identity-related data just makes big data stores more appealing. Sure, Anthem gave everyone 90 days of credit monitoring but that just means the attackers have to wait before they impersonate you. It’s not like you can call Uncle Sam and ask for a new SSN.
Why did Anthem have Social Security Numbers for their customers anyway? Because, in its ever-expanding role as a de facto national ID number, it’s also become a de facto Master Patient Index (MPI). In the world of Healthcare IT, a true MPI helps associate the x-rays of the broken arm to Mary Smith (8yo), the x-rays of a broken hip to Mary Smith (88yo), and not vice-versa. But MPIs usually only exist within a single provider organization or network. What happens if the Radiologist is associated with the hospital and the Referring Physician is an independent family physician? Or if the patients don’t have the right health insurance information with them on the day of the visit? Absent another way to uniquely identify patients to each other and to the insurer, they just use the SSN and call it a day.
Provider organizations have another reason for recording your SSN: Collecting on Medical Debt. Not everyone will be delinquent, but they don’t know who will be so they collect a banking identity sufficient to send a debt to collections (or open a new credit card…) from everyone. After all, breach penalties are in-for-a-penny, in-for-a-pound so they might as well have as much on file as possible. The problem is that this presents a huge risk to you for what is a relatively small average payout. Here are the particulars about medical debt in the US today:
The average bill is $579
Recouping cash in the ballpark of $4B does seem like big money, but in the context of spending that reached $3.8 Trillion in 2013, it’s pretty small. And the exposure risk affects all consumers, not just the delinquents. This is health insurance related so we can talk about the costs and benefits of pooling risk, right? Well, average those collections across every American at risk and the benefit is only $12.25 per person.
Seizing HIPAA’s Missed Opportunity
The missed opportunity for HIPAA and its amendments was to go the extra step and create a separate Medical Billing Number for each American while outlawing the use of Banking Identities in Healthcare EDI. The MBN could have been specific to healthcare and replaceable by HHS in the case of a breach. This would have contained identity theft, letting you halt the damage once a theft was discovered. It would also dilute the value of stealing either an MBN or an SSN, increasing the security of personal data in the process.
Unfortunately the current climate of Healthcare discussions in Washington is pretty unproductive and we’re unlikely to get anything like this through Congress right now. But there is still a chance to decrease our exposure.
First, the Office of Civil Rights should begin asking during their random HIPAA audits:
Why do Insurers need to store financial information for people covered by employer-sponsored healthcare plans? Why do they need to store any banking information from anyone at all, other than a credit card?
Why do Providers store banking identities for anyone covered by a qualified insurance plan as mandated by Obamacare? Why do they need to store any financial information except a credit card with a limit in excess of the patient’s deductible?
Also, Anthem can react to this breach by taking a proactive security stance towards their customers’ information:
Create a Standard Patient ID (SPI). Offer to cooperate with other interested payers and providers.
Make it possible to nuke-and-replace breached SPIs in the future.
Publicly divest themselves of their customers’ banking identities.
Accept only provider claims addressing the SPI.
Deny any and all provider claims with banking identity information present.
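As an added example (not the author’s or Anthem’s code), here is what the last four items could look like on a payer’s claims-intake side: an SPI registry that can retire and reissue a breached identifier, and a gate that denies any claim carrying an SSN or other banking identity and accepts only claims addressed to a currently active SPI. The SPI format, field names and sample claims are constructed assumptions.

```python
import re
import secrets
from dataclasses import dataclass, field

# Constructed example. Field names, SPI format and claim layout are assumptions;
# a real clearinghouse would validate against the X12 837 schema instead.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
BANKING_FIELDS = {"ssn", "social_security_number", "bank_account", "routing_number"}


@dataclass
class SpiRegistry:
    # active SPI -> internal member key. Retired SPIs are remembered so a stale
    # claim can be rejected with a reason the provider can act on.
    active: dict = field(default_factory=dict)
    retired: set = field(default_factory=set)

    def issue(self, member_key: str) -> str:
        spi = "SPI-" + secrets.token_hex(8).upper()  # random, carries no PII
        self.active[spi] = member_key
        return spi

    def replace(self, old_spi: str) -> str:
        """Nuke-and-replace: retire a breached SPI, issue a fresh one to the same member."""
        member_key = self.active.pop(old_spi)
        self.retired.add(old_spi)
        return self.issue(member_key)

    def screen_claim(self, claim: dict) -> tuple:
        """Return (accepted, reason). Banking identities are denied outright,
        whether by field name or by an SSN-shaped value in any field."""
        for key, value in claim.items():
            if key.lower() in BANKING_FIELDS or (isinstance(value, str) and SSN_RE.match(value)):
                return False, f"banking identity present in field '{key}'"
        spi = claim.get("spi")
        if spi in self.active:
            return True, "accepted"
        if spi in self.retired:
            return False, "SPI retired; resubmit with replacement"
        return False, "no active SPI on claim"


if __name__ == "__main__":
    reg = SpiRegistry()
    spi = reg.issue("member-001")
    print(reg.screen_claim({"spi": spi, "cpt": "99213", "amount": 579.00}))
    print(reg.screen_claim({"spi": spi, "ssn": "123-45-6789"}))
    new_spi = reg.replace(spi)  # breach response: old SPI is now useless
    print(reg.screen_claim({"spi": spi, "cpt": "99213"}))
    print(reg.screen_claim({"spi": new_spi, "cpt": "99213"}))
```

Because the SPI is random and replaceable, the stolen copy loses its value the moment it is retired, which is the property an SSN can never have.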
It’s already well-understood within the industry that working with PHI presents substantial risk. And Healthcare IT leadership consistently delivers sophisticated security solutions to make it difficult for intruders to access sensitive information. All that remains is for them to recognize that the ultimate security is to never have the data at all.