Cyberspace is the new “Wild West,” according to President Obama, but the government can’t be the only sheriff in town. President Obama addressed these remarks to a crowd of tech industry leaders at a White House cybersecurity summit last week. He also signed an executive order on February 13, outlining a path for Congress to implement a national standard for responding to cyber attacks. Obama wants companies to notify their customers within 30 days if customer information has been compromised, and he wants the private sector to work with the government in responding to data breaches.

The President’s action comes after the high-profile attack on Anthem, the nation’s second-largest health insurer. The Anthem hack exposed the personal information of about 80 million customers. Hackers accessed personal information, like names, birthdays, addresses, and social security numbers, but there’s been no indication that health data was compromised. The incident highlighted the healthcare industry’s vulnerability to cyber attacks – something the FBI warned healthcare providers about last year. The FBI pointed out that healthcare providers’ cybersecurity systems were “lax” compared to those of other industries.

However, the healthcare industry, until now, has had fewer incentives to secure data than the retail or banking sectors. The Anthem hack made headlines, but retail breaches, like those at Target and Home Depot, have been covered more extensively than healthcare breaches. According to the Department of Health and Human Services, there have been 17 healthcare breaches affecting 500 or more people just since October 1, 2014. Yet, customers whose healthcare data has been compromised have few options. If a social security number has been illegally accessed, a customer can’t simply get a new one, as would be the case with a compromised credit card number. People covered by work or government insurance plans may not be able to change insurance providers, and people who are able to change insurance plans could be forced to find new providers or medical centers to comply with a new plan. Additionally, the Health Insurance Portability and Accountability Act (HIPAA), while intended to protect patient data, does not levy significant penalties on healthcare providers for neglecting to secure information.

The Anthem hack has made it clear that the stakes are high for securing customer information. The private sector may be wary of working with the government on a privacy initiative, but collaboration may be necessary in changing the healthcare industry’s vulnerable status quo.

Elizabeth Mulkey
