Anthem Hack and Physician Practices

I will concede that the Chinese Army is not plotting to hack the database of your physician practice which contains thousands of records versus the tens of millions at Anthem. But hackers and thieves read the newspapers, well, actually more likely they read social media, and they get the idea that there is gold in healthcare databases. There is now a growing awareness of something I blogged about months ago, healthcare data is more valuable than credit card data. Not only that it is easier to steal.

Healthcare data (PHI) is poorly protected at the large institutions such as Anthem and the situation is even worse at small clinics and physician practices. Due to lack of enforcement of HIPAA rules they have fallen asleep at the wheel and are heading for a crash. Recent studies have shown that two thirds of clinics and practices who applied for meaningful use funding didn’t even do a true HIPAA risk assessment let alone start the remediation process called for in Core Measure 15. If hacked they may not ever notice unless a patient complains and that would take a long time to surface. Meantime the hacker has sold the data on the black market and moved on.

But what if the thief is not a hacker? As I reported earlier there are websites where the thief can hire a hacker to do the dirty work for them with no questions asked. As thin as the securiy walls are at most small clinics and practices it won’t take a genius to breach those walls.

How do you know if you are safe? The gold standard is a recent HIPAA risk assessment administered to meet the NIST standards. Typically this will involve the use of an SCAP scanner to evaluate the security of your computers and then another set of questions concerning privacy and security. If you don’t have a recent HIPAA risk assessment meeting the NIST standards you are definitely at risk not only for someone to hack your database but you are also at risk of qualifying for “willful neglect”. Willful neglect put simply means that you knew or should have known what you needed to do to protect PHI but you chose not to do it. Willful neglect can trigger fines of up to $1.5 million per incident.

In my next blog I will talk abou what is already happening to Anthem, class action lawsuits.