Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Does Federal Health Data Warehouse Pose Privacy Risk?

Posted on June 23, 2015 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Not too long ago, few consumers were aware of the threat data thieves posed to their privacy, and far fewer had even an inkling of how vulnerable many large commercial databases would turn out to be.

But as consumer health data has gone digital — and average people have become more aware of the extent to which data breaches can affect their lives — they’ve grown more worried, and for good reason. As a series of spectacular data breaches within health plans has illustrated, both their medical and personal data might be at risk, with potentially devastating consequences if that data gets into the wrong hands.

Considering that these concerns are not only common, but pretty valid, federal authorities who have collected information on millions of insurance customers need to be sure that they’re above reproach. Unfortunately, this doesn’t seem to be the case.

According to an Associated Press story, the administration is storing all of the data in a perpetual central repository known as MIDAS. MIDAS data includes a lot of sensitive information, including Social Security numbers, birth dates, addresses and financial accounts.  If stolen, this data could provide a springboard for countless case of identity or even medical identity theft, both of which have emerged as perhaps the iconic crimes of 21st century life.

Both the immensity of the database and a failure to plan for destruction of old records are raising the hackles of privacy advocates. They definitely aren’t comfortable with the ten-year storage period recommended by the National Archives.

An Obama Administration rep told the AP that MIDAS meets or exceeds federal security and privacy standards, by which I assume he largely meant HIPAA regs. But it’s reasonable to wonder how long the federal government can protect its massive data store, particularly if commercial entities like Anthem — who arguably have more to lose — can’t protect their beneficiaries’ data from break-ins. True, MIDAS is also operated by a private concern, government technology contractor CACI, but the workflow has to impacted by the fact that CMS owns the data.

Meanwhile, growing privacy breach questions are driven by reasonable concerns, especially those outlined by the GAO, which noted last year that MIDAS went live without an in-depth assessment of privacy risks posed by the system.

Another key point made by the AP report (which did a very good job on this topic, by the way, somewhat to my surprise) is that MIDAS’ mission has evolved from a facility for running analytics on the data to a central clearinghouse for data sharing between CMS and health insurance companies and state Medicaid organizations. And we all know that with mission creep can come feature creep; with feature creep comes greater and greater potential for security holes that are passed over and left to be found by intruders.

Now, private healthcare organizations will still be managing the bulk of consumer medical data for the near future. And they have many vulnerabilities that are left unpatched, as recent events have emphasized. But in the near term, it seems like a good idea to hold the federal government’s feet to the fire. The last thing we need is a giant loss of consumer confidence generated by a giant government data exposure.

Were Anthem, CHS Cyber Security Breaches Due to Negligence?

Posted on February 19, 2015 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Not long ago, health insurance giant Anthem suffered a security breach of historic proportions, one which exposed personal data on as many as 80 million current and former customers. While Anthem is taking steps to repair the public relations damage, it’s beginning to look like even its $100 million cyber security insurance policy is ludicrously inadequate to address what could be an $8B to $16B problem. (That’s assuming, as many cyber security pros do, that it costs $100 to $200 per customer exposed to restore normalcy.)

But the full extent of the healthcare industry hack may be even greater than that. As information begins to filter out about what happens, a Forbes report suggests that the cyber security intrusion at Anthem may be linked to another security breach — exposing 4.5 million records — that took place less than six months months ago at Community Health Systems:

Analysis of open source information on the cybercriminal infrastructure likely used to siphon 80 million Social Security numbers and other sensitive data from health insurance giant Anthem suggests the attackers may have first gained a foothold in April 2014, nine months before the company says it discovered the intrusion. Brian KrebsAnthem Breach May Have Started in April, 2014

Class action suits against CHS were filed last August, alleging negligence by the hospital giant. Anthem also faces class action suits alleging security negligence in Indiana, California, Alabama and Georgia. But the damage to both companies’ image has already been done, damage that can’t be repaired by even the most favorable legal outcome. (In fact, the longer these cases linger in court, the more time the public has to permanently brand the defendants as having been irresponsible.)

What makes these exploits particularly unfortunate is that they may have been quite preventable. Security experts say Anthem, along with CHS, may well have been hit by a well-known and frequently leveraged vulnerability in the OpenSSL cryptographic software library known as the Heartbleed Bug. A fix for Heartbleed, which was introduced in 2011, has been available since April of last year. Though outside experts haven’t drawn final conclusions, many have surmised that neither Anthem nor CHS made the necessary fix which would  have protected them against Heartbleed.

Both companies have released defensive statements contending that these security breaches were due to tremendously sophisticated attacks — something they’d have to do even if a third-grade script kiddie hacked their infrastructure. But the truth is, note security analysts, the attacks almost certainly succeeded because of a serious lack of internal controls.

By gaining admin credentials to the database there was nothing ‒ including encryption ‒ to stop the attack. The only thing that did stop it was a lucky administrator who happened to be paying attention at the right time. Ken Westin – Senior Security Analyst at Tripwire

As much these companies would like to convince us that the cyber security breaches weren’t really their fault — that they were victims of exotic hacker gods with otherworldly skills — the bottom line is that this doesn’t seem to be true.

If Anthem and CHS going to point fingers rather than stiffen up their cyber security protocols, I’d advise that they a) buy a lot more security breach insurance and b) hire a new PR firm.  What they’re doing obviously isn’t working.