So if the crooks already have our identities, why are we spending huge sums to “protect” what already vanished? Are we, like the proverbial farmer, locking the barn door after a thief stole our horse?
Before answering these questions, we should examine some contributing factors. First, there is a general societal trend focusing on transparency, public access and social media presence mandating widespread data sharing. At their core, these societal forces are intrinsically and philosophically opposed to strict security, identity protection and privacy.
Second, security in a digital world by definition focuses on IT. Today we create, manage, transmit, store, secure – and steal – almost everything of value electronically. Therefore, it is virtually impossible to discuss security in any setting without involving IT. In our modern world, one or two sovereign and personal numbers identify us, e.g., one’s Social Security Number (SSN) and one’s data of birth. Cyber criminals find this information particularly valuable because it uniquely identifies so many of us.
Third, just as it is in all other industries, the primary value in stolen health IT data is financial – but health care adds some unique variables: an almost universal scope of individuals, an exponentially growing volume of available data, and a rapidly growing number of daily transactions involving a staggering amount of money. This information “goldmine” tempts not just disgruntled employees and those who otherwise simply cannot afford the high cost of health care, but those taking advantage of the system to amass significant financial gain.
Fourth, in addition to financial value, health data has political value – particularly in the court of public opinion. Leaking information on a public servant’s past treatment for mental illness, drug addiction or alcoholism, for example, can severely damage or end a career. Taken to a logical extreme, it can potentially change or at least steer the future. Health identity theft can also cause social, family, economic or cultural harm. Consider the adverse impact of disseminating information on a specific disease or condition, such as AIDS, Ebola or MERS.
Fifth, there is a potential health risk to individuals. Suppose the identity stolen is of a young person in good health – for example, my 20-year old son was a victim of identity theft in the Anthem breach. The thief uses the stolen information to obtain medical services – an elective surgical procedure, for example. As part of that care, the provider assesses the thief’s blood type (because there may be a need for a blood transfusion) and the provider records the type in the medical record. The thief has the procedure and the identity theft victim’s insurance covers the cost. Now some months or even years later (and assuming the victim failed to monitor inappropriate insurance claims) the identity theft victim enters the hospital, his medical record falsely informs the care provider of the patient’s blood type, the provider orders a mismatched transfusion and the patient risks a fatal reaction. Such a scenario could be disastrous for the patient. And the potential liability to caregivers is correspondingly significant. 1
Finally, a central tenet of IT security is protecting information systems against unauthorized access. We currently invest significant dollar amounts on breach prevention, yet the numbers reveal this protection as an illusion. We live in a post-secure world. Maintaining this security illusion does not provide a solution for data breach problems nor does it help us remediate or recover from already evident theft. One could easily argue that we are wasting money on ineffective prevention. Instead of focusing so much on prevention, we should spend more of our limited resources helping reduce the theft’s impact.
When prevention hardly works, establishing ineffective prevention protections, creating and running compliance-monitoring entities, and monitoring providers and payers are especially troubling. While we must punish cyber criminals, it is critical to focus our efforts on protecting and helping victims. This makes far more sense than continuing to pay exorbitant amounts for theft prevention, when the data is as good as stolen. A mechanism like the Health Insurance Portability and Accountability Act (HIPAA) does little for us. It is fundamentally about privacy, not security. While it does address part of the problem by penalizing organizations responsible for inadequately protecting data, we often fail to fully understand that it does not necessarily penalize the many perpetrators who actually committed the crime. 2 Of course, remedying this oversight means swallowing an uncomfortable truth, accepting the sanctity of our privacy, security, and identity as illusions.
We could focus on and invest in improved remediation. As an example, we all too often offer remedies that are nowhere near enough. As an “apology” we frequently provide insufficient free credit monitoring for one to two years. What about 5, 10 or 15 years from now? And what about the non-financial impact – like preventing life-threatening health events as in the earlier example of a mismatched blood transfusion and ensuing reaction?
We are not suggesting discarding prevention efforts entirely. However, in this post-secure world other perspectives are necessary. Philosopher R. H. Blyth put it best: “perfection means not perfect actions in a perfect world, but appropriate actions in an imperfect one.” 3
In other words, we cannot entirely (or perhaps even partially) prevent data breaches and ensuing identity theft.
Whatever level of pre-theft protection we employ is at best a deterrent for the alienated novice, but not the experienced hacker, e.g., organized crime or nation states like China. Posturing and reassurances sound good in the sales brochure, but those are empty promises. Likewise, complicated and expensive prevention regulations and the corresponding cost of understanding and implementing them take valuable resources away from actually solving the problem. So what is appropriate? What is possible? Making the theft less meaningful, reducing the impact on victims, and focusing our resources and energy where they are most needed and of greatest benefit.
Penalizing slow detection, as opposed to disclosure time, could incentivize organizations to proactively engage their customers in faster remediation activities like credit reporting. Compliance audits might force organizations to financially reimburse their customers for the services rendered (e.g., inappropriate charges incurred due to stolen identity) in a timely and non-confrontational manner. Any option we choose is fraught with risk and varying degrees of effectiveness. But focusing on how any option manages the balance between confidentiality, integrity and availability is a good way to evaluate alternatives.
In summary, we must begin by asking what we really want and what we really need, instead of implementing stopgap measures that are merely illusions on top of illusions. We should focus on safeguarding everyone, since we should assume we are all identity theft victims. And if privacy and security are really our concerns, we could enforce lifetime financial and medical identity “credit” monitoring as the responsibility of those who failed to secure that identity and anyone convicted of the theft. As a corollary to the idea of affordable health care, we should act with intent by automatically providing every person with the means to monitor their privacy, security, and identity, and never assume that those who can afford those services or those that are victims are the only ones worth protecting.
Is prevention worthwhile for health IT security? Certainly. It is extremely important. But remediation is a greater goal given prevention does not really work. Furthermore, remediation will help us achieve the triple aim of improving care quality, lowering cost and increasing patient satisfaction. So instead of blindly wasting massive expenditures locking the barn door to protect a stolen horse, let’s shift some of that investment into one more dimension of helping change quality of life for health care recipients, for the better.
- Dolan, Pamela L., August 6, 2012. Medical ID theft: Double danger for doctors. American Medical News (website. Retrieved from: http://www.amednews.com/article/20120806/business/308069950/4/ ↩
- Gellman, Robert, October 2006. Crimes and Sanctions: Current Controversies over HIPAA’s Criminal Penalty. Journal of the American Health Information Management Association (AHIMA), Volume 77, Number 9 ↩
- Blyth, R. H., Zen and Zen Classics: From the Upanishads to Huineng. The Kokuseido Press, Tokyo, and Charles E. Tuttle Co., Inc., Rutland, Vermont. 1960 ↩
Tags: cyberattack, cybersecurity, health identity theft, HIPAA, HIT, identity theft victims, personal health information, security breach, theft prevention, theft prevention costs. Bookmark the permalink.