How the Affordable Care Act Impacted Cyber Security for HealthCare Providers
The Affordable Care Act, also known as “Obamacare”, came into play in March of 2010. The three primary goals of the Affordable Care Act were:
- Make affordable health insurance more readily available: the law provides consumers with premium tax credits that lower the costs of insurance for households where income is between 100% and 400% of the federal poverty level
- Expand the Medicaid program to cover all adults that have an income below 138% of the federal poverty level
- Support innovative medical care delivery methods that have been designed to lower the costs of healthcare generally across America
The act put the interests of consumers first; however, with its data collection, exchange and storage, it came with a new cyber security risk. The new-found reliance on data that came with Obamacare ultimately increased “the importance and challenge of implementing good information security in healthcare environments.” Unfortunately, however, “information security was largely only viewed as an afterthought” during the rise of healthcare technology.
Medical identity theft can be dangerous on a personal level, while breaches of health information can have serious economic consequences for providers. It is therefore essential for healthcare providers to have proper security in place in order to protect their customers and themselves. A data breach in any industry is hugely expensive: “efforts and expense associated with investigation, forensics, mitigation of damages, lost good will and reputation, billing problems, and the monitoring and untangling of consumer credit” – it all adds up. But within healthcare, compromised data can also contribute to a far more insidious problem: poorer health outcomes.
2017 has seen a number of cyber attacks within healthcare, so it’s no longer a matter of if and when, but rather what does this mean and how do we stop it. Even that is coming years too late. Most recently, US hospitals came under attack from the global ransomware attack in June that affected computers across the globe, demanding that users pay $300 in bitcoin to restore access.
The Ponemon Institute published their Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data and in it stated that in 2016 alone, 65% of represented healthcare organizations experienced electronic-based security incidents. The paper also reported that, as a whole, healthcare providers don’t appear to be very confident in their abilities to detect and respond to security breaches, with just 49% agreeing they have sufficient technologies to effectively prevent or quickly detect breaches.
The Affordable Care Act meant that far more data was being stored digitally, which led to healthcare providers facing a rapidly changing threat landscape. The Ponemon Institute study concluded its findings stating that:
“Healthcare organizations manage a treasure trove of financially lucrative personal information, and health organizations don’t have the technologies to prevent and detect attacks and adequately protect patient data”.
However, healthcare providers are developing their technologies, just not fast enough. And this gives hackers ample opportunity to attack by targeting vulnerabilities.
This all comes down to data, and the need for healthier data. The Affordable Care Act was the motor that got the engine running and exposed the vulnerabilities within the healthcare industry. However, the challenge of information security for healthcare providers was inevitable, with or without the act.
Search Security reports that “the role of information security in healthcare has taken on even more importance because of the Affordable Care Act” as electronic medical record systems were deployed rapidly in order to keep up. While we agree the Affordable Care Act played a role in highlighting vulnerabilities and weaknesses in technology, stronger technology that has been configured with a priority on information security should be at the forefront for healthcare providers, no matter what, in order to protect both the provider and patients.
Healthcare providers deployed technology that lacked basic security controls, which opened the door to hackers and attackers – after all, medical identity theft is a lucrative business, and the lack of security made it an easy one too.
As LexisNexis discusses, risk management is essential to every organization, especially within the healthcare industry. While it may well be impossible to prevent every single incident or data breach, good security management programs can help “build a culture of concern, determine potential exposure, and appropriately manage risk to an acceptable level. This, in turn contributes to better individual and community health outcomes by building patient trust and maintain the integrity of health records.”