Standards body releases e-health hack calculator

Faced with the reality that health care data breach legislation is unlikely to emerge, the American National Standards Institute on Monday set forth a financial reason for providers to protect their patients' online privacy.

The cost of patient data losses during the past year ranged between $8,000 and $300,000 per health care organization, mostly due to credit or identity theft monitoring and forensic and legal fees, according to a new report from the standards body.

A December 2011 study by Ponemon Institute LLC found that 96 percent of health care providers had suffered at least one breach during the past two years.

There is growing consensus that current health care privacy legislation is inadequate for safeguarding patient data on the Internet. The Obama administration has set rules to cover gaps in the 1996 Health Insurance Portability and Accountability Act that address the improper reuse of data by medical business partners, and the economic stimulus package also added e-health care protections.

According to the ANSI study, the complexity of these regulations is partly to blame for a lack of compliance. In addition, privacy activists note that the new rules cover only the contractors of doctors and health plans and not commercial online health records, Internet companies and app developers.

Data breach protections for personal health information are not in either the Democratic or Republican versions of pending comprehensive cybersecurity reforms.

"Moving legislation through Congress in this area is probably going to be pretty difficult," said Larry Clinton, president of Internet Security Alliance, a trade group that partnered with ANSI on the report. He said a sophisticated cost analysis of a breach scaled to the size of a provider's practice might be a better motivator to improve health care security.

When asked to name the most significant barriers to maintaining the privacy and security of patient information, 59 percent of the more than 100 health care industry participants who responded to the ANSI study cited a lack of funding.

"The regulated industry felt that the laws were so complex that they were impossible to comply with," said James C. Pyles, a Washington health care lawyer and lobbyist who helped lead the study. The regulations "are not preserving the public's trust and not giving the industry a fair shake."

In reaction to federal and state laws, one respondent said, "we do not have the employee resources or the funds to deal with additional federal regulations."

The federal government is shoveling more than $25 billion into incentives for the health care industry to adopt digital medical records.

In medical identity theft, scammers steal either physician identification numbers or patient ID information to fraudulently bill for medical services. ANSI provided the example of a clerk in a Florida medical clinic who lifted the medical IDs of 1,100 patients and then sold them to others, triggering $2.8 million in false Medicare claims.

Just last fall, federal contractor Science Applications International Corp. admitted to exposing the health care records of 4.9 million Military Health Care System beneficiaries when computer tapes were stolen from an SAIC employee's car.
