Healthcare.gov users could receive false assurances or false alarms if organizations handling their personal information are hit by hackers and required to notify victims within two days, federal advisers and recent government audits suggest.
Meaningful details typically take weeks for forensics specialists to piece together, based on past cases.
Earlier on Friday, the House approved a measure that would compel the Health and Human Services Department to inform consumers within two business days of discovering a breach of personal data.
Current electronic medical records legislation gives most healthcare-related organizations maintaining personal information up to 60 days to alert victims. A measure promoted by the White House and the Senate Judiciary Committee for years would apply the 60-day rule to all businesses, for cases like the recent Target breach. On Wednesday, Committee Chairman Sen. Patrick Leahy, D-Vt., reintroduced the bill.
As for a two-day deadline to notify HealthCare.gov hack victims, "I do think it's unrealistic," said Deven McGraw, who HHS Secretary Kathleen Sebelius appointed in 2009 to serve on an advisory committee that recommended standards for the exchange of patient medical information.
"Important details such as exactly whose information was involved, what kind of information, etc., typically get uncovered through detailed investigations, which don't begin until after initial hints of a breach are discovered," she said.
An individual immediately warned might turn out to unaffected -- or vice versa, said McGraw, director of the Health Privacy Project at the Center for Democracy and Technology. "To make notification meaningful for consumers, you have to give industry some reasonable period of time to investigate," and in some cases, mitigate the damage.
Certain health care related organizations are exempted from the 60-day rule, if disclosing specifics could harm ongoing investigations.
The new House legislation is expected to stall in the Senate, as have most efforts to rein in Obamacare.
Federal agencies today are required to inform the U.S. Computer Emergency Readiness Team, part of the Homeland Security Department, about cyber events within an hour. But, according to an audit released this week, complete information from most incidents takes days or months to compile. "US-CERT officials stated they can generally do little with the information typically available within 1 hour and that receiving the information at a later time would be just as useful," the Government Accountability Office reported.
For example, after learning in April 2012 that a hacker attacked a contractor’s computer, it took the Federal Retirement Thrift Investment Board more than two months to verify which individuals were affected and then notify the 123,000 federal employee retirement plan participants. An hour after confirming the hack affected personal information, agency officials were still in the process of determining how much information and the extent of the risk, according to the GAO.
Get the Nextgov iPhone app to keep up with government technology news.