Standards body releases e-health hack calculator

Faced with the reality that health care data breach legislation is unlikely to emerge, the American National Standards Institute on Monday set forth a financial reason for providers to protect their patients' online privacy.

The cost of patient data losses during the past year ranged between $8,000 and $300,000 per health care organization, mostly due to credit or identity theft monitoring and forensic and legal fees, according to a new report from the standards body.

A December 2011 study by Ponemon Institute LLC found that 96 percent of health care providers had suffered at least one breach during the past two years.

There is growing consensus that current health care privacy legislation is inadequate for safeguarding patient data on the Internet. The Obama administration has set rules to cover gaps in the 1996 Health Insurance Portability and Accountability Act that address the improper reuse of data by medical business partners, and the economic stimulus package also added e-health care protections.

According to the ANSI study, the complexity of these regulations is partly to blame for a lack of compliance. In addition, privacy activists note that the new rules cover only the contractors of doctors and health plans and not commercial online health records, Internet companies and app developers.

Data breach protections for personal health information are not in either the Democratic or Republican versions of pending comprehensive cybersecurity reforms.

"Moving legislation through Congress in this area is probably going to be pretty difficult," said Larry Clinton, president of Internet Security Alliance, a trade group that partnered with ANSI on the report. He said a sophisticated cost analysis of a breach scaled to the size of a provider's practice might be a better motivator to improve health care security.

When asked to name the most significant barriers to maintaining the privacy and security of patient information, 59 percent of the more than 100 health care industry participants who responded to the ANSI study cited a lack of funding.

"The regulated industry felt that the laws were so complex that they were impossible to comply with," said James C. Pyles, a Washington health care lawyer and lobbyist who helped lead the study. The regulations "are not preserving the public's trust and not giving the industry a fair shake."

In reaction to federal and state laws, one respondent said, "we do not have the employee resources or the funds to deal with additional federal regulations."

The federal government is shoveling more than $25 billion into incentives for the health care industry to adopt digital medical records.

In medical identity theft, scammers steal either physician identification numbers or patient ID information to fraudulently bill for medical services. ANSI provided the example of a clerk in a Florida medical clinic who lifted the medical IDs of 1,100 patients and then sold them to others, triggering $2.8 million in false Medicare claims.

Just last fall, Science Applications International Corp., a federal contractor, admitted to exposing the health care records of 4.9 million Military Health Care System beneficiaries when computer tapes were stolen from an SAIC employee's car.
