There’s not enough incentive to keep health care data safe

The grim message following a breach that has endangered sensitive data belonging to 80 million current and former Anthem health insurance customers is that we can only expect more — and potentially larger — health care data breaches in the future.

The Anthem data breach, first detected on Jan. 27 — the largest in the history of the health care industry — fits a clear trend. In 2008, the U.S. Department of Health and Human Services recorded 13 breaches involving data belonging to 500 or more patients. By 2013, the number grew to 256, according to a Brookings Institution analysis of a list of health care data breaches the federal government is required to maintain. The number of people affected by such breaches — from thefts of individual laptops and servers to sophisticated database hacks — rose from about 500,000 in 2008 to 9 million six years later.

Customer data will always be vulnerable to breaches since hackers inevitably find ways around even the most stringent security controls. But maximum security is critical; the institutions entrusted with storing our data have a responsibility to protect it.

Companies operating in competitive markets have an incentive to employ the most stringent controls as a way of building customer trust. They could lose their customers following a breach. After Target revealed in December 2013 that 40 million of its customer accounts had been hacked, the retail giant saw a drop-off in business.

But customers can’t make those switches as easily in health care, dulling the incentive for insurers and health care providers to make it a priority to keep customer data safe. Anthem, for example, didn’t encrypt Social Security numbers and other customer data that hackers managed to breach. While encryption wouldn’t have prevented a breach on its own, it’s one security protocol of many that companies such as Anthem can employ to shield sensitive data.

About half of Americans have health insurance through their employers, and the employer or benefits manager chooses the insurer, not the individual. In states’ individual insurance markets, there’s often a limited number of insurers to choose from. If a breach is revealed after patients have signed up for insurance, they’ll generally have to wait for the next open-enrollment period to switch insurers. And when it comes to health care providers, there often aren’t many close-by options.

This setup traditionally put health insurers in a position in which the constituencies they appealed to were insurance brokers and human resources directors rather than consumers.

In the absence of a market incentive to employ maximum security, there’s also little regulatory incentive. Under HIPAA, the federal law that governs patient privacy, the maximum fine for willful negligence with sensitive data is $1.5 million — a tiny fraction of Anthem’s $2.5 billion profit in 2014. (HIPAA also doesn’t require data encryption. It “strongly encourages” it and requires companies that don’t encrypt to explain why and use an equivalent alternative.)

Fortunately, health insurers are gradually experiencing a greater market incentive to build trust with consumers directly. Through the Affordable Care Act, as Anthem CEO Joseph Swedish has pointed out, consumers are more often directly choosing insurers through healthcare.gov and state-run insurance exchanges. In Maine, about 80 percent of people buying insurance through healthcare.gov for 2014 chose Lewiston-based Maine Community Health Options over Anthem.

Much of the security of our personal data depends on businesses implementing proper and common-sense protocols to protect their databases. But states and the federal government can’t rely on market incentives alone to compel the best data security practices.

The federal government, currently at a standstill when it comes to addressing cybersecurity, could start with progressively stiffer fines depending on the size of health care data breaches. Governments can take enforcement of breach notification laws seriously — as many have. They can also start plotting out the most effective security practices and requiring companies in heavily regulated industries — think health care and utilities — to comply.

Hackers’ abilities will continue to evolve. So should cybersecurity laws.

——————————————————