DISCLAIMER: This post is not partisan, but rather focuses on risk assessment based on history and what threats we are facing in the future. We do not endorse any healthcare plan style in any way, outside of examining its data security risk.
For many folks, the term ‘Healthcare for All’ brings up an array of emotions ranging from concern to happiness, and with the changes that come with this policy, we’re not surprised. However, beyond the usual arguments on this subject, we wanted to ask the question: Are there any security risks we need to be worried about if the United States were to switch to ‘Healthcare for All’ policies?
To clarify, there are many healthcare for all style plans currently on paper, being fine-tuned in Washington and in the minds of politicians. So, for the purposes of this article, we’re referring to ‘Healthcare for All’ plans that are meant to replace, not supplement, private insurance plans in addition to legislation that prohibits private insurance companies from collecting and/or storing patient data.
‘Healthcare for All’ data security
To start, we’re going to examine the government’s track record of securing patient data. Since we aren’t living in a world where ‘Healthcare for All’ exists in our country, we’ll use data security practices concerning Heatlhcare.gov and the department that runs it, the Centers for Medicare and Medicaid Services (CMS) to get a sense of how well patient data might be secured by government departments.
The Healthcare.gov website had a bumpy start back in October of 2013. Numerous issues resulted only a small percentage of patients being able to sign up with the website in the first week.
In an article posted by the Associated Press, as well as independent investigations by the Electric Frontier Foundation (EFF), it was discovered that healthcare.gov was sending personal data to third parties by putting personal information in data request headers.
Later, In September 2015, the Department of Health and Human services (HHS) inspector general completed a federal audit of CMS and the Healthcare.gov website. Their primary concerns were not about patient information being compromised, but rather the breach of a database called MIDAS that stored a lot of personally identifiable information about users of Healthcare.gov. Namely that this database had numerous high severity vulnerabilities that needed to be patched and that overall, health officials didn’t utilize best practices across the entire system.
Finally, in 2018, the U.S. Government Accountability Office conducted a survey of the Centers for Medicare and Medicaid Services to assess its ability to protect Medicare data from external entities.
According to HippaJournal.Com:
“The study had three main objectives: To determine the major external entities that collect, store, and share Medicare beneficiary data, to determine whether the requirements for protection of Medicare data align with federal guidance, and to assess CMS oversight of the implementation of those requirements.”
Turns out that while there are some requirements in place to ensure that certain entities are cleared for access to this data, there are some who are not and therefore could abuse the data they gain access to! There are three main groups that access Medicare beneficiary data, either Medicare Administrative Contractors (MACs), who process Medicare claims, research organizations, and entities that use claims data to assess the performance of Medicare service providers.
Unfortunately, only the processes for clearing access to this data for MACs and service provider entities are in line with federal guidance, which is designed to be used for all CMS contractors. Researchers, on the other hand, aren’t considered CMS contractors. Basically, the oversight required by federal regulation on access to this data was previously applied to only 2/3rds of all users who could access that data, so there is no guarantee that the data was fully protected.
While we listed out numerous instances of government controlled patient data being put into compromising positions, reports of lost medical data from government-controlled systems are actually very small. I couldn’t find anything that blamed the CMS or HHS for a data breach.
Private Insurance data security
The luck of not having much, if any, medical data breached despite numerous occasions of unpatched vulnerabilities being identified for healthcare.gov and it’s controlling department doesn’t quite extend to the private insurance world.
In July 2019, Premera Blue Cross, an insurance company for the Pacific Northwest of the U.S, agreed to pay a settlement of over $10 million to numerous state offices. Premera suffered a massive data breach that exposed the data of more than 10 million patients in 2015. The press release from the Washington State Office of the Attorney General claims:
“From May 5, 2014 until March 6, 2015, a hacker had unauthorized access to the Premera network containing sensitive personal information, including private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers and email addresses.”
In addition to that, there were complaints that Premera mislead consumers about the breach and the full scope of potential damage that could be done.
In October of 2018, an employee with Blue Cross Blue Shield of Michigan lost a laptop that had customer’s personal medical data saved on it. The company jumped into action and worked with a subsidiary to change the access credentials to the encrypted laptop and to their knowledge, there is no evidence that the patient data was compromised, however, according to CISOMag:
“The access information includes the member’s first name, last name, address, date of birth, enrollee identification number, gender, medication, diagnosis, and provider information. Blue Cross clarified that the Social Security numbers and financial account information were not included in the accessible data.”
Finally, in 2019, Dominion National insurance identified than an unauthorized party may have been able to access internal severs, as early as August 2010! According to a press release:
“Dominion National has undertaken a comprehensive review of the data stored or potentially accessible from those computer servers and has determined that the data may include enrollment and demographic information for current and former members of Dominion National and Avalon vision, as well as individuals affiliated with the organizations Dominion National administers dental and vision benefits for. The servers may have also contained personal information pertaining to plan producers and participating healthcare providers. The information varied by individual, but may include names in combination with addresses, email addresses, dates of birth, Social Security numbers, taxpayer identification numbers, bank account and routing numbers, member ID numbers, group numbers, and subscriber numbers.“
These were three examples of breaches that occurred to actual health insurance companies, not third parties or government-controlled healthcare organizations. In two of these instances, the attacker maintained a foothold on the network for over a year (9 years in Dominion’s case!) and in another instance, someone just lost a laptop full of patient data (the same thing happened to the Department of Homeland Security & The Department of Health & Human Services over the last few years. We need to just tape our laptops to our bodies like a tourist with a passport!)
Why neither of these is the problem
Okay, so which is it? Is it more secure to entrust our government with control of patient data, or are we in better hands with private insurance companies? The reality is, neither one matters because neither is the actual problem.
It’s not the organizations that we depend on to protect our data that are being breached as much as the third-party organizations they work with. From mailing services to labs to billing organizations, most of our patient data breaches are happening to organizations who don’t have any real need to hold on to our data, which may be why they fail to secure it.
Third party breaches
In September of this year, Detroit-based medical contractor, Wolverine Solutions Group (WSG), was breached, resulting in the possible compromise of hundreds of thousands of patients nationwide. WSG provided mailing, as well as other, services to hospitals and healthcare companies. They were hit by a Ransomware attack which resulted in data that belonged to numerous healthcare organizations patients being ransomed.
While the investigation into the attack hasn’t resulted in any evidence that data has been stolen, in a quote of WSG President Darryl English in the Detroit Free Press:
"Nevertheless, given the nature of the affected files, some of which contained individual patient information (names, addresses, dates of birth, Social Security numbers, insurance contract information and numbers, phone numbers, and medical information, including some highly sensitive medical information), out of an abundance of caution, we mailed letters to all impacted individuals recommending that they take immediate steps to protect themselves from any potential misuse of their information,"
Despite their belief that no patient data was obtained, the same article by the Detroit Free Press describes the case of Tyler Mayes of Oxford, who has identified numerous fraudulent medical charges on his credit report:
“I haven't been put under the knife in four years," he said. "So I had a phantom surgery that not even I knew about? I have received no bills in the mail, and have received no phone calls. I have no emails. They just randomly appeared on my credit report. "I think they're not letting out as much out of the bag as they've got in there," Mayes said of the Wolverine Solutions Group breach.
In May, Spectrum Health Lakeland started sending out letters to about a thousand of their patients, because their billing services company (OS, Inc) was breached, resulting in the possible theft of patient names, addresses and health insurance providers, but not social security and driver’s license numbers (the bad guys will have to find that somewhere else I guess.)
According to an article for MLive Michigan that covers the breach:
“Billing services company OS, Inc. confirmed Wednesday , May 8, an unauthorized individual accessed an employee’s email account that held information related to some Spectrum Health Lakeland patients, according to a Spectrum Health news release.”
A successful phishing attack against the employees of Solara Medical Supplies, reported in mid-November, lead to a breach that lasted almost a year and resulted in the loss of employee names and potentially addresses, dates of birth, health insurance information, social security numbers, financial and identification information, passwords, PINs and all kinds of other juicy data.
However, a big concern about the breach of employee e-mail accounts for a third-party vendor is the possibility for attackers to use those infected systems as staging areas to launch additional malicious phishing attacks using e-mail addresses from employees of Solara.
Finally, an ongoing investigation by the Securities and Exchange Commission that started May 2019 identified that American Medical Collection Agency (AMCA) was breached for eight months between Aug 2018 and March 2019.
Actual numbers of affected patients are still being worked out, however according to Health IT Security, at least six covered entities have reported that their patient data was compromised by the attack. This includes patient information from 12 million folks who have utilized Quest Diagnostics and 7.7 million Labcorp patients.
“And just this week a sixth provider, Austin Pathology Associates, reported at least 46,500 of its patients were impacted by the event. Shortly after, seven more covered entities reported they too were impacted: Natera, American Esoteric Laboratories, CBLPath, South Texas Dermatopathology, Seacoast Pathology, Arizona Dermatopathology, and Laboratory of Dermatopathology ADX.”
When known affected patients’ tallies are added together, approximately 25 million patients have had their data compromised thanks to this attack. There are still providers who are figuring out the full extent so you can rest assured that the number is likely going to rise.
So, coming back to our original question, it looks like our biggest problem with keeping control of medical data is that it’s spread out all over the place! A ‘Medicare for All’ plan may reduce breaches to some extent because you’ll remove a few companies that could possess the data, however, just based on our own research in this article, often we see greater success by cybercriminals breaching third-party medical vendors than going after government or established insurance companies.
What is being done?
If this is your first-time hearing about the potential dangers of third-party data sharing, don’t fret, because politicians are on it! A first step in taking action to curb data theft is to establish a department specifically for digital privacy—an idea introduced this month by Rep Anna G. Eshoo [D-CA-18]. The Online Privacy Act of 2019 was introduced to the U.S. House of Representatives in early November.
The purpose of the bill is:
”To provide for individual rights relating to privacy of personal information, to establish privacy and security requirements for covered entities relating to personal information, and to establish an agency to be known as the United States Digital Privacy Agency to enforce such rights and requirements, and for other purposes.”Online Privacy Act of 2019
There are some politicians who are against this bill and want to continue to have the Federal Trade Commission be the department concerned with digital privacy, however we can see how well that is going.
Beyond just a new department for privacy, Senator Mark R. Warner [D-VA] has called out new legislation on patient data sharing to put in more language about the importance of establishing controls and security in the development of technologies that allow patients greater insight into their Electronic Health Record (EHR). You can read about the legislation called the ACCESS act on our blog as well.
The proposed legislation from the Department of Health and Human Services (HHS) requires insurers participating in CMS-run programs, like Medicare, to allow patients to access their health information electronically. They plan to do this by establishing an Application Programming Interface (API) that third-party vendors can utilize to obtain data and make it viewable to the patient.
Sen. Warner, who has been a huge advocate for privacy and security, wrote a letter to the legislation authors, asking for a serious focus on the security of that API so it’s not abused. In the letter he states:
“…I urge CMS to take additional steps to address the potential for misuse of these features in developing the rules around APIs. In just the last three years, technology providers and policymakers have been unable to anticipate – or preemptively address – the misuse of consumer technology which has had a profound impact across our society and economy. As I have stated repeatedly, third-party data stewardship is a critical component of information security…”Senator Mark R. Warner [D-VA]
We don’t know what help these efforts will provide in the long run, but we are in a good position to start really discussing the dangers and solutions to problems concerning digital healthcare data, specifically it’s uses and abuse.
Now that we’ve covered all that, did we answer our question? Does ‘Medicare for All’ have any impact on data security? It looks like the answer is no, regardless of the health plan we use, the data is going to continue to be vulnerable, in large part because of third-party sharing.
Neither the government nor private health insurance have a perfect score when it comes to data security, however both have been affected by third-party breaches. In the case of private insurance companies, breaches like that at OS, Inc. circumvented all efforts made by Blue Cross and other insurance companies to protect their patient data. At the same time, government health care technology has been riddled with misconfigurations and poor practices that frankly make it a miracle that data hasn’t already been completely harvested by cyber criminals.
The good news is that every attack brings the knowledge of how to avoid one in the future. Our health data is more secure now than any other point of digital healthcare record history, and it’s only going to get better! With the backing of government legislation on the protection of not just medical data, but how it’s transferred and stored, we can turn this whole thing around.
Unfortunately for the millions of patients who have had their personal data stolen and likely stored away in the databases of numerous criminals, and those who are likely going to have to deal with fraud and theft by criminals because of it for the foreseeable future, we are the broken eggs in this security omelet. Let’s hope the next group fare better.