Breached healthcare records down 72% but incident numbers steady. Then there’s MyFitnessPal’s 150 million…

Hackermania in healthcare may be running less wild…but what about consumer health devices? Year-end and top-of-year analyses indicate that the flood of breached records may be starting to drain. A Bitglass analysis of 2017 US Department of Health and Human Services (HHS) data from its infamous ‘Wall of Shame’ is encouraging. They found that the number of breached records decreased by 72 percent between 2015 and 2017 and by 95 percent from 2016. The calculation excludes the huge spike in breaches due to two 2015 incidents at Anthem and Premera Blue Cross [TTA 9 Sep 15]. Numerically, the breach incident numbers decreased but are relatively steady: 2017 at 294, 2016 at 328. Data security company Protenus in its tracking found more incidents in 2017 versus 2016 (477 in 2017 v. 450 in 2016) but the same reduction in records affected, with five times fewer records in 2017 versus 2016’s 27.3 million records.

What’s been successful has been reducing mega-breaches and containing healthcare device loss and theft through education and enforcement of employee practices. What continues is that the major cause of breaches remains insider-related, via error and wrongdoing; this finding is echoed in the major annual Verizon report. Healthcare Informatics

Protenus’ February report, while continuing the reduction trend, had its share of hacking and insider incidents. Of the 39 incidents in their report affecting over 348,000 records, insider actions such as the misuse of system credentials accounted for 51 percent of breached records while hacks were 46 percent, with the majority involving ransomware or malware. Hacking as a cause hasn’t disappeared but perhaps has shifted to easier targets.

UnderArmour’s MyFitnessPal delivers another breach blow. Late last month, the company revealed that 150 million user records were hacked in February. The MyFitnessPal mobile app (more…)

Scary Monsters, Take 2: Amazon, Berkshire Hathaway, JPMorgan Chase’s addressing employee healthcare

Shudders through the US financial markets resulted from Tuesday’s Big Reveal of an Amazon-Berkshire Hathaway-JPMorgan Chase combine. Ostensibly they will be “partnering on ways to address healthcare for their U.S. employees, with the aim of improving employee satisfaction and reducing costs” and setting up an independent company “free from profit-making incentives and constraints. The initial focus of the new company will be on technology solutions that will provide U.S. employees and their families with simplified, high-quality and transparent healthcare at a reasonable cost.” This and the Warren Buffett quote about ballooning healthcare costs being a “hungry tapeworm” on the American economy have gained the most notice. Mr. Bezos’ and Mr. Dimon’s statements are anodyne. The company will initially and unsurprisingly be spearheaded by one representative from each company. The combined companies have 1.1 million employees. Release. CNBC.

There is a great deal in those lead quotes which is both cheering and worrisome. To quote a long-time industry insider in the health tech/med device area, “What this tells me is finally, enough pain has been felt to actually try to do something. We need more of this.” This Editor notes the emphasis on ‘technology solutions’ which at first glance is good news for those of us engaged in 1) healthcare tech and 2) innovative care models.

But what exactly is meant by ‘technology’? And will they become an insurer?

What most of the glowing initial comments overlooked was the Absolute Torture of Regulation around American healthcare. If this combine chooses to operate as an insurer or as a PBM, for starters there are 50 states to get through. Each state has a department of insurance–in California’s case, two. Recall the Aetna-Humana and Cigna-Anthem mergers had to go through the gauntlet of approval by each state and didn’t succeed. PBM regulation varies by state, but in about half the US states there are licensing regulations either through departments of insurance or health. On the Federal level, there’s HHS, various Congressional committees, Commerce, and possibly DOJ.

Large companies generally self-insure for healthcare. They use insurers as ASO–administrative services only–in order to lower costs. Which leads to…why didn’t these companies work directly with their insurers to redo health benefits? Why the cudgel and not the scalpel?

Lest we forget, the Affordable Care Act (ACA, a/k/a Obamacare) mandated what insurance must cover–and it ballooned costs for companies because additional coverages were heaped upon the usual premium increases. Ask any individual buyer of health insurance what their costs were in 2012 versus 2017, and that’s not due to any tapeworm. Forbes

Conspicuously not mentioned were doctors, nurses, and other healthcare providers. How will this overworked, abused, and stressed-out group, on whose shoulders all this will wind up being heaped, fare? And what about hospitals and their future? Health systems? The questions will multiply.

Disruption is now the thing this year. Of course, shares of healthcare companies took a beating today, many of which do business with these three companies: CNBC names Cigna, Express Scripts, CVS, Aetna (themselves partnering for innovation), and UnitedHealthGroup. Amazon uses Premera Blue Cross (a non-profit). 

Because of Amazon’s recent moves in pharmacy [TTA 23 Jan], there is much focus on Amazon, but the companies with direct financial and insurance experience are…JPMChase and Berkshire Hathaway.

An Editor’s predictions:

  • Nothing will be fast or simple about this, given the size and task. 
  • The intentions are good but not altruistic. Inevitably, it will focus on what will work for these companies but not necessarily for others or for individuals.
  • An insurer–or insurers–will either join or be purchased by this combine in order to make this happen.

Hat tips to Toni Bunting and our anonymous insider.

Data breaches top 120 million since 2009 (US)

“The medical industry is years and years behind other industries when it comes to security.”–Dave Kennedy, TrustedSEC CEO.

We admire the Washington Post for arriving at the conclusion we did in 2010–that healthcare organizations are uniquely vulnerable to cyberattack because of the high value of patient data, and an often lighter level of HIT security. But now we get the finger wag that ‘it’s only going to get worse.’ (Beyond 120 million breached records?) Data security, of which HIPAA patient information protection is a part, wasn’t primary for years, especially in organizations overwhelmed with transitioning EHRs, getting EMRs to speak with EHRs, Meaningful Use, new care and payment models, 30-day readmissions and ‘oh, by the way, how will we get paid?’ The Premera Blue Cross (Washington state) breach of 11 million records was the second largest in healthcare history (after Anthem Health’s February bunker buster of a breach). Most breaches are from stolen laptops or shared or easy-to-guess passwords (or none at all)–but these have not been in the millions. Premera’s theft took place on 5 May 2014 and was only discovered in January; it included SSNs, bank information, claims data, patient name/address and date of birth. Those affected were in California and Alaska primarily, but also included Federal employees.

But Premera can’t say they were not warned. The US Office of Personnel Management’s Office of the Inspector General (OPM OIG) independently audited Premera in April 2014 detailing several vulnerabilities, including a lack of timely patch implementations, a lack of methodology to “ensure that unsupported or out-of-date software is not utilized” and insecure server configurations, and the need to upgrade physical access controls in their data center. FierceHealthIT

Premera’s medical files data may expose other payers, which in turn may legally come after Premera, according to FierceHealthIT.

Only now are health systems and practices focusing on securing all information (more…)