Making sense of health care is always a challenge. But this year presented me with a new wrinkle: I had to also become knowledgeable about IT security.
When Indianapolis-based health insurer Anthem Inc. revealed Feb. 4 that nearly 80 million patient records had been stolen from its computers, I had to figure out what was up and what was down in IT security—really fast.
But it’s not just Anthem. The health care industry—never an IT leader in anything—has been shown this year to have screen doors for cyber security.
In Indiana alone this year, St. Vincent Health has been breached—three times—exposing 68,000 patient records; Aspire Indiana, which operates mental health centers, lost a laptop with more than 43,000 patient records; the Indiana State Medical Association had more than 38,000 patient records on two backup drives stolen; and Fort Wayne-based Medical Informatics Engineering had 3.9 million patient records stolen by hackers.
A report released Thursday by the American Action Forum estimated that the cost to deal with just the first six months of security breaches at health care organizations this year to be more than $37 billion.
That’s billion, with a “B.”
The D.C.-based American Action Forum is a conservative policy group led by former Congressional Budget Office Director Douglas Holtz-Eakin. It generated that figure by using cost per stolen record, which was estimated at $398 this year by the Ponemon Institute, based on its analysis of the clean-up efforts in 1,600 actual data breach cases.
The American Action Forum then multiplied that number by the total number of records stolen from health care entities this year—94 million—to arrive at a grand total cost of $37.4 billion.
I think that number is too high. It assumes the Anthem breach, by itself, will cost more than $31 billion to deal with. But since the scale of the Anthem breach dwarfs any previous breach of a health care organization, it's likely Anthem's cost per record will be lower than the average.
But even if the cost of the Anthem breach is $20 billion less than the American Action Forum's methodology assumes, that still means the cost of all health care data breaches this year would be more than $17 billion.
That lower estimate would also mean the total cost of breaches since 2009 would be about $30 billion, according to American Action Forum’s estimates.
To put that in perspective, American Action Forum noted that since the 2009 stimulus bill, the federal Medicare program has paid just more than $30 billion in subsidies to help doctors and hospitals—at long last—digitize their medical records.
So the federal government spent $30 billion over the past six years to spur the digitization of health care. And since then health care organizations are estimated to have spent that same amount to clean up data breaches due—not exclusively but in many cases—to the digitization of health care records.
“Widespread use of electronic medical records could bring beneficial change to the health care system in a variety of ways, largely because they are the foundational piece to many technologies and analyses that could change health care delivery,” wrote Tara O’Neil, a health care policy analyst at the American Action Forum. “Unfortunately,” she added, “these advances come with significant costs, both financially and in terms of personal privacy.”
The health care industry suffered 333 data breaches last year, up from just 16 data breaches in 2005, according to statistics from the Identity Theft Resource Center.
These estimates are the latest black eye for electronic medical records, which have been shown to reduce doctors’ productivity and raise medical spending—exactly the opposite of the outcomes that were supposed to happen.
The rash of data breaches can’t be blamed entirely on the adoption of electronic medical records—which is, by the way, something everyone agrees is a step in the right direction. After all, the digital records stolen from Anthem dated back 10 years—well before the ramp-up of digital records at doctors and hospitals.
But the breaches are a sign that while health care is getting IT religion, it still has major policy challenges to work out.
A big one is the industry’s use of Social Security numbers to identify patients. There have been calls over the years to adopt a system of National Patient Identifiers, which would be numbers used solely for health care purposes—not for taking out loans and filing tax returns. The allure of such information to cyber thieves would therefore be greatly reduced.
In fact, the 1996 legislation known as HIPAA (Health Information Portability and Accountability Act) called for a national patient identifier. But the Clinton administration said it would not implement such a system until privacy controls were in place. Congress then passed a law banning funding for a national patient identifier system.
Many state legislatures have passed laws restricting the use of Social Security numbers as personal identifiers at state agencies and universities.
In addition, Congressional action caused the financial services industry to become the gold (though not perfect) standard for IT security. That’s because Congress mandated that financial services companies would be held liable for the loss of credit card information. So banks have worked especially hard to reduce credit card fraud, and will eat the costs when it happens.
“It’s not irrational for consumers to say, ‘I don’t really care if my credit card is taken,’” said Fred Cate, an IT security expert at Indiana University. That move by Congress actually “spurred the credit card market,” he added, “because people felt more comfortable.”
But with this year’s bill at $37 billion and counting, perhaps the sheer cost of cleaning up after IT security breaches will spur health care companies to find a bandage for their hemorrhaging computer systems.