Data breaches have grabbed headlines in recent months, and arguably none was more shocking than the one that occurred at Anthem, the nation’s second largest health insurer.

This article was originally published on mHealthNews.

That breach compromised the Social Security numbers, dates of birth and e-mail addresses of about 80 million current and former Anthem members and employees. That’s the equivalent of the combined population of California, New York, Illinois and Maryland.

In the wake of the Anthem and Sony breaches, the Senate Intelligence Committee recently passed the broadly bipartisan Cybersecurity Information Sharing Act (CISA), which would make it easier for private sector companies to share information about cybersecurity threats with government agencies. That bill is expected to be fast-tracked through Congress this spring.

The Center for Strategic and International Studies estimates that the total economic loss associated with cyber-attacks runs as high as $400 billion per year.

That’s why Congress will likely act quickly to address the problem. While in committee, CISA received 12 amendments to help safeguard privacy. As the bill moves forward, organizations like the nonprofit Center for Democracy and Technology are calling for Congress to remove consumers’ personally identifiable information – in our world, HIPAA data – before it gets shared with government agencies. With those safeguards in place, it will be a bill worth passing.

But legislation alone won’t be a total solution, especially in healthcare.

The shocking truth is that only about 6 percent of healthcare data breaches to date (as reported on the Health and Human Services “Wall of Shame”) are the work of hackers. The other 94 percent are the result of simple human errors and transgressions, usually made by a provider’s own employees or business associates. The miscues run the gamut from snooping into celebrity health files and improperly disposing of paper records to losing laptops containing unencrypted patient data. In short, a hospital or health system might congratulate itself on avoiding an Anthem-scale breach, only to get stung by smaller breaches that can still tarnish its reputation and cost millions to remedy.

The minimum regulatory fine for a HIPAA violation involving willful neglect is a staggering $1.5 million per violation – and most data breaches involve multiple HIPAA violations.

Sadly, too few healthcare organizations have a formal process for benchmarking the maturity of their information risk management (IRM) programs. (The FBI made this clear in an August 2014 alert.)

The healthcare field lags far behind most other industries in this critical benchmarking process. For example, most large retailers routinely use maturity models to test the efficacy of their supply chain management. The consulting firm Accenture even has a “green” maturity model to assess its IT clients’ environmental and sustainability programs.

We therefore need better board and C-suite education about what constitutes comprehensive IRM and how to continuously improve it. For years, healthcare organizations have been reactive (“Let’s spot-weld this problem until the next one comes along”). What’s needed is a governance overhaul to ensure that IRM is viewed strategically, where the goal is to make it more robust and mature with each passing year.

By improving information-sharing, the proposed CISA law may help prevent some – but certainly not all – of the healthcare data breaches that lie ahead. To make real progress, our boardrooms and C-suites need to approach IRM as an organization-wide discipline. Without addressing people and policies, techno-fixes will never be a complete solution.


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.