Why the Anthem data breach won't be the industry's wakeup call

There's been a flurry of activity in reaction to the cyberattack on Anthem, the largest reported healthcare data breach in history, with information for up to 80 million customers compromised.

Several class-action lawsuits already have been filed. The National Association of Insurance Commissioners has launched an investigation. People are calling for mandatory encryption of electronic patient protected health information in EHRs and elsewhere.

Pundits are claiming that this breach will finally serve as the healthcare industry's wakeup call to better protect patient data, particularly from cyberattacks.

Maybe. I'd like it to be.

But it won't.

Yes, it's the largest known security breach in the healthcare industry, but it's hardly the first. There are a lot of them, and the number of incidents keeps rising. According to the Identity Theft Resource Center's latest data breach report, released in January, data breaches are at an all-time high, the healthcare industry suffered the highest proportion of data breaches, and the No. 1 cause of security breaches in 2014 overall was hacking.

This, despite the fact that the FBI warned the healthcare industry about cyberattacks a year ago.

So why does it keep on occurring, and why won't Anthem's security breach stem the tide?

For one, many healthcare entities still don't take security as seriously as they should, even though HIPAA has been around for almost 20 years. It takes time and money to install and maintain security protections. Although more organizations than ever are using EHRs and other electronic devices, they're not adequately protecting the data in them.

Just look at this study of more than 1,000 physician practices published by NueMD last month. It found that 23 percent of them didn't even have a HIPAA compliance plan; only one-third had performed a security risk assessment of their electronic patient protected health information (even though both HIPAA's security rule and the Meaningful Use program require it); and 36 percent didn't know that the HITECH Act of 2009 imposed new compliance obligations on them.

Even Anthem, which had measures in place to protect its data, had a security "vulnerability" and weak, improper access controls which allowed the hackers to gain access.

Then there's the saturation factor. The Identity Theft Resource Center, in announcing its own recently published report, warns that data breaches occur so often that some businesses are in a "state of fatigue and denial about the serious nature of this issue."

Unfortunately, part of the problem is that there's not much government oversight. ONC has been chastised for not protecting the data in EHRs better. There's been some uptick in HIPAA enforcement, but the Office for Civil Rights only entered into six resolution agreements in 2014, up from five in 2013. The permanent HIPAA audit program, which was supposed to start in 2014, has been delayed; even when implemented it's slated to audit only 800 covered entities and 400 business associates for HIPAA compliance. State attorneys general have the power to enforce HIPAA, but only a few have done so. 

Ironically, it's often only after an entity suffers a data breach that the government gets involved.  

The sad fact is that, like a burglary in one's neighborhood, people tend to disregard something until it hits close to home.

The Anthem breach may get a lot of attention. But without more, it may not spur the holders of electronic patient health records to protect those records better.  - Marla (@MarlaHirsch and @FierceHealthIT)