While it's "very generous" of the Blue Cross Blue Shield (BCBS) Association to offer identity protection services to all of its 160 million members, the move ultimately doesn't fix the issue of hackers' troubling ability to access health insurers' customer data, a cybersecurity expert said.
"The real problem here is trying to avoid having breaches in the first place," Mac McMillan, (pictured right), chairman and cofounder of healthcare information security firm CynergisTek Inc., told FierceHealthPayer in an exclusive interview. "It's almost as if the presumption is there are going to be breaches, and therefore they're just going to go ahead and offer the protection ahead of time."
BCBS' announcement is the first he has heard of a company proactively offering identity protection services, McMillan said. Hackers have already targeted some Blues customers, though: Anthem and Premera Blue Cross have discovered data breaches earlier this year, the former's compromising the personal health information of 80 million customers.
Cyberattacks that target personal health information are worse than those that go after customers' health information, McMillan said, because while financial information is "perishable"--since a consumer can close out a bank account or cancel or credit card--health information has a "much longer tail" in terms of risk to the individual.
In its announcement of the new services, the BCBS Association said it wants to "lead the healthcare industry in the area of cybersecurity practices." If the move is intended to simply mitigate the potential risk to its customers in case it does experience a breach, McMillan said, "that's a positive thing."
But to truly reduce the chances of a cyberattack, insurers should invest in sound security measures that focus on preventing and detecting breaches as well as avoid storing customers' data longer than is absolutely necessary, he said. For instance, McMillan was surprised to learn that the Anthem hack compromised past customers' data in addition to current customers'.
"If they're not a current customer, why in the hell is their data online anyway?" he asked. If there is a legitimate business reason to store former customers' health information, insurers would be better off storing that data offline, McMillan added.
For the identity protection service program, each Blues plan will choose its own vendor with guidance, if needed, from the national association, a BCBS North Carolina representative told FierceHealthPayer in an email. That's a wise move, McMillan said, because it allows the national BCBS to compare the performance of various vendors.
"If you just pick one, and it's not the best one, then you're stuck with it for a while," he said, adding that individual Blues plans may also be able to get better rates from vendors based on their region.
As of right now, it's unclear whether it makes sense for insurers to follow the BCBS Association's lead and roll out their own identity protection services, McMillan said. Some may want take a wait-and-see approach, especially to evaluate the costs of the project.
But another question is "what's the marketing value of this," McMillan noted, adding that he'd be interested to see if "consumers going to say, 'well, you know what, I'd rather have my coverage through Blue Cross Blue Shield because if something happens I'm protected.'"
Blue Cross Blue Shield Association to offer identity protection services to all 106M members
Payers need sophisticated tools to fight off cyberattacks
Premera says data breach may affect 11 million consumers
Anthem hack compromises info for 80 million customers