Maybe HIPAA Protected You From WannaCry

Commentary May 17, 2017 at 04:52 AM

It seemed as if the WannaCry ransomware attack could have created some opportunities for me to write frightening, entertaining articles about creepy hackers in Bulgaria, North Korea or a cave in Antarctica invading the computers of U.S. hospitals, health insurers and health insurance agents and brokers.

So far, however, all I'm hearing is digital crickets.

U.S. agents and insurers may have faced some attacks, but there's no public evidence of that. Insurance industry companies and groups don't seem to be posting more notices about cybersecurity problems than usual. Large numbers of U.S. patients don't seem to be going on social media to complain that the ransomware ate their health records.

One obvious reason may be luck. WannaCry spread through a flaw in Windows file sharing that Microsoft had patched about two months earlier, so an organization's exposure depended largely on how many unpatched Windows machines it still had reachable on its network. The WannaCry developers may simply have used strategies that work better on hospital computers in the United Kingdom than on insurance company computers in the United States.

Another reason may be that fear of the wrath of U.S. cybersecurity regulators keeps any affected entities in the United States from going public with incident reports. U.S. entities may believe that quietly junking an affected computer and reconstructing the data from backups will be cheaper and easier than dealing with the repercussions of volunteering information about incidents to federal investigators.

A third reason, however, could be that the U.S. federal government and U.S. state governments have been so ferocious about developing data security rules for protected health information that the rules have helped inoculate most significant U.S. collectors of protected health information against attacks.

The federal rules implementing the Health Insurance Portability and Accountability Act (HIPAA) privacy and data security provisions, and the HITECH Act data security provisions, are broad. The rules touch life insurers, annuity issuers and even ordinary life agents about as much as they touch doctors, hospitals and testing labs.

Even if some U.S. players fail to take the rules seriously, the players that do their best to comply may make the U.S. health data infrastructure safer for the scofflaws as well as for the rule followers. As the percentage of rule followers rises, the likelihood that a malware attack will hit a solid security wall and die rises.

The downside is that the cybersecurity rules instill terror and burn up people's time. Agents who collect protected health information for underwriting purposes know they could face the wrath of HIPAA compliance auditors if they simply leave a laptop with no password protection in a car, and a thief steals the car. Agents know that failing to update their systems, back up their data, or encrypt the protected health information they store could lead to financial doom.

The upside is that, for now, at least, it's hard for me to write an interesting story about the effects of WannaCry on U.S. insurance agents, brokers, advisors and insurers.

The moral is that government compliance efforts can impose burdens on members of the insurance community but may also create benefits. Policy shapers need to think about the benefits as well as the burdens. The goal should be to optimize the balance between the benefits and the burdens, and to find ways to maximize the amount of benefit per unit of burden, not to get so caught up in partisan conflicts that we end up with all-or-nothing policies because compromise is for the wimps.


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
