Hackers could gain access to the personal data of Americans who use the federal and state health insurance exchanges, according to two government reports and experts on electronic data security.
The exchanges, created under the federal Affordable Care Act (ACA), are working to improve the protection of personal data provided by individuals as they apply for insurance coverage, according to the reports and experts. However, much remains to be done, and some experts say that the exchanges might never be completely impervious to attacks.
“One hundred percent security is impossible,” said Kenneth K. Dort, a partner in law firm Drinker Biddle’s Intellectual Property Practice Group in Chicago. “The name of the game is risk minimization.”
There has already been one reported breach of the federal Healthcare.gov website. On Sept. 4, 2014, the Centers for Medicare & Medicaid Services (CMS), which runs the exchange, said that a hacker or hackers uploaded malware on a server that supports the exchange website but does not contain users’ personal information.
Some states operate their own insurance exchanges; others allow the federal government to run theirs. All exchanges that receive federal funds are bound to stringent data security rules. However, compliance remains a massive challenge.
Typically, Americans who seek to enroll in a health insurance plan through an exchange provide their name, address, birth date, Social Security number and salary information. To determine eligibility and perform other functions, the exchanges must share this data with other government agencies and with private entities such as insurance companies. These operations add significantly to the information security challenge.
The federal exchange and some state exchanges suffered from initial design flaws when they first came online, and the push to make them function smoothly also complicated the task of securing personal information, experts say.
Personal data protection “wasn’t integrated into the process,” said Michael Ebert, an expert on health care and data security at audit, tax and advisory firm KPMG in Philadelphia. “They didn’t bake it in. They tried to bolt it on.”
“There is absolutely no way that a project that was so poorly executed can successfully protect private data,” said Peter Robichau, a health care technology author, speaker and consultant.
A U.S. Government Accountability Office report issued in September 2014 found that “while CMS has taken steps to protect the security and privacy of data processed and maintained by the complex set of systems and interconnections that support Healthcare.gov, weaknesses remain in both the processes used for managing information security and privacy, as well as the technical implementation of IT security controls.”
The report said that “increased and unnecessary risks remain of unauthorized access, disclosure, or modification of information collected and maintained by Healthcare.gov and related systems, and the disruption of service provided by the systems.”
Also in September 2014, the Office of the Inspector General of the U.S. Department of Health and Human Services (HHS) released a report on the federal exchange and the state exchanges in Kentucky and New Mexico. The report cited “two critical vulnerabilities” in the website of the federal exchange that “placed the confidentiality, integrity, and availability of PII (personally identifiable information) at risk and could have allowed unauthorized access to PII.” The report found that the two states’ exchanges had implemented security controls but that additional improvements were needed.
A spokesman for HHS, which oversees CMS, did not respond to requests for an interview with SHRM Online.
J. Deane Waldman, a pediatric cardiologist at the University of New Mexico Hospitals and a member of the board that oversees the New Mexico exchange, acknowledged that personal data security remains a challenge. “The law (ACA) is basically unworkable, and we’re trying to make it work,” he told SHRM Online. “We’re doing the best we can.” Waldman said his comments are his opinions and do not represent the New Mexico exchange board on which he sits. He noted that the New Mexico exchange will assist applicants only with Small Business Health Options Program (SHOP) plans until fall 2015, when it will add individual health coverage. Part of the reason for that delay, he said, was to ensure that data security systems are tested adequately before full operation.
Waldman emphasized that the sharing of information among medical professionals is essential to effective health care. “Security and information-sharing are two sides of a balanced scale,” he said. Health exchanges must facilitate both.
“There are bad people out there who will take advantage of anything,” noted Connie Stack, chief marketing officer of security firm Digital Guardian, who is based near Boston. “Security professionals need to plug every hole; the hacker only needs to find one.” She said she believes that health exchange data security professionals “are taking the right steps.”
Layna S. Cook, an attorney with the Health Law Group at Baker Donelson in Baton Rouge, La., said that people who use the exchanges also “need to be vigilant” in protecting their personal information. “Provide the information required and no more. Be careful who you provide it to.”
Health exchange officials and individual consumers “have to continually monitor the landscape,” said Dort of Drinker Biddle. “Threats change and techniques change. It’s a never-ending battle.”
Steve Bates is a freelance writer in the Washington, D.C., area and a former writer and editor for SHRM.