There are many lessons that the Medical Community (Covered Entities, Business Associates and their subcontractors) can learn from the Ashley Madison hack. Please forgive me if I omit the prurient details and any "holier than thou" statements about the AM business, except to say that it was a site that needed security, that it dealt with highly sensitive and personal matters, and that the very people who sought to obtain a "full delete" of their personal information are the ones who apparently were caught "flapping in the wind" (please forgive the pun).
- How could a subscriber/patient/doctor or medical provider (CE, BA or Sub) have known that the information they retained made them a prime target? In the case of Ashley Madison, even assuming it did not possess the native intelligence to realize that we live in an age of website breaches, WSJ.com had actually reported that Friend Finder Networks (a website with similar appeal to individuals seeking extracurricular activities) was hacked, and that Avid Life Media (owner of AM), which was seeking to raise $200 million in an IPO, warned that "investors will have to think of hack attacks as a risk factor." In the case of CEs, BAs and their subcontractors, in addition to HIPAA, HITECH and the Omnibus Rule, the internet is replete with stories of both medical and nonmedical private information being hacked.
- How could the information have been safeguarded? In the case of AM, prepaid credit cards, anonymous browsing and encryption could have mitigated or eliminated the risk. On the Medical side, awareness of and compliance with the regulatory requirements (which, incidentally, include encryption as a safe harbor) would similarly substantially mitigate both the risk and the amount of damage a breach may cause. Starting with a risk analysis, then adopting proper security and privacy protocols, management oversight, and adequate resources devoted to regulatory compliance, would go a long way.
The basic problem is that the NIMBY (not in my back yard) way of denying reality has a way of catching up with you, because attackers find and exploit the vulnerabilities that were ignored. The new reality is that with every passing day, more private information is being entrusted to others. Cyber security is playing a cat and mouse game with hackers, and ignoring the realities of the digital age can lead to embarrassment, financial loss (or ruin), and governmental scrutiny and fines.
What do you think?