<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Identity Theft and Data Breach News &#124; ID Experts Corporate Blog &#187; electronic health records</title>
	<atom:link href="http://blog.idexpertscorp.com/tag/electronic-health-records/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.idexpertscorp.com</link>
	<description>ID Experts Corporate Blog</description>
	<lastBuildDate>Tue, 31 Aug 2010 16:00:31 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>National Data Security and Notification Legislation Underway</title>
		<link>http://blog.idexpertscorp.com/2010/08/national-data-security-and-notification-legislation-underway/</link>
		<comments>http://blog.idexpertscorp.com/2010/08/national-data-security-and-notification-legislation-underway/#comments</comments>
		<pubDate>Fri, 13 Aug 2010 22:46:08 +0000</pubDate>
		<dc:creator>Doug Pollack</dc:creator>
				<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[data breach notification]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[data security act]]></category>
		<category><![CDATA[electronic health records]]></category>
		<category><![CDATA[phi]]></category>
		<category><![CDATA[PII]]></category>

		<guid isPermaLink="false">http://blog.idexpertscorp.com/?p=348</guid>
		<description><![CDATA[In recent weeks, there have been two bills introduced in Washington, D.C. that are attempting to set nationwide standards for the security and privacy of consumers’ personal information. The “Data Security and Breach Notification Act of 2010” was introduced by Senator Pryor (D-Arkansas) and Senator John Rockefeller (D-West Virginia) on August 5, 2010. The bill [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://blog.idexpertscorp.com/wp-content/uploads/2010/08/whereisthedata.png"><img class="alignleft size-full wp-image-349" title="whereisthedata" src="http://blog.idexpertscorp.com/wp-content/uploads/2010/08/whereisthedata.png" alt="" width="185" height="113" /></a></p>
<p>In recent weeks, there have been two bills introduced in Washington, D.C. that are attempting to set nationwide standards for the security and privacy of consumers’ personal information. The “Data Security and Breach Notification Act of 2010” was introduced by Senator Pryor (D-Arkansas) and Senator John Rockefeller (D-West Virginia) on August 5, 2010. The bill requires businesses and organizations that handle and store private consumer information, such as social security numbers, to use “reasonable security policies and procedures” to protect such information and to “provide nationwide notice in the event of a security breach.”</p>
<p>This act would require organizations to use appropriate security technologies and processes to safeguard the personal information of consumers. It would also require them to periodically assess their risk profile and take corrective actions in addressing security weaknesses. It also would require notification of consumers affected by a data security breach within 60 days of discovery. And for the first time, this bill would require that the organization provide the affected consumers with two years of credit reports, credit monitoring or “other service that enables consumers to detect the misuse of their personal information.”</p>
<p>Separately, Senator Carper (D-Delaware) and Senator Bennett (R-Utah) introduced the “Data Security Act of 2010” a few weeks earlier. This bill focuses on entities such as financial institutions, retailers, federal agencies that handle vast amounts of consumer data. Like the Pryor bill, it includes a requirement for notification of consumers when a data security breach occurs where there is a substantial risk to the consumer of identity theft or account fraud, but it does not prescribe that consumers be provided with free access to credit monitoring or other services to prevent or detect identity theft and fraud.</p>
<p>Today, there are data breach notification laws in 46 states, each with somewhat different and inconsistent provisions for notification of consumers. One of the intents of a national bill would be to eliminate these inconsistencies, ensuring that all consumers are treated fairly and consistently when affected by a data breach incident. This is likely to be controversial, however, in states like California and Massachusetts, which have enacted stricter regulations than either of these two bills for the privacy protection of their consumers.</p>
<p>Additionally, these bills are likely to have some of the same issues that currently exist with the HITECH Act, which provides for the security and privacy of protected health information (PHI). While the HITECH Act specifies notification of patients whenever a data breach occurs, the companion rules from the Department of Health and Human Services (specifically the Interim Final Rule) clarify that the provision for data breach notification applies only to cases where there is a &#8220;substantial risk of financial, reputational or other harm&#8221; to the affected consumers. While this may sound fairly logical, it has been met with resistance and disdain from consumer advocates.</p>
<p>The issue with establishing and regulating use of a “harm threshold” for data breach notification is in the details. First, can we assume that the organizations affected will carry out a proper risk assessment and come to a fair and accurate conclusion as to whether there is a risk of harm? Such a determination can cost them millions of dollars in data breach remediation costs alone, not even considering the less measurable costs such as customer churn and reputational damage, which are just as real. Such costs really could make it difficult for the same individuals that caused the data breach to admit that it could cause harm to the affected people.</p>
<p>Second, it has proven difficult to provide clear and objective guidance that would allow organizations to carry out a risk assessment to determine whether financial, reputational or other harm exists, when these factors are so subjective and quite open to interpretation and judgment. For example, if you were a patient at a hospital where you were admitted to have your appendix taken out, and the clinical records from this hospital were exposed, you may not consider the fact that everyone now knows that you are appendix-less as adverse to your reputation. On the other hand, if you were admitted for a procedure where it was necessary to do an analysis of your blood, and it was determined that you carry the AIDS virus, you may in this instance consider the exposure of this information as having a very negative impact on your reputation. This situation illustrates how the same type of exposure (personal medical records) can in some instances be rather benign and in others be quite acute.</p>
<p>If legislation requires notification based on an interpretation as to a risk of harm to the affected population, the government regulators should consider whether organizations should be put in the conflicted position of self-assessing such situations. They also should consider how to provide more specific and concrete means to measure the risk of harm to consumers.</p>
<p>I’m sure we haven’t seen the end of new bills in Congress focused on providing for a national approach to personal data privacy and security, and the associated requirements for notification in cases of a data breach. But it would be helpful to see additional thought going into the topic of how to assess whether a “data security incident” is in fact a “data security breach” for purposes of notification.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.idexpertscorp.com/2010/08/national-data-security-and-notification-legislation-underway/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Digital Health Increases Security Risks</title>
		<link>http://blog.idexpertscorp.com/2010/03/digital-health-increases-security-risks/</link>
		<comments>http://blog.idexpertscorp.com/2010/03/digital-health-increases-security-risks/#comments</comments>
		<pubDate>Thu, 25 Mar 2010 17:57:55 +0000</pubDate>
		<dc:creator>Doug Pollack</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[Medical Identity Theft]]></category>
		<category><![CDATA[electronic health records]]></category>
		<category><![CDATA[phi]]></category>
		<category><![CDATA[protected health information]]></category>

		<guid isPermaLink="false">http://blog.idexpertscorp.com/?p=303</guid>
		<description><![CDATA[Electronic Health Records (EHR) hold the promise of substantial benefits to patients. When shared among providers, they will assure that wherever you seek medical services that your doctor will have access to complete and accurate information on your medical history. The passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act earmarks [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://blog.idexpertscorp.com/wp-content/uploads/2010/01/images.jpeg"><img class="alignleft size-full wp-image-285" title="images" src="http://blog.idexpertscorp.com/wp-content/uploads/2010/01/images.jpeg" alt="" width="124" height="93" /></a>Electronic Health Records (EHR) hold the promise of substantial benefits to patients. When shared among providers, they will assure that wherever you seek medical services, your doctor will have access to complete and accurate information on your medical history.</p>
<p>The passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act earmarks over $19 billion in funds as incentives for healthcare providers to adopt EHR technologies. As these funds flow, the amount of medical data will grow exponentially into the petabytes over the next four years.</p>
<p>A recent article titled &#8220;<a href="http://www.businessweek.com/idg/2010-03-22/as-health-data-goes-digital-security-risks-grow.html" target="_blank">As health data goes digital, security risks grow</a>,&#8221; published in Computerworld and Business Week, highlights a significant issue with this trend: the security of your medical records is far from assured. It concludes that:</p>
<p>&#8220;Over the next four years, the amount of personal medical information online will increase exponentially, opening up new avenues for hackers to expose personal data that, unlike financial information, can result in a permanent violation of privacy.&#8221;</p>
<p>With the focus of healthcare providers being on securing HITECH stimulus funds for the implementation of EHR systems, there is the risk that the security systems and architecture for these systems, especially in areas of interchange with other entities, may increase the risk of exposure of patients&#8217; protected health information (PHI).</p>
<p>Dr. Taher Elgamal, who led the development of secure sockets layer (SSL network encryption) as the chief scientist at Netscape and is now the chief security officer at Axway, highlights that the current solution path for this issue, encryption of the PHI data, isn&#8217;t a silver bullet for assuring patient privacy.</p>
<p>&#8220;The fact that you did encryption doesn&#8217;t mean you&#8217;ve protected medical information, because access control is the real issue,&#8221; Elgamal said. &#8220;New cybercriminals do not do what the old cybercriminals did. They realize you&#8217;ll be encrypting the data and instead access the application and steal access rights.&#8221;</p>
<p>The implications of this for healthcare providers are significant. The financial and patient-benefit motivation associated with implementing EHR systems must be balanced by the security and privacy requirements, which now carry public and financial implications for non-compliance as well. It isn&#8217;t clear to me that most covered entities are appropriately balancing both sides of this equation.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.idexpertscorp.com/2010/03/digital-health-increases-security-risks/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Medical Identity Theft Risks</title>
		<link>http://blog.idexpertscorp.com/2009/11/medical-identity-theft-risks/</link>
		<comments>http://blog.idexpertscorp.com/2009/11/medical-identity-theft-risks/#comments</comments>
		<pubDate>Tue, 24 Nov 2009 17:54:58 +0000</pubDate>
		<dc:creator>Doug Pollack</dc:creator>
				<category><![CDATA[Medical Identity Theft]]></category>
		<category><![CDATA[aids]]></category>
		<category><![CDATA[ehr]]></category>
		<category><![CDATA[electronic health records]]></category>
		<category><![CDATA[giving blood]]></category>
		<category><![CDATA[red cross]]></category>

		<guid isPermaLink="false">http://blog.idexpertscorp.com/?p=214</guid>
		<description><![CDATA[It is unfortunate that while we have very clear rights to access and correct our financial records, we don&#8217;t have similar rights when it comes to our medical records. While this hasn&#8217;t been a high level concern for patients up until now, because the majority of fraud thus far has mostly impacted the healthcare insurers, [...]]]></description>
			<content:encoded><![CDATA[<p>It is unfortunate that while we have very clear rights to access and correct our financial records, we don&#8217;t have similar rights when it comes to our medical records. While this hasn&#8217;t been a high-level concern for patients up until now, because the majority of fraud thus far has mostly impacted the healthcare insurers, the implications for all of us are getting more and more serious.</p>
<p>This segment describes a situation where a young woman&#8217;s social security number, on file at the Red Cross, became associated with a patient who had AIDS and who had visited a clinic in another state years ago. It illustrates the difficulty that one has in correcting such issues with our medical identities.</p>
<p><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="320" height="264" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowScriptAccess" value="always" /><param name="wmode" value="transparent" /><param name="AllowFullScreen" value="true" /><param name="src" value="http://www.katu.com/v/?i=72121727" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="320" height="264" src="http://www.katu.com/v/?i=72121727" allowfullscreen="true" wmode="transparent" allowscriptaccess="always"></embed></object></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.idexpertscorp.com/2009/11/medical-identity-theft-risks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
