Sophos, the renowned security firm, recently reported in its survey of data encryption: “The Sophos survey of IT decision makers in six countries reveals that there are some misconceptions about encryption, and some disconnects between what companies say they are concerned about – and what they’re doing about it.”

The article does not actually discuss those misconceptions, but it should! Probably the biggest misconception is that your data is safe from hackers once you adopt an encryption technology.

In further analysis of the Sophos survey for Healthcare firms, Sara Heath writes:

Those organizations that do not encrypt their data – and even some that do – are seeing some gaps in data protection. Nearly one-quarter of customer information and customer financial information falls through the encryption cracks, leaving it liable to a data breach.

This is especially alarming when put into the context of the healthcare industry. Because patients are the customers in the healthcare industry, it is important that all of their PHI be fully protected via encryption to keep that valuable information from falling into malicious hands.

While encryption is great and everybody seems to be advocating it, does it really thwart a determined hacker?

Malicious hackers routinely steal information from private databases. It is a widespread fallacy that encrypting the data in these databases makes it safe. Regulators, compliance authorities and industry standards insist on encrypting sensitive information such as SSNs, credit card numbers, and health information.

However, unless the encryption is one-way – once encrypted, the data can no longer be recovered – encrypted data used by database-backed websites is usually as insecure as unencrypted data.

The encrypted data, to be usable, is obviously decrypted by some applications and processes within the system or on the network. Those applications and processes need to access the sensitive data, usually quite frequently, and therefore have access to the decryption keys. The decryption keys are made available to these applications by trusting their user-id, their process filename, the computer’s IP address, or a similar factor.

To understand why data encryption might provide a false sense of comfort, let us make some rather formidable assumptions against our adversary, the hacker.

Let us assume that:
(a) the application logs are encrypted
(b) the application is encrypting its “heap” memory
(c) the application is enforcing data privacy in its interfaces to other components
(d) the decryption keys are stored in an ultra-secure (digital) vault

These assumptions are very hard to implement correctly. But let’s assume that they are true.

The fact that a hacker is able to access data in a database, even in encrypted form, clearly indicates that the hacker has breached the various security perimeters and gained unauthorized access to an internal system. In the normal course of events, the hacker should not have been able to access the raw database at all. Once the hacker is inside the network and has been able to access the database, it is a fair assumption that the hacker is able to assume the identity of the application or of the web server itself. In fact, once inside a system, it is not that hard for a hacker to become the superuser of that system and then masquerade as any specific user.

Once that happens, all bets are off. If the hacker’s access to the database cannot be distinguished from the application’s access, encryption does not help at all. Once a hacker is inside your network and is able to access your encrypted data, it is usually only a matter of time before he figures out how to access the required keys, and then to decrypt the data.
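To make the argument concrete, here is an added example (not code from the post, Sophos or Schneier): a hypothetical AppServer keeps its key in its own configuration because it must decrypt on every request, so an intruder who can act as that application recovers the records exactly as the application does; the SHA-256 counter-mode cipher is an assumed toy stand-in for a real cipher, and the one-way column illustrates the post's exception.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream: SHA-256 over key||nonce||counter. Assumed stand-in for a real
    # AEAD such as AES-GCM; the point here is where the key lives, not the cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def one_way(value: bytes, salt: bytes = b"") -> bytes:
    # The post's "one-way" case: a salted PBKDF2 digest that supports equality
    # checks (does this SSN match a record?) but cannot be turned back into the SSN.
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", value, salt, 100_000)


def one_way_matches(stored: bytes, candidate: bytes) -> bool:
    return hmac.compare_digest(stored, one_way(candidate, stored[:16]))


@dataclass
class AppServer:
    """Hypothetical web application: it must hold the key to serve requests,
    so the key sits on the same host as the encrypted records."""
    key: bytes
    db: list = field(default_factory=list)

    def store(self, ssn: bytes) -> None:
        self.db.append({"ssn_enc": encrypt(self.key, ssn), "ssn_hash": one_way(ssn)})

    def read_ssn(self, i: int) -> bytes:
        return decrypt(self.key, self.db[i]["ssn_enc"])


def hacker_as_application(app: AppServer, guess: bytes) -> dict:
    """Models the post's scenario: an intruder who can act as the application
    has whatever the application has, including the key."""
    recovered = [decrypt(app.key, r["ssn_enc"]) for r in app.db]
    # The one-way column cannot be reversed even with full host access; the intruder
    # can only confirm a guess. Low-entropy values such as SSNs are guessable, which
    # is why the post's remedy is access control and monitoring, not encryption alone.
    confirmed = one_way_matches(app.db[0]["ssn_hash"], guess)
    return {"recovered": recovered, "guess_confirmed": confirmed}
```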

Bruce Schneier, the famous crypto-expert, highlighted this way back in a blog article from 2010:

Let’s take a concrete example: credit card databases associated with websites. Those databases are not encrypted because it doesn’t make any sense. The whole point of storing credit card numbers on a website is so it’s accessible — so each time I buy something, I don’t have to type it in again. The website needs to dynamically query the database and retrieve the numbers, millions of times a day. If the database were encrypted, the website would need the key. But if the key were on the same network as the data, what would be the point of encrypting it? Access to the website equals access to the database in either case. Security is achieved by good access control on the website and database, not by encrypting the data.

We reiterate the last sentence: Security is achieved by good access control on the website and database, not by encrypting the data.

To be sure, encryption is useful for carrying around sensitive information. But for data “at rest”, mere encryption offers but an illusion of safety.

The uninsured percentage of the US population is at an all-time low of 13.4 percent from the 18 percent before the Affordable Care Act was rolled out. Approximately 15 million people who did not have health coverage before Obamacare enrolled in a health insurance plan under this new law without any discrimination on the basis of pre-existing medical conditions. The ACA also served as a catalyst for 6 million people who were deemed eligible for expanded Medicaid coverage. The newly eligible applied for Medicaid, but were left in a lurch when their applications went into a pending status. Nearly 1.7 million applications are in backlog, and people are waiting to get through the system.

As the second enrollment period nears, the Medicaid department is already stretched thin for resources, and they will soon have work around eligibility determinations, complicated application hurdles and drying up state funds in a smaller time window. However, the administration is trying to best these challenges. Here are some strategies the Medicaid directors are putting together to sail through these troubled waters.

1)  Setting Up Dedicated Centers for Customer Help – The first enrollment period saw customers flocking to navigators and exchange authorities for help. People consulted the official healthcare.gov centers for all questions and troubles they were facing while enrolling. A similar trend manifested for Medicaid: people were quick to call to check on applications and inquire about their status. In the second enrollment, Medicaid coverage will reach out to people who did not get covered in the first period, and that means more questions and more queries that are community specific. Since there will be no additional resources, the call volume per navigator will be high, and the navigators need to be ready. Further, since special communities will be the central theme this year, navigators with a primary language other than English will be preferred. In-depth training for these navigators is already underway and will help educate representatives on the most commonly asked questions and the typical challenges their callers might face in the second enrollment period.

2)  Dedicated Backlog Management – Other than gearing up for new applications, a dedicated backlog management process is in the works for handling the Medicaid applications currently stuck in the system. Most of these applications are the ones which require eligibility redetermination, and that requires a complete pass of the application through the system. In order to clear these backlogs, an escalation system is being created that will separate complex applications from the simpler ones and allow the simpler ones to go through smoothly. This escalation system will weigh each application on the basis of complexity and decide whether to pass it through or take it to the next level.

3)  New Application Handling – With the above escalation system, the administration plans to speed up new application handling. Other than the escalation system, the newer applications will also go through a decentralized enrollment system. The decentralized enrollment system will rely on district and county offices to process eligibility. For counties and districts where the pressure of applications is too much, a central system will be established that will help ease off the load. A review of the implemented improvements will ease out bottlenecks and control the risks of the system.

Due to mounting pressure and only a short time left before the second enrollment, the administration will have to implement these strategies as soon as possible. While contact centers are already making progress on training and implementation, backlog clearance and new application handling are far from satisfactory. If the administration is able to streamline these issues before November 15th, the going will be smooth; otherwise, the Medicaid enrollments could turn out to be a bigger challenge than the government had expected.

A hacking incident (or rather, a five-year-long breach) at Community Health Systems, disclosed in August 2014, is believed to have resulted in the leakage of 4.5 million health records. Why on earth, one might be excused for asking, would someone steal health records?

Privacy

Let us first clarify the simpler matter that medical records are certainly worth protecting. They contain private information about an individual. Though most medical conditions say nothing about someone’s character or personality traits, there are still good reasons to want to keep one’s medical history private. One may not want the world to know that one suffers from irritable bowel syndrome, or that one has suffered a few miscarriages, or even that one has had LASIK done to correct one’s eyesight. You feel comfortable telling all to your doctor because you are assured that that information will be held in confidence.

Most people feel slightly embarrassed about having to explain an ailment to their doctors.   Imagine how much harder it would be for them if they knew that the doctor was going to put all that information in the public domain!

Other than privacy, is there any other reason to keep medical records secret?  Other than gossip and ridicule, what else does one have to fear?

Security

A lot, as it turns out.

The business of healthcare has become extremely complicated in the 20th and 21st centuries.  We have transitioned from a close relationship with the town or village doctor to a network of clinics, hospitals, providers, specialists, laboratories, pharmacies, medical device manufacturers and vendors, insurance carriers, government subsidies, medical tourism destinations, and so on.  It is all a rather dizzying array of complexity.

These entities exchange medical and payment information.  Usually, but not always, the payment is released by an insurance carrier.  In some cases, the payment might also be requested from an employer or the government.  It is quite difficult to impersonate someone to their employer, but most dealings with the government or with a large insurance provider are faceless.  All that matters in these interactions is whether one knows some important identifying numbers.

It is those numbers, and the history of one’s health conditions, which can enable hackers and thieves to fraudulently bill on your behalf. Let us say a hacker knows that you are suffering from mild hearing loss. The hacker might order a $20,000 hearing aid, bill your insurance carrier for it, and then sell it on the black market. He might even be willing to make the co-payment. Or, let’s assume a hacker figures out that you have Coronary Artery Disease (CAD), which might benefit from angioplasty. What is to stop a hacker from creating the records of an imaginary angioplasty at, say, an “out-of-network” clinic (perhaps in another country) and billing your insurance carrier for hundreds of thousands of dollars?

To be sure, most medical histories do not lend themselves easily to lucrative exploitation.  Hence, it is very rare (unheard of, actually) that hackers will specifically target someone’s medical records.  Usually hackers attack a whole system and steal thousands or millions of records.  Then these are sold in bulk to specialized gangs which then sift through the information looking for opportunities.

“Ask for his ID!”

Shouldn’t it be required for the paying entities to authenticate the bill and the patient? Well, they do. But in today’s world, information is identity. If you know enough about someone, you can, for all intents and purposes, become that person. Their date of birth, their family history, their physical characteristics, even their biometric parameters (fingerprints, etc.) can be transmitted in such a way that there is no cause for suspicion that the transmitter is anyone other than who he says he is.

Banks and credit card companies have elaborate algorithms to detect when a transaction does not fit the pattern.  Unfortunately, health providers and insurance companies have not yet invested in such technologies.  And given the vast complexity of the human body, and the close relationship ill health has with suffering, it is doubtful if suspicion at a new symptom or a treatment is going to be welcomed by patients.  Such algorithms (at banks) fail, for example, when somebody suddenly has to travel to a location far from one’s normal place of business.

Healthcare is already riddled with too much paperwork.  And unlike financial transactions, health paperwork (e.g. diagnostic information) can be astoundingly varied and immune to simple algorithms.  To automatically scan all this complex data to detect fraudulent activity is not a simple project.

Therefore, the need is to protect the data in the first place. If the data does not get into the wrong hands, hopefully we can prevent fraudulent billing. Also, unlike financial information such as credit card numbers, which can be cancelled and reissued, stolen medical records remain valid indefinitely. Their protection is therefore even more important.

As the Affordable Care Act goes into the waning days of its second open enrollment, the pressure is building on the U.S. healthcare system. More people have health insurance than ever, and this number is expected to continue to increase in the coming few months. In fact, for the 6.7 million people who purchased health insurance in the first enrollment period, finding a primary care physician is getting difficult. Simply put, there are not enough primary care doctors to support the increasing number of people with health insurance.

As many as 81 percent of doctors reported that they are either working at full capacity or extended beyond their capacity. In addition, 44 percent of the doctors surveyed are considering cutting back on the number of patients they see in a month. Some doctors even talked about closing their doors to new patients, working part time or retiring altogether. The survey definitely reveals the additional pressure mounted on physicians with newly insured looking to find doctors.

Health plans, on the other hand, are more concerned about the rising competition in this new market, prompting them to cut the number of doctors in their networks to curtail costs. This creates a roadblock of sorts for patients, who are faced with either waiting for an extended period of time to get an appointment or incurring additional out-of-pocket costs by seeing a doctor that is outside of the network.

With this primary care doctor shortage, the Obama Administration’s original purpose of connecting the uninsured to affordable, fully covered primary care is falling short. Nearly 20 percent of Americans are living in an area with a shortage of primary care physicians, and the supply of doctors isn’t enough to meet the demand. This supply-demand gap is expected to increase further, with nearly 66,000 additional doctors needed to fill this gap by 2016. Another major reason for this gap is that medical students are moving toward higher-paying specialty areas instead of primary care. Fortunately, so far patients have been receiving the care they need by driving farther out of their area, spending more time waiting for care, or settling for a nurse practitioner or an assistant instead of the doctor.

Naturally, this perennial challenge needs a resounding, permanent answer that can curtail this widening gap between primary care doctor supply and demand. One way is to ensure that more primary care physicians are available for the masses. The American Academy of Family Physicians has more than 115,000 member doctors, and it is constantly working to add new physicians, train nurse practitioners and assistants, and expand their schedules by accepting patients in evenings and on weekends. Also, patients can utilize the second open enrollment to look for better health plans that give them a shot at easier access to doctors.

2014 is out of the way and tax season has gripped the country. This time, however, Americans have a new tax filing aspect to consider – the Affordable Care Act. This is the first year in which the law requires everyone to have health insurance at the time of tax filing, unless they are exempt from the requirement. For most people, proving they have health insurance will be as simple as checking a box on the tax return, while others might have to show the proof that guarantees exemption from the law. In any case, this year’s tax filing requirement will be slightly different from last year, and this is what it will look like.

Non-citizens are three times more likely to be uninsured than U.S. residents. With nearly 10 million legal immigrants living in the country, the high percentage of uninsured among them means a bigger target for Obamacare. During rollout last year, the Obama administration was extremely concerned about the health insurance status of this section, and implemented some methods to make sure that sufficient enrollments came through immigrants. As per the Affordable Care Act, legal immigrants are mandated to get health insurance under the Obamacare marketplaces or face tax penalties for non-compliance. Although enrollments have come through, the majority of immigrants have no idea of how their health insurance works, and how they are supposed to make use of it.

Out of the states that adopted Obamacare from the start and chose to establish their own state-based health insurance exchanges, Colorado was one of the forerunners. The Centennial State was already making strong progress in healthcare and reforms, and took up Obamacare to further its position as one of the leaders in healthcare.

Other than taking the lead to establish a state exchange, Colorado also participated in the Medicaid expansion to cover people up to 133 percent of federal poverty line. Currently, available numbers show that Colorado has made strong progress on reducing the number of uninsured in the state. The state has cut the number of uninsured by 6 percentage points since 2013.

The healthcare sector has taken on the mantle of a rescuer over the last few years, when unemployment reared its ugly head. The healthcare sector has been one of the bright spots, adding jobs to the economy when other sectors, such as construction and manufacturing, were forced to lay off workers while struggling to make ends meet in a harsh economy. Unfortunately, the rules of the game have changed, and healthcare has suddenly lost its potency in job growth. Over the last year, the healthcare sector has been lagging behind with only a 1.4 percent annual hiring rate in 2014, and the Affordable Care Act could be the key reason behind this lag.

With the first enrollment period over, Obamacare has received more than 10 million applications through public and private exchanges for qualified health plans. People who were unable to afford insurance before PPACA finally got a chance to purchase better health insurance through subsidies and expanded Medicaid coverage. However, some unprecedented challenges are surfacing after such a good run of enrollments – some of the insured do not have the same wide network of hospitals and doctors to support them, and several are unable to find the right combination of doctors and hospitals in their covered network.

December was, without a doubt, the most positive month for the troubled healthcare.gov and Obamacare in general. Compared to October and November, December saw favorable momentum toward the Affordable Care Act (ACA), aka Obamacare.

From a neutral perspective, there were three major developments that changed the public’s opinion – improved website, relief for canceled policies, and an extension on enrollment period. Let’s dissect these developments in detail.