Apr. 11th, 2023

Facts of the case:

I examined the case of three data breaches involving Advocate Health Care Network. These breaches occurred from July to November 2013. These breaches affected millions of patients and resulted in Advocate being fined $5.5 million for failing to implement adequate security controls. This incident was one of the largest HIPAA violations in US history.

Analysis:

1.)     Was this fine excessive, too small, or just right?

Answer:

I tend to view this fine as just right. The scope of these breaches was enormous and justified a severe penalty while also setting an example to other healthcare providers. I think it's also important that it not be so severe that it risks destroying a company.

2.)     Since there was a pattern of negligence with patient data, should there have been additional punishments? If so, what?

Answer:

I felt there should be some requirement to demonstrate adequate security controls to DHHS. I think it would be good if they had to prove that they were adequately protecting patient data, or they could face additional fines. This shouldn't be indefinite but should last for some extended period of time, essentially a kind of probation for the company.

3.)     What are the downsides of doing so much to protect patient privacy?

Answer:

I think there may be some downside due to reduced efficiency. This has always been an issue with regulation in that it protects people while imposing costs on productive activity. Protected medical data could also be very useful for medical research so society is probably losing out on scientific research by protecting patient data so thoroughly. People may justifiably want their privacy protected but this always comes with costs.

4.)     Advocate failed to implement basic security practices like physical controls, access control, and encryption. Should healthcare providers be required by law to have some sort of cybersecurity professional be on their staff to prevent these kinds of mistakes?

Answer:

I think this would probably be a good idea. Regular, required cybersecurity audits could probably prevent a lot of incidents like these from occurring.


My conclusions:

In conclusion, I think the penalties for Advocate were justified due to the scope of the HIPAA violation and their failure to take reasonable precautions to prevent it. In order to prevent future breaches, I think healthcare providers should be required to regularly perform security audits.


Future environment:

If AI continues to develop as it has been recently, then it should eventually be possible to use AI for medical services. I imagine that utilization of "AI doctors" might be higher than regular doctors because the marginal cost to employ them would be so much less. Medical data from previous sessions could be stored on the cloud and accessed automatically by the system between visits. The AI system could even order tests or lab work to be done based on the medical visit. There is currently a shortage of doctors, especially PCPs, and this might also help alleviate that shortage.

Future scenario:

If AI doctors are implemented, then HIPAA will likely have to be extended to ensure the AI adequately protects patient privacy. If the medical data is handled in an automated manner, then this might leave fewer opportunities for security breaches if humans are not involved. However, vulnerabilities not involving humans would obviously still be something to be concerned about.
