Monday, February 9, 2015

Why is Healthcare on the Internet?

The Anthem Blue Cross case is so big that we have to wonder why this much information of such a sensitive nature is accessible from the Internet. There are some who believe the Internet is neutral and should be shared by almost anybody who can afford a connection. This line of thinking assumes the Internet is good for anyone who uses it.

There has always been a principle of security that says the more open an industry is, the more accessible it is both to its users and to the criminal elements that prey on it. Changes to healthcare have pushed more doctors' offices onto the Internet. Our records are automated, and those doctors expect to be able to e-mail us with test results or questions about drug prescriptions. At the same time, this Administration wants to regulate the Internet as if it were a public utility. I think this approach needs to consider that the Internet is not a safe place to put certain types of data. There are no policies that mandate the kind of security that would be necessary to put such data there safely.

A case in point is encryption at rest.  The existing standards of healthcare do not require encryption at rest for medical data, but they do require "protection" for it.  This is government policy similar to what is required for unclassified information belonging to the government.  I worked for a company that used to send unencrypted data that belonged to the government over long-haul communications.  We pointed out to them that this kind of data had to be protected, but they said it was protected with passwords and intrusion monitoring.   They knew better, of course, but they did it anyway and nobody in government challenged them.  Besides, they said, it cost too much to encrypt data.  This same logic entered into the protection of privacy information on Anthem's systems.  

Like the credit and debit card systems, encryption is essential to protecting data from thieves. We know there are millions of them on the Internet, so we need to protect that data from people who would steal it. This is not something new; they have been stealing data for 20 years or more, and those managers have been making the same kinds of decisions about protecting it. There is no penalty for taking risks with someone else's data that a business maintains. We should ask HHS why they don't have a requirement for data encryption and, if they did, what penalty and enforcement mechanisms would oversee it. Not only do managers make dubious risk decisions, but the government has no oversight of the protection of this type of data. We used to have an Industrial Security program that had oversight of some types of classified data. Contractors could have their contracts stopped if that data wasn't protected properly. We don't even do that anymore.
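The distinction the two preceding paragraphs draw, between data that is "protected with passwords and intrusion monitoring" and data that is actually encrypted at rest, is easiest to see in code. The following Go program is an added example; it is not code from this post, from Anthem, or from any HHS guidance. The member field, the row identifier used as associated data, and the key handling are all constructed for illustration. It uses AES-256-GCM from Go's standard library to seal a field so that a copied database file yields no plaintext, and so that a blob edited on disk or moved to another row is rejected on decryption.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SealRecord encrypts one record field with AES-256-GCM. The random nonce is
// prepended to the ciphertext so the caller stores a single blob. The aad
// (here a constructed row identifier) is authenticated but not encrypted, so a
// blob copied into another row, or edited on disk, fails to decrypt.
func SealRecord(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenRecord reverses SealRecord and returns an error on any tampering,
// including a wrong key or a mismatched row identifier.
func OpenRecord(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// ExposesField reports whether a stored blob still contains the field verbatim,
// which is what password-only or monitoring-only "protection" leaves behind
// once the database file itself has been copied off the server.
func ExposesField(stored []byte, field string) bool {
	return bytes.Contains(stored, []byte(field))
}

func main() {
	// Constructed sample: one member's SSN stored two ways.
	ssn := "123-45-6789"
	key := make([]byte, 32) // in practice from a KMS or HSM, never stored beside the data
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	rowID := []byte("members/row-1") // constructed row identifier used as aad

	plainStore := []byte(ssn) // "protected" only by the server's login password
	sealed, err := SealRecord(key, []byte(ssn), rowID)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext store exposes SSN:", ExposesField(plainStore, ssn)) // true
	fmt.Println("encrypted store exposes SSN:", ExposesField(sealed, ssn))    // false

	// Relocating the blob to another row is detected, not silently accepted.
	if _, err := OpenRecord(key, sealed, []byte("members/row-2")); err != nil {
		fmt.Println("blob moved to another row rejected:", err)
	}
}
```

The part that costs money, and that the managers in the post were avoiding, is not the cipher call but the key management: the key has to live somewhere the database server's password does not unlock, or the copied file and the copied key leave together.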

We can imagine that HHS has no oversight over how doctors protect our data, either privacy data or medical records.  They don't police themselves.  
