In June, three researchers from the Harvard School of Public Health wrote a blog post for Project HOPE 's Health Affairs about the newly formed Independent Payment Advisory Board (IPAB), "an expert body charged with trimming Medicare costs and improving the quality of health care." In the post , the authors use controversy around the IPAB as an example of "a larger philosophical debate about the appropriate role of science and evidence in government decisionmaking."
If the ACA goes into effect as currently written, the IPAB will make choices about how to trim Medicare costs and improve the quality of health care. Decisions made by the panel will directly affect certain segments of the population, and experts will need to maintain public trust and support.
The panel will begin its deliberations in a climate where two-thirds of Americans (67 percent) already believe that the government and private insurance plans withhold high-cost prescription drugs and treatments very or somewhat often from some people who might benefit from them in order to save money. In addition, about six in ten Americans (61 percent) say they do not trust the federal government to make the right health care decisions.
The authors conclude that the initial decisions made by this board could determine its fate as a politically and publicly popular decisionmaking institution.
Everyone worries about companies losing their customers’ data. Consumers are upset when their private data is exposed, and rightly so. Firms fret about the potential legal consequences and costs of security breaches, which on average decrease their market capitalization by 2.1%. Policymakers feel they should do something to limit this market failure, but what? One solution that looks like a one-size-fits-all easy fix is encrypting consumer data. In theory, encryption should be foolproof because it means data cannot be read without an encryption key. Many laws currently offer firms “carrots” to use encryption. For example, firms do not have to send out costly notifications to consumers about lost data if the lost data was encrypted. My research ( also found on SSRN ) with Amalia Miller of the University of Virginia and RAND investigates how effective encryption regulation has been in reducing the risk of data breach. We focus on healthcare because there is data on encryption software adoption and publicized data breaches in that sector, and because medical data is especially personal. Surprisingly, we find empirical evidence that when hospitals adopt encryption software, it does not reduce instances of publicized data loss. Instead, adopting encryption software makes publicized data losses more likely, particularly instances of data loss due to negligence or internal fraud. The result is a moral hazard : firms using encryption software are more careless about controlling internal access to encrypted data and their employees are more careless about computer equipment containing encrypted data. Losing a computer with encrypted data might matter a lot, especially since employees often keep the key with the encrypted data or lose the password, compromising the encryption. We therefore recommend that encryption software is not the answer when it is the only security measure a firm takes. Instead, firms should use a broad set of practices, including training and awareness programs, manual procedures and controls, and strong identity and access-management deployments. The fact that encryption software adoption is associated with an increase in fraud may suggest that firms relying on encryption software often do not also deploy effective data access controls. Our findings matter for policymakers because safe harbors for companies that encrypt their data are at the heart of the recently proposed federal bills governing the security of data. Encryption only works as well as the firm's ability to protect the password or key. By promoting this seemingly easy technological solution in isolation, while failing to promote additional human-based processes that complement encryption's effectiveness, giving a safe harbor to encrypted data may not have the intended effect. posted by Catherine Tucker , Douglas Drane Career Development Professor in IT and Management and Associate Professor of Marketing at MIT Sloan School of Management
