Does it really matter if someone steals your healthcare records? What would a hacker do with that information? Sell it? To whom and for what purpose?
As a victim of the Anthem attack, I asked myself those questions.
If you’re a generally healthy individual, who has no aspirations of holding public office, you might not get too animated about your records being exposed. Perhaps even less so if we are to believe that the Chinese are at the heart of the breach, with the supposed motive of gaining espionage leverage over those with high-level clearances – something few of us have. And besides, we get two years of free credit monitoring – I’m sure the attackers will forget our information by then right?
What the data tells us
The truth is that this information matters, and not just from a privacy perspective, which let’s face it, not as many people value all that much in a social-media dominated world.
Medical records can be worth as much as 10 times more than credit card numbers on the black market. Attackers are using the information to buy medical equipment or drugs that can be resold or to file fraudulent claims with insurers. Individuals are unlikely to be liable for such fraud, but may very well face the same frustrations that other victims of identity theft have when cleaning up the mess left behind, particularly when dealing with debt collectors. And, ultimately insurers pass on the costs of fraud to consumers.
This is even more concerning given these statistics from the past year:
• Security incidents have soared 60% in healthcare.
• The cost of a security breach leapt 282% in healthcare.1
• According to the sixth annual HIMSS Security Survey, 25% of respondents reported having either a case of medical identity theft or a security breach.
• In US healthcare, insider threat is motivated by workers snooping on relatives/friends (80%), financial identity theft (66%), and identity theft (51%).2
• 60% of US healthcare organizations do not have two-factor authentication implemented. (6th Annual HIMSS Security Survey)2
• The healthcare industry cites access control and identity management for end users as their top challenge.1
What this information tells us is that the healthcare industry as a whole is not taking the threat seriously enough, or if they believe they are, the data indicates that their current strategy is still lacking.
Healthcare security in transition
Healthcare security is in a unique period of transition. Sure, other industries are also regulated, are under attack for sensitive information and use lots of contractors. But the IT revolution in healthcare, driven by regulations that require electronic health records and remote services, is finally forcing healthcare into the 21st century.
Healthcare facilities traditionally have chosen to invest in new medical devices and services over IT, and in particular, over investing in IT security. But now regulations have penalties with teeth.
HIPAA’s final rules issued in January 2013, for example, maxes out at $1.5M per calendar year in fines and potential jail time even for unknowingly violating the act. Besides the hard cost of non-compliance, as we see from the statistics above, there is a cost to reacting to security breaches that is growing for providers, not just consumers.
The news isn’t all bad, though. As healthcare awakens to the real investment needed in IT security, there are now also unique benefits that can be achieved.
Balancing healthcare security with convenience
In healthcare, professionals can serve multiple roles. Picture a registered nurse who works in one building of a modern hospital complex, who also works as a manager in another building. When it comes to patient records, access must be authenticated, but if we can recognize the location of that professional and apply contextual-based roles at the time of authentication, then we have made that worker’s job easier and, for the patient, improved care.
Fortunately, this would also address the recent HIMSS Security Survey concern that access control and identity management for end users is the top challenge in healthcare. If a balance can be struck between spending on security and giving users more convenient access, then perhaps the path towards more secure healthcare information has a faster way forward.
If a healthcare organization is waiting until the security pain is acute enough to invest in the prescription, then know that healthcare security definitely matters. It will matter, even more so, when our kids start getting calls from aggressive bill collectors for false claims. And it would be great if you secured our very private and personal data so we don’t have to imagine what Beijing bureaucrats think of our medical history too.
1 The Global State of Information Security Survey 2015, a worldwide study by PwC, CIO, and CSO
