
Why Healthcare Security Matters

Does it really matter if someone steals your healthcare records? What would a hacker do with that information? Sell it? To whom and for what purpose?

As a victim of the Anthem attack, I asked myself those questions.

If you’re a generally healthy individual who has no aspirations of holding public office, you might not get too animated about your records being exposed. Perhaps even less so if we are to believe that the Chinese are at the heart of the breach, with the supposed motive of gaining espionage leverage over those with high-level clearances – something few of us have. And besides, we get two years of free credit monitoring – I’m sure the attackers will forget our information by then, right?

What the data tells us

The truth is that this information matters, and not just from a privacy perspective, which, let’s face it, not many people value all that much in a social-media dominated world.

Medical records can be worth as much as 10 times more than credit card numbers on the black market. Attackers are using the information to buy medical equipment or drugs that can be resold or to file fraudulent claims with insurers. Individuals are unlikely to be liable for such fraud, but may very well face the same frustrations that other victims of identity theft have when cleaning up the mess left behind, particularly when dealing with debt collectors. And, ultimately insurers pass on the costs of fraud to consumers.

This is even more concerning given these statistics from the past year:

• Security incidents have soared 60% in healthcare.

• The cost of a security breach leapt 282% in healthcare. [1]

• According to the sixth annual HIMSS Security Survey, 25% of respondents reported having either a case of medical identity theft or a security breach.

• In US healthcare, insider threat is motivated by workers snooping on relatives/friends (80%), financial identity theft (66%), and identity theft (51%). [2]

• 60% of US healthcare organizations do not have two-factor authentication implemented. (6th Annual HIMSS Security Survey) [2]

• The healthcare industry cites access control and identity management for end users as their top challenge. [1]

What this information tells us is that the healthcare industry as a whole is not taking the threat seriously enough, or if they believe they are, the data indicates that their current strategy is still lacking.

Healthcare security in transition

Healthcare security is in a unique period of transition. Sure, other industries are also regulated, are under attack for sensitive information and use lots of contractors. But the IT revolution in healthcare, driven by regulations that require electronic health records and remote services, is finally forcing healthcare into the 21st century.

Healthcare facilities traditionally have chosen to invest in new medical devices and services over IT, and in particular, over investing in IT security. But now regulations have penalties with teeth.

HIPAA’s final rules, issued in January 2013, for example, max out at $1.5M per calendar year in fines and potential jail time even for unknowingly violating the act. Besides the hard cost of non-compliance, as we see from the statistics above, there is a cost to reacting to security breaches that is growing for providers, not just consumers.

The news isn’t all bad, though. As healthcare awakens to the real investment needed in IT security, there are now also unique benefits that can be achieved.

Balancing healthcare security with convenience

In healthcare, professionals can serve multiple roles. Picture a registered nurse who works in one building of a modern hospital complex and who also works as a manager in another building. When it comes to patient records, access must be authenticated, but if we can recognize the location of that professional and apply context-based roles at the time of authentication, then we have made that worker’s job easier and, for the patient, improved care.
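A sketch of the location-aware role selection described above, added here as an illustration and not taken from the article or any product. The user ID, building names, network ranges, role names and permissions are constructed sample data, and source IP stands in for whatever location signal a real deployment trusts.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data (assumptions, not from the article).
BUILDING_NETWORKS = {
    "building-a": ipaddress.ip_network("10.10.0.0/16"),
    "building-b": ipaddress.ip_network("10.20.0.0/16"),
}
# Roles are bound to a location, so one person holds a different role per building.
ROLE_BINDINGS = {
    "rn-jdoe": {"building-a": "registered_nurse", "building-b": "unit_manager"},
}
ROLE_PERMISSIONS = {
    "registered_nurse": {"chart:read", "chart:write", "meds:administer"},
    "unit_manager": {"schedule:read", "schedule:write", "chart:read"},
}

@dataclass(frozen=True)
class Session:
    user: str
    location: str
    role: str
    permissions: frozenset

def locate(source_ip):
    """Map a source address to a building; unknown or malformed input yields None."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return None
    for building, net in BUILDING_NETWORKS.items():
        if addr in net:
            return building
    return None

def open_session(user, source_ip, credentials_ok):
    """Return a Session scoped to the single role bound to this location.

    Fails closed: bad credentials, an unrecognized location, or no role
    binding for that location all return None instead of a default role.
    """
    if not credentials_ok:
        return None
    location = locate(source_ip)
    role = ROLE_BINDINGS.get(user, {}).get(location)
    if role is None:
        return None
    return Session(user, location, role, frozenset(ROLE_PERMISSIONS[role]))

def is_allowed(session, permission):
    """Check a permission against the session's location-scoped role only."""
    return session is not None and permission in session.permissions
```

The session carries only the permissions of the role active at that location, so the manager role in one building never inherits the nurse's chart-write or medication rights from the other.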

Fortunately, this would also address the recent HIMSS Security Survey concern that access control and identity management for end users is the top challenge in healthcare. If a balance can be struck between spending on security and giving users more convenient access, then perhaps the path towards more secure healthcare information has a faster way forward.

If a healthcare organization is waiting until the security pain is acute enough to invest in the prescription, then know that healthcare security definitely matters. It will matter, even more so, when our kids start getting calls from aggressive bill collectors for false claims. And it would be great if you secured our very private and personal data so we don’t have to imagine what Beijing bureaucrats think of our medical history too.

[1] The Global State of Information Security Survey 2015, a worldwide study by PwC, CIO, and CSO

[2] 6th Annual HIMSS Security Survey
