
Why Healthcare Records Are a Hacker’s Holy Grail

September 25, 2012


A recent Ponemon Institute survey reported that while the cost of data breaches is trending downward, this does not apply to stolen healthcare information. In fact, the World Privacy Forum found that the demand for medical history and identifiable information in healthcare far outstrips that in other industries.

For example, a stolen medical ID number and record currently sells on the black market for $50 vs. a stolen credit card number which is only worth $1. Healthcare fraud or medical identity theft puts both individuals and healthcare organizations at huge risk. A 2011 study on patient data privacy and security by the Ponemon Institute estimates the annual economic impact of medical identity theft to be $30.9 billion. So why has medical information become so valuable?

Let’s start with personal risk. Say your credit card or bank card is compromised – while a hassle, the risk is contained. A few phone calls to the business or financial institution to cancel any fraudulent charges and issue a new card generally clear up any potential problems. In fact, fraud monitoring and data protection have now become mainstream services at most financial institutions.

A stolen health record, on the other hand, contains a lot more and the theft is difficult to detect: birthdates, social security information, maiden names, transactional history and, of course, detailed medical history. Most of this information is stored in the back-office applications of healthcare IT across a complex network of players – insurance payment systems, hospital admit and discharge applications, medical laboratories of various types, and, of course, both the paper and electronic files of your primary care physician and specialists.

This complex relational view of data is a treasure trove to hackers looking to perpetrate medical identity theft for either immediate financial gain or prolonged fraud against the medical establishment.

For individuals, here are some real-world examples of different types of risk involved in healthcare hacking:

  1. Financial risk: When a person uses someone else’s medical record to obtain or bill for medical goods or services. This “denial of service” or “denial of claim” is often how medical identity theft is discovered in the first place. Example: a patient can’t get therapy following surgery because a clinic they never visited claimed their insurance benefits had been maxed out.
  2. Reputational risk: Our medical records contain private or sensitive information that we don’t want in the public domain. Think about mental health, depression, alcohol or substance abuse. Such information still carries a huge stigma in our society and can cause reputational harm – for example, imagine breached records published by activist groups. Such information can surface in an employment background check, CORI report, etc. Worse, when a medical record is polluted by someone else’s healthcare information, patients may be wrongfully penalized based on information that does not pertain to them.
  3. Health risk: Imagine the health risk when a medical record is polluted or merged with someone else’s medical prescriptions or lab procedures. Incorrect blood type or prescription information could cause life-threatening complications at point of treatment.

Now let’s examine the risks to healthcare providers and payer organizations. The costs of such fraud, whether from IT security hacking, negligence or physical theft, are quite daunting – healthcare payment claims fraud can range between $60 billion and $100 billion, with an increasing portion attributable to medical ID theft.

Add to the mix some well-meaning regulations, namely the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act, created to confront the very issue of stolen private health information. Penalties can reach $25,000 per year for violations of a single requirement. Penalties for wrongful disclosure include fines of up to $250,000 as well as up to 10 years’ imprisonment. Additionally, HITECH permits states to pursue civil charges on behalf of victims, in addition to fines for HIPAA violators of up to $1.5 million per year.

That said, all is not lost for healthcare providers and business entities. Lucrative incentives to meet the privacy and security guidelines outlined in HIPAA, together with new EMR/EHR migrations and related IT transformations, offer the perfect opportunity for healthcare organizations to get their security house in order.

While the risk of a data breach can never be completely eliminated, we find that a commitment to security goes a long way toward reducing the risk.

Password guidelines, access management, awareness of social engineering, and clear policies on data storage and encryption create the foundation of strong security hygiene. A prioritized security, privacy and vulnerability assessment targeted at the key systems, applications and processes that handle patient data is often the most effective way to pinpoint exact vulnerabilities.

Risk-savvy organizations that are consistent, proactive and predictive in their security programs are the silent winners in the battle to protect patient data.
