A recent Ponemon Institute survey reported that while the cost of data breaches is trending downward, this does not apply to stolen healthcare information. In fact, the World Privacy Forum found that the demand for medical history and identifiable information in healthcare far outstrips that in other industries.
For example, a stolen medical ID number and record currently sells on the black market for $50, versus a stolen credit card number, which is worth only $1. Healthcare fraud or medical identity theft puts both individuals and healthcare organizations at huge risk. A 2011 study on patient data privacy and security by the Ponemon Institute estimates the annual economic impact of medical identity theft at $30.9 billion. So why has medical information become so valuable?
Let’s start with personal risk. Say your credit card or bank card is compromised – while a hassle, the risk is contained. A few phone calls to the business or financial institution to cancel any fraudulent charges and issue a new card generally clears up any potential problems. In fact, fraud monitoring and data protection have now become mainstream services at most financial institutions.
A stolen health record, on the other hand, contains a lot more, and the theft is difficult to detect: birthdates, Social Security numbers, maiden names, transactional history and, of course, detailed medical history. Most of this information is stored in the back-office applications of healthcare IT across a complex network of players – insurance payment systems, hospital admit and discharge applications, medical laboratories of various types, and, of course, both the paper and electronic files of your primary care physician and specialists.
This complex relational view of data is a treasure trove to hackers looking to perpetrate medical identity theft for either immediate financial gain or prolonged fraud against the medical establishment.
For individuals, here are some real-world examples of different types of risk involved in healthcare hacking:
- Financial risk: When a person uses someone else’s medical record to obtain or bill for medical goods or services. The resulting “denial of service” or “denial of claim” is often how medical identity theft is discovered in the first place. Example: a patient can’t get therapy following surgery because a clinic they never visited has already claimed their insurance benefits, which are now maxed out.
- Reputational risk: Our medical records contain private or sensitive information that we don’t want in the public domain. Think about mental health, depression, alcohol or substance abuse. Such information still carries a huge stigma in our society and can cause reputational harm – for example, imagine breached records published by activist groups. Such information can also surface in an employment background check, a CORI report, etc. Worse, when a medical record is polluted by someone else’s healthcare information, patients may be wrongfully penalized based on information that does not pertain to them.
- Health risk: Imagine the health risk when a medical record is polluted or merged with someone else’s medical prescriptions or lab procedures. Incorrect blood type or prescription information could cause life-threatening complications at point of treatment.
Now let’s examine the risks to healthcare providers and payer organizations. The costs of such fraud, whether from IT security hacking, negligence or physical theft, are quite daunting – healthcare payment claims fraud is estimated at between $60B and $100B, with an increasing portion attributable to medical ID theft.
Add to the mix some well-meaning regulations, namely the Health Insurance Portability and Accountability Act (HIPAA) and HITECH, created to confront the very issue of stolen private health information. Penalties can reach $25,000 per year for violations of a single requirement. Penalties for wrongful disclosure include fines of up to $250,000 as well as up to 10 years’ imprisonment. Additionally, HITECH permits states to pursue civil charges on behalf of victims, on top of fines for HIPAA violators of up to $1.5 million per year.
That said, all is not lost for healthcare providers and business entities. Lucrative incentives to meet the privacy and security guidelines outlined in HIPAA, together with new EMR/EHR migrations and related IT transformations, offer the perfect opportunity for healthcare organizations to get their security house in order.
While the risk of a data breach can never be completely eliminated, we find that a commitment to security goes a long way toward reducing the risk.
Password guidelines, access management, awareness training against social engineering, and clear policies on data storage and encryption create the foundation of strong security hygiene. A prioritized security, privacy and vulnerability assessment targeted at the key systems, applications and processes that handle patient data is often more effective in pinpointing specific vulnerabilities.
Risk-savvy organizations that are consistent, proactive and predictive in their security programs are the silent winners in the battle to protect patient data.