It seems that nary a week goes by without a headline running rampant on the internet and in print detailing yet another healthcare entity that experienced a data breach. The industry as a whole is twice as likely to experience a data breach, and already sees 3.4 times more security episodes than other industries. As we evolve, globally, into a society that increasingly relies on digital technology, keeping all those precious ones and zeroes secure becomes an important task.
It used to be that identity thieves targeted your bank accounts and credit cards. All you had to do was simply not reply to that email from a foreign prince, right? Even if your credit cards are compromised, it is easy enough to get a new card. Yes, it’s a pain in the rear to go through the rigmarole, but the point is that the long-term impact of “old school” identity theft is limited in today’s world. Once the alarms are sounded and flags raised about potential fraud, the damage to that specific account is contained rather quickly. Of course, it used to be much more difficult to identify and correct, much like medical fraud at present.
A new type of identity theft
The impermanence of financial data is one reason that hackers have turned their attention to patient health data. While you can trade in an old credit card for a shiny new one, the same isn’t possible with a medical diagnosis. The ne’er-do-wells who purchase and use stolen patient data typically leverage it to acquire prescription medications or even someone else’s insurance for themselves. This could be a recipe for disaster for the victim.
As if that wasn’t bad enough, medical records often include additional private information, such as social security number, home address, relatives, place of employment, and financial data. We’re basically looking at a one-stop shop for all of someone’s most critical information. A single record can be sold on the black market for $50 or more, which makes recent data breaches that include millions of records very lucrative for hackers.
IT security matters in healthcare
Making matters even worse, the IT infrastructure of many healthcare providers and insurers leaves much to be desired compared with what is available. This is a major reason why the U.S. Government allocated $17B for the healthcare industry in 2009 as part of the American Recovery & Reinvestment Act (ARRA).
Part and parcel of this was an emphasis on electronic medical records, which forced many facilities to update their hardware. However, this has yet to penetrate the entire industry, and places remain that rely on outdated, and therefore more vulnerable, legacy systems.
Even companies with up-to-date infrastructure are at risk though. Six years after the ARRA set the wheels of upgrades in motion, the healthcare industry continues to lag behind other industries in terms of internal software security and practices. If a breach does occur, it may not be automatically detected. In fact, it could take months or years to recognize that a breach occurred and what was taken.
Employees are an important variable in the data breach equation. Malicious conduct certainly occurs, but more common is simple negligence that leads to breaches, such as stolen devices or computers, or weak passwords.
A recent study found that in 2014, the healthcare industry accounted for 42% of major data breaches in the U.S. Given the value of this type of data on the black market, those numbers are not likely to go down anytime soon.
A disturbing trend
A quick look at the Department of Health & Human Services HIPAA enforcement data shows an almost constant increase in the number of reported HIPAA-related incidents, violations, and resolutions. With figures extending back as far as 2003, there were only two calendar years in the period where the total number of incidents declined from the previous year.
It’s not a stretch to think of medical records that get into the wrong hands as Pandora’s Box; once opened it’s impossible to get everything back in the box as it was previously. Tracking what happens to patient medical records after a breach is another challenge, and adds a layer of complexity to the entire situation. Companies need to practice constant vigilance in anticipating threats and securing their patient data.
Hope for the future
All of this seems pretty grim, right? Fortunately, it is possible to be proactive in the war against hackers. This means upgrading IT infrastructure and procedures, like password complexity, to conform to current security best practices, and limiting partnerships to external vendors that are HIPAA compliant. For example, at Plum Voice we take data security seriously and our DEV platform underwent rigorous audits to achieve HIPAA compliance.
Another useful practice is employee training about the impact of data breaches on the healthcare industry, to reinforce those policies. Pretty much everything requires a password these days, so if you’re going to force employees to change theirs at regular intervals, it’s best to make sure they understand why.