Why Are Healthcare Breaches on the Rise? (Part 1)
The recent announcement of a security breach of millions of healthcare records has raised yet another alarm in the security world. Is healthcare going to be the new target (no pun intended) for major breaches?
The notorious bank robber Willie Sutton was once asked, “Why do you rob banks?” He replied, “Because that is where the money is!” The “Willie Sutton” of today doesn’t carry a gun; he carries a keyboard. Criminal attacks on healthcare have increased more than 100 percent since 2010.* Why is that? Simple… that is where the money is! Recent healthcare regulations have contributed to the visibility of breaches, similar to the impact of breach notification laws on personally identifiable information (PII).
In 2009 the HITECH Act provided billions of dollars in financial incentives to encourage companies to adopt electronic healthcare records (EHR) technology. Tougher breach notification requirements were tied to the act, and in 2013 the Omnibus Rule added further definitions. The disclosure standard changed from a “harm” view to a “risk” view, business associates were brought into scope, and “willful neglect” was defined. The combination of these federal regulations has brought more awareness to healthcare breaches and greater opportunities for breaches to occur.
The Affordable Care Act is converting all the healthcare records to EHR. In the past, to gain access to my healthcare records you needed to break into my doctor’s office and rummage through the vast number of patient files to find my file. Then you needed the best translation experts in the world to break the encryption of my doctor’s handwriting. That has all changed with EHR. Now, from the comfort of the couch, an attacker anywhere in the world can hack into a system to gain access to an electronic healthcare record.
More than 50 percent of reported breaches in the past year are related to healthcare. Most healthcare entities and business associates are still focused on becoming compliant with the regulations. What has become very evident in the financial world is that “compliant” does not mean “secure.” Healthcare organizations do not have the same experience as the financial sector of being subject to organized crime and cybercriminal attacks. In healthcare, the investments have been focused on patient care, not on securing the information (don’t get me wrong – I am all for quality care).
We normally think of credit card information in relation to the black market and financial gain. Would it surprise you to know that you can buy a credit card for $1 on the black market? What is more surprising is that a stolen healthcare identity will provide you a 50x return!** The value for the cybercriminal is not just in the return on the investment; the value of a healthcare record lasts longer. A stolen credit card number can be cancelled in minutes, but you can never undo a healthcare record breach. If my credit card is stolen, I can simply replace the card. If my health information is stolen, it cannot be retrieved or cancelled. An EHR contains enough information to build a full identity, including personal information, medical history, prescriptions, financial records, personal contacts and diagnosis information. The high value of health information makes it attractive to attackers, and looking forward we can expect this industry to be a major target.
This isn’t a case of finding out who is taking Prozac for kicks. Identity theft for healthcare records is a lucrative business and can have dire consequences for the patient. If a patient’s medical record is changed, it can result in very dangerous and possibly life-threatening consequences for emergency care if the patient is given the wrong blood type or has unknown allergies.
Healthcare information can be sold on the black market and used to fill prescriptions or make false medical claims to obtain free medical care. For instance, the cost of OxyContin is more than $40 per pill on the black market. Using a falsified health insurance card, an individual can receive expensive medical prescriptions or procedures without paying. Of course, someone has to pay for it. That’s typically the health insurance company, but the additional cost is passed on to each of us through higher insurance rates.
In my next post I will explore why securing the records can be challenging, and what needs to be done to protect patients’ information.
* Fourth Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute© Research Report, publication date: March 2014
** EMC Report on Cybercrime and the Healthcare Industry