2014 was a year defined by cyberattacks. Major hacks at Home Depot, Target, and Sony left millions of consumers’ data exposed and revealed troves of embarrassing industry secrets. But if last year was the year of the data breach, 2015 might be the year the healthcare hack takes center stage.
While much ado has been made over compromised data at major retailers and financial institutions, much less has been reported concerning data security in the healthcare industry. This oversight should raise flags, because healthcare has proven far less secure than even the beleaguered retail and financial sectors.
“The vulnerability to medical data is huge, there’s a huge potential cost to breaches,” says Daniel Fabbri, CEO of Maize Analytics, a software developer that helps streamline HIPAA audits. “And there’s expectation that the curve for the number of breaches is going to increase over time.”
2014 already saw record growth in both the number of breaches and the number of stolen documents resulting from those breaches, according to the Identity Theft Resource Center’s annual Breach Reports. In fact, breaches at healthcare institutions accounted for over 42 percent of breaches in all fields last year, which is more than the total number of breaches in the business and banking/finance sectors combined.
And the boom in stolen medical data shows no signs of losing steam. Experian’s Data Breach Industry Forecast also expects breaches in the healthcare sector to increase, and notes that the security systems the industry has in place are not as resilient as those in the finance and retail sectors. So what are we going to do about it?
The lure of your health data
Part of the reason breaches in the healthcare sector have received less attention than those affecting other industries is that they have typically resulted in fewer stolen records. But this has begun to change as the economics of cyberattacks shift, making stealing from hospitals more attractive to would-be data thieves.
Credit card information has become far less valuable as the black market has been flooded with credit card numbers over the past several years. Medical records often contain more valuable information and allow criminals much longer lead times to deploy stolen information before they are stopped, says Ann Patterson of the Medical Identity Fraud Alliance.
Patterson also sees the industry’s problem in part as a cultural one. “You go to a bank, you see a poster about [protecting your financial information]. When was the last time you went to a hospital or a doctor’s office and saw a poster about protecting your medical information? It’s just not in the forefront for us as much,” Patterson said.
Research bears out Patterson’s concerns over the lack of awareness of security issues in the healthcare industry. According to an October white paper from CSID, 85 percent of small hospitals feel their systems limit the risk of a data breach, yet one third of those hospitals spend 10 percent or less of their IT budgets on protecting patients’ data.
It should go without saying that lost or stolen medical data can have a major impact on its victims. Medical identity theft now claims roughly 1.8 million victims in the U.S. every year, according to the Experian report. And the results can be devastating.
“The word that comes to mind is ‘shattered’,” said Barbara Filkins of the SANS Institute in an email to the Daily Dot when asked about the impact of identity theft on an affected individual. “You hear about the individuals who have been compromised, who lose the ability to get care or financial credit, who can’t reverse the changes to their record, who are refused a job, who have children’s services come after their baby—the list goes on.”
It gets worse before it can get better
There are a number of factors that suggest healthcare breaches are going to be even more common in the near future.
Jan. 1, 2015 was the deadline for healthcare organizations to implement digital record keeping in order to continue receiving funding from Medicaid and Medicare under the American Recovery and Reinvestment Act of 2009. This provision may have had the unintended consequence of pushing medical organizations, particularly smaller ones, to transition to digital record keeping before ensuring proper safeguards were in place to protect the newly available data.
Patterson also believes the Affordable Care Act could be a factor in a potential uptick in data breaches, “simply because way more people now are going to be insured, which means there are way more records.”
Healthcare providers may also be targeted more frequently as security continues to improve in other sectors, says Patterson. She expects data thieves to persist in preying on healthcare institutions at a disproportionate rate because of measures put in place in more technologically savvy industries, like financial services, that discourage hackers.
Until hospitals implement better security, she says, “I would think that crime rings will be shifting to the healthcare sector. What we see, what we have always seen with criminals, is they jump channels. Whichever channel is easiest for them to [steal from].”
Despite all these disadvantages, most believe healthcare will eventually find solutions to its security and privacy woes. “The first step is awareness but the second step is learning how to take that awareness,” says Filkins, and “develop best practices around privacy and security that can be integrated into the needed workflows, and then apply them. This latter step is going to take time but has to happen.”