Why the economics of data breaches in the US healthcare industry are making medical records big game

By John Gunn, VP of Corporate Communications, VASCO Data Security.

The double-edged sword of the healthcare industry joining the digital age is, of course, obvious: the speed of access to critical data makes both clinical and management practices more efficient and cost-effective, but it has opened up the threat of cyber-attacks. What few people anticipated was how attractive infiltrating medical records could be.

The current landscape of cyber-crime has been dominated by the protection of sensitive commercial data and personal financial information. Data and banking security is far from watertight, but measures have been, and continue to be, put in place to mitigate losses and reduce the risk.

Think about it: if your credit card information is stolen, you can simply cancel the card and get a new one. Most of us will have some form of insurance to diminish the financial impact of any theft, and there is little backlash to deal with.

Private companies on the other hand have significant sums of capital that they reserve to employ first class security systems to protect their data. The investment and know-how exists to understand the importance of operating a secure environment in which to undertake their business. They too may be paying hefty insurance premiums to protect against an inevitable breach, in whatever form this may take.

The healthcare industry, particularly in the public sector, is sadly lagging far behind in both the right mindset and budget.

They also have to deal with the very real fact that the information they store and maintain is exceptionally valuable on the black market. Incidents of cyber-attacks on the healthcare industry are growing at an exponential rate, with criminals realising both the value of the data they can obtain and the ease with which they can do so. Protected health information, or PHI, is big business.

Data doesn’t come more sensitive than PHI, and with it criminals can access huge amounts of additional data, making identity theft simpler. They can access medical care for third parties and even operate large rings of prescription fraud. With PHI the rewards, for less effort, are huge.

Currently, the price of a stolen credit card on the black market is anywhere between $0.50 and $5.00 whereas the health records of an individual can fetch between $10.00 and $50.00. What makes the latter more valuable is that, unlike a credit card, there are features of the PHI that cannot be changed, cancelled or revoked; information such as national insurance numbers, medical history and prescription information.

The bottom line is medical records are up to 20 times more valuable than banking records, and are a lot more vulnerable to being stolen.

Research conducted by the Ponemon Institute in 2015 concluded that identity theft via medical records costs significantly more to resolve than identity theft originating from another source. The study was undertaken in the USA, and the average cost paid by respondents was $13,500. This sum included legal expenses, paying healthcare providers and using specialist identity fraud consultants to help them resolve the situation.

Of course we can’t put a true value on the theft of such personal medical information and the consequences when these fall into the wrong hands.

Healthcare providers, on the other hand, can. A conservative estimate of the fines and penalties levied on the industry including investigation, notifying the victim (if they actually do!), implementing measures to prevent further outbreak and updating and repairing their systems comes in at around $300 per record.

Worryingly, the same report also discovered that victims of theft of PHI are rarely notified by the healthcare providers themselves. In fact, the typical incident of identity theft of this nature was discovered by the victims themselves and, on average, at least three months following the initial breach; almost one in three of those surveyed could not determine exactly when a breach occurred.

These findings were not exactly a revelation but went quite some way at the time to underlining the urgent need for the healthcare industry to reconsider its investment and attitude towards the security of the data it held on its consumers’ behalf.

As patients and consumers in this sector, we place a great deal of importance on the reliability of the data security employed by those charged with its safety. Almost four out of five of us believe that it is important, and just under half of those surveyed said that a breach of their data would make them consider switching their healthcare provision.

The standard of data security within the healthcare sector needs to reflect the importance of the vital role the sector plays and be as high on the agenda as the standards of patient care. Criminals, just like illness and infection, will exploit any vulnerability in a network. And, as we move towards a more integrated era of the digital age, with information being shared across geographical regions such as the European Union (and the United Kingdom, post Brexit), technology must be robust enough to prevent data breaches in this sector.
