By Frederik Mennes, Sr. Market & Security Strategy Manager, Vasco Data Security
The integration of technology within the healthcare sector continues to create seismic changes in how individuals receive medical care. Yet in their rush to adopt technology designed to improve the consumer’s experience, organisations within the healthcare industry face the very real threat of sensitive patient data ending up in the hands of cybercriminals.
When it comes to the value of stolen data within the criminal underground, the more personal the better – and it does not come any more personal than protected health information (PHI) included in medical records. In the hands of criminals, PHI facilitates all types of crimes including prescription fraud, identity theft and the provision of medical care to a third party in the victim’s name.
Despite its compromised state, there is more value attached to healthcare-related data than other types of personally identifiable information. A stolen credit card, for example, has a finite life because once the customer discovers fraud they cancel the card. PHI, on the other hand, contains government-issued identity numbers such as national insurance numbers, as well as medical and prescription-related data that are permanent.
How much does the public know about breaches?
While the tracking and reporting of healthcare breaches varies by country, the United States Office of Civil Rights (OCR), part of the U.S. Department of Health and Human Services, publishes a “wall of shame.” Pursuant to the Health Information Technology for Economic and Clinical Health Act, the wall details breaches of unsecured health information affecting 500 or more individuals. According to the OCR report, in 2015 alone, 268 breaches accounted for the loss of over 113 million records. While some of the breaches reported involved unauthorised access or exposure, the OCR reported the breach of 111 million of those records as a hacking or IT incident.
The long-term impact of medical-related data breaches
In a 2015 survey, the Ponemon Institute reported several important findings related to this issue, including:
- Medical identity theft generates significant costs. 65% of medical identity theft victims included in the study paid an average of $13,500 to resolve the crime (Payments made to healthcare providers, identity service providers or legal counsel).
- Healthcare providers rarely notify the victim. On average, victims learn about the theft of their data more than three months following the crime. 30% do not know when they became a victim.
- Consumers expect healthcare providers to adopt a proactive approach to preventing and detecting medical identity theft. 79% of survey participants state that is important for healthcare providers to ensure the privacy of their records. If their medical records were lost or stolen, 48% say they would consider changing healthcare providers.
Estimates regarding the cost to remediate a healthcare breach, which includes the investigation of the breach; the implementation of measures to prevent future breaches; notification of victims; and provision of identity-theft protection and repair services vary widely. The associated regulatory fines and penalties are, on average, between $200 and $400 per record.
Security cannot remain an afterthought. Breaches negatively impact the patient and the broader healthcare ecosystem. While large-scale breaches occur mostly in United States, where increased regulatory oversight drives transparency, the EU, as evidenced by the progression of the General Data Protection Act, continues to take steps to increase the level of transparency regarding breaches.
Criminals count on gaps within an organisation’s authentication security framework. Further regulators with responsibilities related to data privacy and security, driven in large part by elected officials and patients affected by breaches, will continue to set standards that create the need for enhanced security.