Occasional articles about what's coming in the next 12-24 months in health care IT.
Tuesday, April 5, 2016
Stopping Healthcare Data Breaches: the Greatest Challenge to Cybersecurity
Remember a time when the majority of health records were paper-based, riddled with illegible, handwritten reports, and couldn’t follow the patient from one care setting to another? No one wants to return to those days. But in a world where electronic health records (EHRs) are becoming the norm, the industry is dealing with an unwanted consequence that didn’t affect paper records – data breaches.
From 2008 to 2014, hospital EHR adoption increased from less than 10 percent to more than 70 percent.
The enormous amount of stored electronic patient data has enabled a number of powerful use cases involving analytics, coordination of care, population health management, and precision medicine. Computerized records are the main force driving the U.S. toward a learning health system, but they have also produced a growing, undesirable side effect: a huge increase in the number of health record breaches.
Unfortunately, the rapid adoption of EHR technology has outpaced healthcare IT organizations’ capabilities to protect data.
The Black Market Value of Health Data
A health record is estimated to be worth $500 - $2000 on the black market, compared to $1 - $50 for a credit card record. Due to the high value of medical records, Accenture predicts that 1 in 13 patients will be the victim of medical identity theft by 2019.
Why are health records so valuable? One reason is that health records contain considerably more personal information than a credit report, enabling more sophisticated forms of fraud. Second, the lucrative practice of medical identity theft allows perpetrators to receive treatment, get prescription drugs, or file fraudulent insurance claims. Third, it takes longer to detect the use of stolen medical data than it does with credit card, banking, or other financial information.
This is an enormous problem because victims of medical identity theft do not have the same protection as victims of credit theft (whose liability is typically limited to $50 but often waived entirely). While it’s hard to imagine that a patient can be held liable for fraudulent healthcare charges, it’s certainly true that sorting out the problem would be even harder than it is in the case of a stolen credit card. And even if the legal and financial headaches are sorted out, how does a patient remove the fraudulent data from their medical records to avoid confusion in future healthcare episodes or make sure that it doesn’t affect future employment?
Ransomware: a New Threat
While everyone agrees that cybersecurity should be a top priority for healthcare IT departments, it looks as if the problem will get worse before it gets better. The past several months have seen an increase in ransomware attacks – hacks where data is encrypted, rather than stolen, and only decrypted after anonymous payment is made.
The Fiscal Times reports that many ransomware attacks may be executed by hackers who were recently laid off by the Chinese government, so they’re obviously sophisticated and able to avoid detection.
For a complete description of how ransomware works, how to avoid an attack, and what to do if you’re a victim, check out Adam Alessandrini’s excellent resource, the Ransomware Hostage Rescue Manual.
Earlier this year, President Obama signed the Cybersecurity Information Sharing Act (CISA), which was included in the omnibus spending bill and contains specific language for healthcare. CISA opponents continue to express concerns about the bill’s privacy provisions when it comes to information sharing.
My next post will examine a new technology that may help improve the security infrastructure throughout the healthcare industry.