Healthcare data security used to be as simple as locking a file cabinet full of patient records. These days, the process of protecting the privacy of health information is much more complex.
The rise of electronic health record (EHR) systems has sparked a need for regulatory guidelines on digitally stored health information due to overwhelming increases in cybercrime. New data breaches are discovered on a regular basis, posing tremendous risk to the finances of healthcare providers and patients alike.
Security breaches can cause damage far beyond monetary loss, however. Victims of cybercrime also suffer damage to their reputations, while organizations use valuable time and talent investigating breaches, which takes away from monitoring and mitigating future attacks. This is to say nothing of what else health information may be used for.
Blackmail and Fraud
A 2016 Los Angeles Times article detailed an incident involving a Hollywood medical center that was forced to pay a $17,000 ransom via bitcoin to a hacker who seized control of its computer systems.
Hospital staff were unable to communicate electronically or access electronic health records, leaving the facility in a precarious position: either pay the ransom, or risk being unable to provide effective care for its patients.
The hospital paid the ransom before even contacting law enforcement for one simple reason: its ability to do its work often involves matters of life and death. Refusing to pay, and thereby delaying a return to normal service, could have severely damaged the hospital's reputation. The case described in the article is just one of many in recent years.
Hackers don’t have to hold information for ransom to make money, however.
In 2015, insurer Anthem became the subject of the largest healthcare breach on record, with the personal information of 78.8 million customers exposed. More than 113 million medical records were compromised in 2015 alone, according to a report from PBS.
The US Department of Health and Human Services keeps a public record of healthcare data breaches affecting 500 or more individuals. So far this year, the industry has averaged nearly four such breaches per week.
The reason for this is that patient data is invaluable and often more vulnerable than financial information, explains James Scott, co-founder and senior fellow at the Institute for Critical Infrastructure Technology (ICIT).
"With credit cards, the money is insured. If the bank is FDIC-backed, most people who have their credit card numbers stolen won't actually lose the money. The bank makes up the difference," Scott said in an interview with Scientific American. "But with electronic health records, the reason that hospitals and insurance companies are such a big target, first, is because of the payoff."
Healthcare data sells at a high price. The average price for a patient's health information is about $500, reports the InfoSec Institute. EHRs contain a wealth of valuable data, including addresses, Social Security numbers, children's information, and job titles, all of which can be used to support fraud schemes or sold for use overseas.
For example, in 2011, Chinese cybercriminals stole two thousand patient X-rays from a hospital in Boston. According to the hospital's Chief Information Officer, such records are often sold to people in other countries who could not otherwise pass the health examinations required to obtain travel visas.
HIPAA and Healthcare Data Security
The safety of health data relies on compliance with the Health Insurance Portability and Accountability Act (HIPAA) and on the secure use of EHRs. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 was passed by the federal government to promote rapid EHR adoption, and it also strengthened HIPAA's breach notification and enforcement provisions.
Standards for protecting health data are set out in the HIPAA Security Rule, which safeguards individually identifiable electronic health information while giving healthcare providers appropriate access to the data they need.
As a result of HIPAA's Privacy and Security Rules, breaches affecting patient privacy are met with more serious penalties. The Secretary of the Department of Health and Human Services determines penalty amounts based on the nature and extent of a violation and the harm that resulted from it. According to the American Medical Association website, penalties range from $100 to $50,000 per violation, with an annual maximum of $1.5 million for the provider in question.
Healthcare data security is now an "all hands on deck" problem. Health information is valuable and vulnerable, and it's overwhelming for individual businesses to protect it on their own.
As more organizations share data, they must now work together to protect it. Creating interoperable networks that allow easy, safe transfer of information requires collaboration among health information management professionals, researchers, clinicians, business administrators and other employees in the healthcare field.
Healthcare organizations and the government are combining their resources and expertise to improve health data security. The hope is that working together will result in stronger information protection, greater patient confidence, and appropriate punishments for cybercriminals.