Protected health information (PHI) must be kept secure, yet the number of data breaches in the health care vertical is ever-increasing, as are the costs of dealing with the aftermath of losing a patient’s PHI. The recent Ponemon Institute survey on the cost of data breaches, commissioned by IBM, revealed the average cost per lost or stolen record is $363 within the health care sector.

Are we approaching the era when one must perform due diligence on a health care provider’s security reputation and its ability to protect the information it collects? Will the price of health care include a subsidy for the provider’s insurance premium in the event of a data breach? When will health care providers realize that Health Insurance Portability and Accountability Act (HIPAA) compliance is not synonymous with secure?

Why Is Protected Health Information Targeted?

The health sector is considered low-hanging fruit by cybercriminals because the ecosystem in which electronic medical records live, a patchwork of interconnected providers, plans, clearinghouses and legacy systems, would make Rube Goldberg proud. According to the Ponemon Institute’s study on medical identity theft, commissioned by the Medical Identity Fraud Alliance, medical credentials are most often stolen to obtain services, benefits and products.

The study detailed how 59 percent of the victims noted that their medical information was used to acquire treatment or services, and 56 percent had credentials used to obtain pharmaceuticals or medical equipment. In addition, 52 percent had their information used to receive government-provided benefits such as Medicare or Medicaid. And while identity theft is often associated with one’s fiscal footprint, only 14 percent noted fraudulent credit accounts were opened in their name. But perhaps most alarming is that 23 percent said their health care records were accessed or modified by outsiders.


Clearly, there is money to be made when protected health information is compromised. Indeed, health insurance credentials are selling for $20 each on the Dark Web. When we see millions of users have their information compromised, the financial motivation is abundantly clear.

As if this weren’t enough, those enterprising cybercriminals who compromise protected health information and are able to match it with other personally identifiable information (PII) are able to create in-depth dossiers, featuring details such as Social Security numbers, dates of birth, places of birth, etc. These dossiers enable the cybercriminal to market “fullz,” or “full identity kitz,” which sell for more than $1,000 each.

Consumers Can Help

Individual consumers can help themselves by inspecting each and every explanation of benefits they receive from an insurer, Medicare or Medicaid for questionable activity. In the event that a suspicious charge appears, contact the insurer or care provider; your medical identity may have been compromised.

Other anomalous activities that could indicate compromise has occurred include getting bills for unreceived medical services, fielding calls concerning a medical debt or being notified that a benefit limit has been reached.

Furthermore, when users create passwords to access their health care plan’s electronic medical records (EMRs), which contain their protected health information, they should use a separate, unique password for each of these accounts rather than reusing one from another site. If the provider offers two-factor authentication, enable it to further protect EMR access.

Health Care Providers and Plans Have a Mandate

Health care providers of all sizes, from the small, single-physician practice to the largest metro hospital, must embrace the mantra, “Don’t collect what you can’t protect.” The HIPAA compliance requirements have, unfortunately, given this sector a false sense of security, as detailed by a recent Dark Reading article that notes HIPAA is overly focused on patient privacy and ignores other aspects of security.

If the fact that 65 percent of the respondents in the Ponemon Institute’s medical identity theft study paid an average of $13,500 out of pocket to resolve the crime isn’t enough incentive to secure information, then the negative impact a breach can have on providers’ reputations should be. The same study indicated 48 percent would change health care providers following a data breach, and only about 50 percent believe their health care providers are able to adequately protect their PHI.

There is little that individuals can do to protect themselves from the lack of information security protocols within the health care ecosystem. For example, when a former physician within a health care system is able to retain information on 9,300 former patients on an unprotected laptop that is subsequently stolen, there is clearly room for improvement.

The Federal Trade Commission provides an excellent entry-level document, “Medical Identity Theft: FAQs for Health Care Providers and Health Care Plans,” which offers a good starting point on the need to consider protecting health information in a strategic manner. Clearly, health care and plan providers have a mandate to focus on security. In doing so, they will realize the return on investment both in the preservation of their revenue and in patient retention.
