Protected health information (PHI) must be kept secure, yet the number of data breaches in the health care vertical is ever-increasing, as are the costs of dealing with the aftermath of losing a patient’s PHI. The recent Ponemon Institute survey on the cost of data breaches, commissioned by IBM, revealed the average cost per lost or stolen record is $363 within the health care sector.
Are we approaching the era when one must perform due diligence on a health care provider’s security reputation and its ability to protect the information it collects? Will the price of health care include a subsidy for the provider’s insurance premium in the event of a data breach? When will health care providers realize that Health Insurance Portability and Accountability Act (HIPAA) compliance is not synonymous with secure?
Why Is Protected Health Information Targeted?
The health sector is considered low-hanging fruit by cybercriminals since the ecosystem in which the electronic medical records live would make Rube Goldberg proud. According to the Ponemon Institute’s study on medical identity theft, commissioned by the Medical Identity Fraud Alliance, medical credentials are most often stolen to obtain services, benefits and products.
The study detailed how 59 percent of the victims noted that their medical information was used to acquire treatment or services, and 56 percent had credentials used to obtain pharmaceuticals or medical equipment. In addition, 52 percent had their information used to receive government-provided benefits such as Medicare or Medicaid. And while identity theft is often associated with one’s fiscal footprint, only 14 percent noted fraudulent credit accounts were opened in their name. But perhaps most alarming is that 23 percent said their health care records were accessed or modified by outsiders.
Clearly, there is money to be made when protected health information is compromised. Indeed, health insurance credentials are selling for $20 each on the Dark Web. When we see millions of users have their information compromised, the financial motivation is abundantly clear.
As if this weren’t enough, those enterprising cybercriminals who compromise protected health information and are able to match it with other personally identifiable information (PII) are able to create in-depth dossiers, featuring details such as Social Security numbers, dates of birth, places of birth, etc. These dossiers enable the cybercriminal to market “fullz,” or “full identity kitz,” which sell for more than $1,000 each.
Consumers Can Help
Individual consumers can help themselves by inspecting each and every explanation of benefits they receive from an insurer, Medicare or Medicaid for questionable activity. In the event that a suspicious charge appears, contact the insurer or care provider; your medical identity may have been compromised.
Other anomalies that could indicate a compromise include receiving bills for medical services you never received, fielding calls concerning a medical debt you do not recognize, or being notified that a benefit limit has been reached.
Furthermore, when users create passwords to access their health care plan’s electronic medical records (EMRs), which contain their protected health information, they should ensure they use a separate and unique password for these accounts rather than reusing one from another site. If the provider offers two-factor authentication, take advantage of that option to further protect EMR access.
Health Care Providers and Plans Have a Mandate
Health care providers of all sizes, from the small, single-physician practice to the largest metro hospital, must embrace the mantra, “Don’t collect what you can’t protect.” The HIPAA compliance requirements have, unfortunately, given this sector a false sense of security, as detailed by a recent Dark Reading article that notes HIPAA is overly focused on patient privacy and ignores other aspects of security.
If the fact that 65 percent of the respondents in the Ponemon Institute’s medical identity theft study paid an average of $13,500 out of pocket to resolve the crime isn’t enough incentive to secure information, then the negative impact a breach can have on providers’ reputations should be. The same study indicated 48 percent would change health care providers following a data breach, and only about 50 percent believe their health care providers are able to adequately protect their PHI.
There is little that individuals can do to protect themselves from the lack of information security protocols within the health care ecosystem. For example, when a former physician within a health care system is able to retain information on 9,300 former patients on an unprotected laptop that is subsequently stolen, there is clearly room for improvement.
The Federal Trade Commission provides an excellent entry-level document, “Medical Identity Theft: FAQs for Health Care Providers and Health Care Plans,” which offers a good starting point on the need to consider protecting health information in a strategic manner. Clearly, health care and plan providers have a mandate to focus on security. In doing so, they will realize the return on investment both in the preservation of their revenue and in patient retention.