Protected health information (PHI) must be kept secure, yet the number of data breaches in the health care vertical is ever-increasing, as are the costs of dealing with the aftermath of losing a patient’s PHI. The recent Ponemon Institute survey on the cost of data breaches, commissioned by IBM, revealed the average cost per lost or stolen record is $363 within the health care sector.

Are we approaching the era when one must perform due diligence on a health care provider’s security reputation and its ability to protect the information it collects? Will the price of health care include a subsidy for the provider’s insurance premium in the event of a data breach? When will health care providers realize that Health Insurance Portability and Accountability Act (HIPAA) compliance is not synonymous with secure?

Why Is Protected Health Information Targeted?

The health sector is considered low-hanging fruit by cybercriminals since the ecosystem in which the electronic medical records live would make Rube Goldberg proud. According to the Ponemon Institute’s study on medical identity theft, commissioned by the Medical Identity Fraud Alliance, medical credentials are most often stolen to obtain services, benefits and products.

The study detailed how 59 percent of the victims noted that their medical information was used to acquire treatment or services, and 56 percent had credentials used to obtain pharmaceuticals or medical equipment. In addition, 52 percent had their information used to receive government-provided benefits such as Medicare or Medicaid. And while identity theft is often associated with one’s fiscal footprint, only 14 percent noted fraudulent credit accounts were opened in their name. But perhaps most alarming is that 23 percent said their health care records were accessed or modified by outsiders.

Clearly, there is money to be made when protected health information is compromised. Indeed, health insurance credentials are selling for $20 each on the Dark Web. When we see millions of users have their information compromised, the financial motivation is abundantly clear.

As if this weren’t enough, those enterprising cybercriminals who compromise protected health information and are able to match it with other personally identifiable information (PII) are able to create in-depth dossiers, featuring details such as Social Security numbers, dates of birth, places of birth, etc. These dossiers enable the cybercriminal to market “fullz,” or “full identity kitz,” which sell for more than $1,000 each.

Consumers Can Help

Individual consumers can help themselves by inspecting each and every explanation of benefits they receive from an insurer, Medicare or Medicaid for questionable activity. In the event that a suspicious charge appears, contact the insurer or care provider; your medical identity may have been compromised.

Other anomalous activities that could indicate compromise has occurred include getting bills for unreceived medical services, fielding calls concerning a medical debt or being notified that a benefit limit has been reached.

Furthermore, when users create passwords to access their health care plan’s electronic medical records (EMRs), which contain their protected health information, they should ensure they use a separate and unique password for these accounts. If the provider utilizes two-factor authentication, take advantage of that option to further protect EMR access.

Health Care Providers and Plans Have a Mandate

Health care providers of all sizes, from the small, single-physician practice to the largest metro hospital, must embrace the mantra, “Don’t collect what you can’t protect.” The HIPAA compliance requirements have, unfortunately, given this sector a false sense of security, as detailed by a recent Dark Reading article that notes HIPAA is overly focused on patient privacy and ignores other aspects of security.

If the fact that 65 percent of the respondents in the Ponemon Institute’s medical identity theft study paid an average of $13,500 out of pocket to resolve the crime isn’t enough incentive to secure information, then the negative impact a breach can have on providers’ reputations should be. The same study indicated 48 percent would change health care providers following a data breach, and only about 50 percent believe their health care providers are able to adequately protect their PHI.

There is little that individuals can do to protect themselves from the lack of information security protocols within the health care ecosystem. For example, when a former physician within a health care system is able to retain information on 9,300 former patients on an unprotected laptop that is subsequently stolen, there is clearly room for improvement.

The Federal Trade Commission provides an excellent entry-level document, “Medical Identity Theft: FAQs for Health Care Providers and Health Care Plans,” which offers a good starting point on the need to consider protecting health information in a strategic manner. Clearly, health care and plan providers have a mandate to focus on security. In doing so, they will realize the return on investment both in the preservation of their revenue and in patient retention.
