Breaches and identity theft involving medical data are on the rise. According to the Ponemon Institute, criminal attacks in health care have increased by 125 percent since 2010 and are now the leading cause of medical data breaches. The study also found that 91 percent of health care organizations have experienced at least one data breach, costing more than $2 million on average per organization. The American Action Forum estimated that medical breaches have cost the U.S. health care system more than $50 billion since 2009.

Medical records are extremely valuable to thieves, with such data sold for an average of $363 per record, which is much higher than for credit card data. Additionally, compromised bank cards can quickly be canceled, thus limiting the potential damage, whereas medical data cannot be so easily destroyed.

Medical Information Is Widely Shared

One factor that complicates the problem is that medical data passes through so many hands. Researchers at Carnegie Mellon University told The New York Times that a typical patient’s medical data can be accessed by at least 30 people and organizations, ranging from physicians to pharmacies, insurers and even pharmaceutical companies.

Whereas medical data was once stored in paper form, the increased use of electronic health records has vastly improved the ease with which data can be transmitted or accessed in storage. According to one recent report from the Information Security Media Group, 68 percent of patients stated they were not confident that their medical records were safe from loss or theft.

Use the Necessary Access Control Safeguards

Since not all medical breaches are caused by theft — they could be the result of an inadvertent error, for example — every organization should put in place stringent policies and procedures governing access to sensitive data. These measures should ensure that all staff are thoroughly trained in what is expected of them and implement sanctions for noncompliance.

This requirement is included in HIPAA’s security rule, which also mandates that organizations periodically assess the effectiveness of those policies and procedures. Employees and partner organizations should be required to report any suspected or actual breaches they encounter so that swift action can be taken.

Organizations should also ensure they have appropriate technical safeguards in place to protect medical data. Role-based access controls should be implemented by all health care organizations that need to access data, and they must be regularly reviewed and audited. Strong authentication mechanisms will help to ensure only authorized parties can access sensitive medical data.

Access control technologies will help organizations pinpoint all those who have accessed data that has been breached no matter what entity within the health care sector they work for. Given the number of entities that need to access medical information, all data being transmitted should be encrypted.

Monitoring Technologies Lock Down Medical Data

Monitoring technologies that are capable of capturing all user data across all networks and applications should be implemented, including applying advanced analytics capabilities to sift through data feeds to uncover actionable intelligence. The system should provide real-time alerts for suspicious behavior so that action can be taken as quickly as possible. It should also record all data flows so that there is a trail that can be followed in the event of a data breach.

Since medical data is so valuable to thieves and the potential damage to individuals is so great, it is vital that controls and safeguards are in place to ensure data is protected throughout the health care ecosystem. This will make it much easier to investigate which party was responsible for the breach and therefore which organization is responsible for notifying the individuals whose data has been exposed.

With the financial impact of a breach so high, it is important that the party responsible be quickly and accurately identified.

Read the complete IBM research report: Security trends in the healthcare industry

More from Data Protection

Why Cybersecurity Risk Assessment Matters in the Banking Industry

When customers put money in a bank, they need to trust it will stay there. Because of the high stakes involved for the customer, such as financial loss, and how long it takes to resolve fraud and potential identity theft, customers are sensitive to the security of the bank as well as fraud prevention measures. Banks that experience high volumes of fraud are likely to lose customers and revenue. The key is to protect customers and their accounts before problems…

Will the 2.5M Records Breach Impact Student Loan Relief?

Over 2.5 million student loan accounts were breached in the summer of 2022, according to a recent Maine Attorney General data breach notification. The target of the breach was Nelnet Servicing, a servicing system and web portal provider for the Oklahoma Student Loan Authority (OSLA) and EdFinancial. An investigation determined that intruders accessed student loan account registration information between June and July 2022. The stolen data includes names, addresses, emails, phone numbers and social security numbers for 2,501,324 student loan…

Transitioning to Quantum-Safe Encryption

With their vast increase in computing power, quantum computers promise to revolutionize many fields. Artificial intelligence, medicine and space exploration all benefit from this technological leap — but that power is also a double-edged sword. The risk is that threat actors could abuse quantum computers to break the key cryptographic algorithms we depend upon for the safety of our digital world. This poses a threat to a wide range of critical areas. Fortunately, alternate cryptographic algorithms that are safe against…

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…