March 3, 2016 By Fran Howarth 3 min read

Breaches and identity theft involving medical data are on the rise. According to the Ponemon Institute, criminal attacks in health care have increased by 125 percent since 2010 and are now the leading cause of medical data breaches. The study also found that 91 percent of health care organizations have experienced at least one data breach, costing more than $2 million on average per organization. The American Action Forum estimated that medical breaches have cost the U.S. health care system more than $50 billion since 2009.

Medical records are extremely valuable to thieves, with such data sold for an average of $363 per record, which is much higher than for credit card data. Additionally, compromised bank cards can quickly be canceled, thus limiting the potential damage, whereas medical data cannot be so easily destroyed.

Medical Information Is Widely Shared

One factor that complicates the problem is that medical data passes through so many hands. Researchers at Carnegie Mellon University told The New York Times that a typical patient’s medical data can be accessed by at least 30 people and organizations, ranging from physicians to pharmacies, insurers and even pharmaceutical companies.

Whereas medical data was once stored in paper form, the increased use of electronic health records has vastly improved the ease with which data can be transmitted or accessed in storage. According to one recent report from the Information Security Media Group, 68 percent of patients stated they were not confident that their medical records were safe from loss or theft.

Use the Necessary Access Control Safeguards

Since not all medical breaches are caused by theft — they could be the result of an inadvertent error, for example — every organization should put in place stringent policies and procedures governing access to sensitive data. These measures should ensure that all staff are thoroughly trained in what is expected of them and implement sanctions for noncompliance.

This requirement is included in HIPAA’s security rule, which also mandates that organizations periodically assess the effectiveness of those policies and procedures. Employees and partner organizations should be required to report any suspected or actual breaches they encounter so that swift action can be taken.

Organizations should also ensure they have appropriate technical safeguards in place to protect medical data. Role-based access controls should be implemented by all health care organizations that need to access data, and they must be regularly reviewed and audited. Strong authentication mechanisms will help to ensure only authorized parties can access sensitive medical data.

Access control technologies will help organizations pinpoint all those who have accessed data that has been breached no matter what entity within the health care sector they work for. Given the number of entities that need to access medical information, all data being transmitted should be encrypted.

Monitoring Technologies Lock Down Medical Data

Monitoring technologies that are capable of capturing all user data across all networks and applications should be implemented, including applying advanced analytics capabilities to sift through data feeds to uncover actionable intelligence. The system should provide real-time alerts for suspicious behavior so that action can be taken as quickly as possible. It should also record all data flows so that there is a trail that can be followed in the event of a data breach.

Since medical data is so valuable to thieves and the potential damage to individuals is so great, it is vital that controls and safeguards are in place to ensure data is protected throughout the health care ecosystem. This will make it much easier to investigate which party was responsible for the breach and therefore which organization is responsible for notifying the individuals whose data has been exposed.

With the financial impact of a breach so high, it is important that the party responsible be quickly and accurately identified.

Read the complete IBM research report: Security trends in the healthcare industry

More from Data Protection

Data security tools make data loss prevention more efficient

3 min read - As businesses navigate the complexities of modern-day cybersecurity initiatives, data loss prevention (DLP) software is the frontline defense against potential data breaches and exfiltration. DLP solutions allow organizations to detect, react to and prevent data leakage or misuse of sensitive information that can lead to catastrophic consequences. However, while DLP solutions play a critical role in cybersecurity, their effectiveness significantly improves when integrated with the right tools and infrastructure. Key limitations of DLP solutions (and how to overcome them) DLP…

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

What is data security posture management?

3 min read - Do you know where all your organization’s data resides across your hybrid cloud environment? Is it appropriately protected? How sure are you? 30%? 50%? It may not be enough. The Cost of a Data Breach Report 2023 revealed that 82% of breaches involved data in the cloud, and 39% of breached data was stored across multiple types of environments. If you have any doubt, your enterprise should consider acquiring a data security posture management (DSPM) solution. With the global average…

Cost of a data breach: The evolving role of law enforcement

4 min read - If someone broke into your company’s office to steal your valuable assets, your first step would be to contact law enforcement. But would your reaction be the same if someone broke into your company’s network and accessed your most valuable assets through a data breach? A decade ago, when smartphones were still relatively new and most people were still coming to understand the value of data both corporate-wide and personally, there was little incentive to report cyber crime. It was…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today