Health IT and Electronic Health Activate your FREE membership today |  Log-in

Community Blog

Oct 15 2015   1:55PM GMT

Medical identity theft: Why healthcare data can be breached

Posted by: adelvecchio
Data breach, data breach security, Data security, health data security

RickKamGuest post by Rick Kam, CIPP/US, president and co-founder, ID Experts

Passengers on the London Underground are told to “mind the gap,” a warning to watch for the space between the train door and station platform. Healthcare organizations need to mind their own privacy and security gaps when it comes to protecting sensitive medical information.

According to the latest Gemalto NV Breach Level Index, the healthcare sector had the most data breaches in the first half of 2015, accounting for 21% of total incidents across all industries. Healthcare also had the largest number of records breached, at 84.4 million records, or 34%. The nature of these gaps has changed over the years — for instance, criminal attacks are now the leading cause of data breaches in healthcare, according to Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data. Data breaches, particularly those caused by a criminal element, have caused medical identity theft to nearly double in five years.

The link between data Breaches and medical identity theft
According to the Wall Street Journal, medical identity theft is on the rise because of the surge in electronic health records and healthcare data breaches. But it’s more than the digitization of health records. Medical data is everywhere, due to a plethora of devices, from tablet computers to medical implants and even Fitbits and Apple watches that are recording health data and transmitting it over the Internet.

As noted in Forbes, healthcare data breaches are also on the rise because financial services and retail sectors have developed better strategies for protecting their data. This includes the use of EMV cards that use a chip instead of a magnetic stripe. As a result, many hackers are turning to the more vulnerable healthcare industry.

In addition, medical information is simply more profitable on the black market. The Dark Web offers cybercriminals multiple global marketplaces in which to sell stolen personal information, including healthcare records. According to the FBI, healthcare records can fetch as much as $60 to $70, as opposed to about $5 for credit cards.

This is all converging to create a perfect storm for getting this data. It’s more available, it’s worth more, and healthcare organizations aren’t as good at protecting the data because they haven’t had to be.

As Shantanu Agrawal, M.D. director of the Center for Program Integrity at the Centers for Medicare and Medicaid Services, told the Wall Street Journal, “Data breaches are increasing and becoming more common.”

Smart, strategic data protection
To protect patients against the harms of medical identity theft, the healthcare sector must step up its data protection measures. While there is no such thing as zero risk in today’s connected, digitized world, health plans, hospitals and other entities that hold medical information can mount a strategic defense against cybercriminals.

For instance, in an interview earlier this year, Dwayne Melancon, chief technology officer of Tripwire, recommended following the example of financial institutions that classify and segregate their data. “You…have to have good segregation of data,” he said, “where you make sure that only a select group of people can access sensitive data, that there are lots of controls around it.”

Melancon also cautioned healthcare organizations to spend their security dollars wisely. “A dollar spent on security doesn’t mean it’s worth spending,” he said. He added that security spending should be part of a risk framework, and not done to “just add window dressing.”

In other words, healthcare organizations must mind the gap.

Comment on this Post

Leave a comment:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: