The scale and intensity of healthcare-related cybercrime is a critical and growing threat to the U.S. medical system. In the past year, organizations such as UCLA Health Systems, Anthem, Premera, and CareFirst have announced major breaches, bringing the five-year total of compromised patient records to over 143 million, or 45 percent of the U.S. population, according to data from the U.S. Department of Health and Human Services. When nearly half of the U.S. population has been the victim of a data security breach, it is an epidemic that can and will hit any healthcare provider.
To put it simply: Cybercrime is the new healthcare crisis.
The reported figures likely understate the severity of the problem, since some organizations may not yet be aware they have been breached and others may not have reported the incident. According to the Healthcare Information and Management Systems Society (HIMSS) 2015 Cybersecurity Survey, 64 percent of healthcare organizations experienced an external cyber-attack during the preceding twelve months. The Identity Theft Resource Center, which tracks data breaches across industries, reports that more data breaches now occur in the medical and healthcare sector than in any other, accounting for 46 percent of the breaches reported in 2014.
These attacks not only create administrative and public relations crises for many healthcare providers and distract from their core mission of providing quality patient care, but they also consume precious financial resources at a time of rising healthcare costs. The Ponemon Institute, a well-regarded security industry research firm, estimates cyberattacks against hospitals, clinics and doctors cost the U.S. healthcare industry over $6 billion a year.
Cybercriminals target the healthcare sector because patient information (Social Security number, insurance ID number, credit card number, address, and medical history) is a tremendously valuable asset that can readily be used to commit fraud, financial theft, and identity compromise. In addition, medical data has more lasting value than other types of information. A stolen credit card can be cancelled and fraudulent charges disputed, but a Social Security number, insurance ID, or medical history cannot be reissued, so resolving medical identity theft is not as straightforward. The black market rate for financial information and other personally identifiable data runs from tens to hundreds of dollars per record. Medical data commands even higher rates, making a healthcare data breach extremely lucrative for attackers.
Healthcare breaches can also affect healthcare outcomes. If a stolen medical or insurance identity is used to receive care, the impostor's data can be merged into the legitimate patient's record and lead to inaccurate diagnoses or treatment. Once the fraud is discovered, medical privacy laws make it difficult to disentangle the fraudulent medical details from legitimate information. Ponemon Institute research finds that victims of medical identity theft spend an average of $13,500 to restore their healthcare records, remedy their credit, and reverse fraudulent claims; unfortunately, fewer than one-third of healthcare providers offer any form of assistance to patients whose data has been compromised.
In addition to the challenges of the current landscape, new IT initiatives in the healthcare industry, while promising to enhance the quality of care, also add information security risk. A growing number of nurses and doctors use Wi-Fi-enabled communication devices and tablet computers instead of clipboards and sheets of paper. Likewise, internet-connected devices have been introduced at the patient bedside in various forms (fetal monitors, electrocardiographs, temperature monitors, blood glucose monitors) and are increasingly used in remote care. These devices, and the more advanced emerging Internet of Things (IoT) technologies that will follow them, face the same security risks as networked computers, but often have not been designed, patched, or monitored to the same information security standards. A practitioner should assume such devices cannot be hardened like a workstation and instead inventory them and isolate them from the rest of the clinical network.
U.S. healthcare providers do an extraordinary job providing patient care, but the scale, scope, and sophistication of cybercrime are an epidemic outside the expertise of most organizations. Given today's reality, the healthcare industry should take a page from financial services: implement more robust and automated fraud detection technologies to detect breaches rapidly, and adopt more consumer-friendly remediation procedures for when a breach does occur.
If large national providers can be breached, the sobering reality is that any healthcare organization collecting, storing, or transmitting patient data, from the smallest physician practices, clinics, and labs to the largest hospitals, HMOs, PPOs, and insurers, is vulnerable.