Organizations that have discovered the value of electronic health records (EHR) are learning—sometimes the hard way—that the security of those records is important, too.
As it turns out, with all the value EHR provides to a company, it provides a lot of value to hackers as well. For example, while the going price for a “hot” credit card number on the black market is about $5, a “hot” medical record goes for about $50, according to Arthur Allen in Politico.
Healthcare records are so valuable because they can’t be turned off as easily as credit cards, reports CBS News. “If you lose your credit card, we all know you call ‘1-800 I lost my card’ and they turn your card off,” Dr. Robert Wah, president of the American Medical Association and chief medical officer at CSC, a healthcare technology company, said on a recent broadcast. “There is no ‘1-800 I lost my health record’ and you can’t turn off all that rich information that’s in your health record.”
Consequently, like robbers who target banks because that’s where the money is, hackers are targeting health records. And as with security in general, studies are finding that criminals, rather than accidents or disgruntled insiders, are now becoming the primary source for healthcare data loss.
“45 percent of all data breaches in healthcare are due to criminal activity such as cybercriminal and nation-state hacks, malicious insiders, and physical theft, a 125 percent increase in such activity over the past five years,” writes Kelly Jackson Higgins in Dark Reading, citing a recent Ponemon Institute study.
Major insurers such as Anthem, Premera, and CareFirst BlueCross BlueShield, as well as the Community Health Systems hospital chain, have been hacked in the past year, compromising about 95 million patient records, writes Allen.
Stealing personal health information (PHI) means that people can use someone else’s identification, insurance policy, and more to buy medical care for themselves, or to file false claims for reimbursement. “Medical identity theft increased by a whopping 21.7 percent in 2014,” writes Sara Peters in Dark Reading, citing a different Ponemon Institute study.
“Crooks use medical records for identity theft, medical insurance fraud and plain old financial thievery,” Allen writes. The people whose PHI gets stolen then get dinged for the bill, or the medical provider gets stuck with it. 65 percent of the victims had to pay an average of $13,450 each to resolve the issue, the study found. Some people also lost career opportunities and even their jobs, Peters adds.
But the problem with stolen PHI goes beyond mere money. People can find incorrect information in their health records that can end up causing them problems down the line.
“The majority of people still don’t understand the serious risk of medical identity theft,” writes Rick Kam of ID Experts, a healthcare security consulting firm, in Healthcare IT News. “They don’t understand that while a credit card can be quickly and easily replaced, their medical identity can take years to be restored. When their records become polluted, patients can be misdiagnosed, mistreated, denied much needed medical services, or billed for services not rendered. Medical identity theft can literally kill you.”
Other Politico findings include:
- Each hacked record could cost a company around $20 in legal costs and credit protection.
- Hacks already cost the healthcare industry about $6 billion a year.
- An estimated $2 billion worth of health-related cyber insurance was sold last year, and the market is growing at 20 to 25 percent a year.
Despite all the thefts in the past year and resulting costs, some CIOs say they have trouble convincing management that EHR security is needed. In addition, some healthcare organizations say they can’t afford to implement the kind of security they need.
Experts cited by Allen said healthcare companies should be spending at least 10 percent of their information technology budgets on security, while companies that are just getting started should be spending up to 40 percent. But the industry average is about 3 percent, he writes, leading to expenses such as the high cost of insurance.
Moreover, losing customers’ EHR can result in losing them as customers as well, Peters warns. “Healthcare providers should take note, because about half of respondents said they would change providers if they had their records stolen, and 80 percent wanted to be reimbursed for the money spent to mitigate the damage,” she writes.
What can organizations implementing EHR do to make sure the records are protected?
- If you’re using an EHR provider, make sure that provider is protected, too. Cloud EHR vendor Medical Informatics Engineering said earlier this year that it had been breached in what’s believed to be the first such incident with a cloud provider.
- As medical devices get more intelligent, security needs to be built into them from the outset rather than tacked on later. And needless to say, make sure to change default passwords.
- Encrypt your EHR, both in transit and at rest, as well as when it’s actually in use—particularly since many EHR thefts come from the loss of equipment such as laptops.
- Get cyber insurance—but don’t think that means you can punt on security. Insurers have refused to cover incidents caused by provider negligence, notes Lisa Vaas in Naked Security.
- Security breaches aren’t a matter of if, but when, so be sure to monitor your systems for them.
The value that EHR provides is too important to give up. Give it the protection that it’s worth.