Patient records contain personally identifiable information (PII) and protected health information (PHI), both of which have value on the black market. Over the years, there have been instances of insiders stealing this information for their own financial benefit, but outside criminal attacks are on the rise at a time when there is great pressure to reduce healthcare costs.

Industry analysis and private firms have issued predictions over the last few years, but the recent FBI warning that hackers are actively trying to get to personal medical records and health insurance data seems to add a bit of urgency. According to Rick Kam, president and co-founder of ID Experts and chair of PHI Protection Network, "it is time healthcare organizations step up to PHI security and privacy risk more proactively."

"The retail sector has seen increased cyberattacks over the past several months with Target, P.F. Chang's, Neiman Marcus, Home Depot, and Albertsons experiencing large data breaches," Kam said. "It seems the bad actors are maximizing known weaknesses in organizations' cybersecurity, elevating the risk of financial and medical identity theft and fraud losses."

While there has been progress toward complying with federal privacy and security guidelines and better safeguarding patient information, the risks are shifting and will continue to do so as criminals attempt to stay one step ahead.

Healthcare leaders must learn from other industries, particularly financial and retail, which have built resiliency and can generally identify breaches and respond more quickly. Doing so will require investment in continually strengthening security practices and safeguards, along with heightened awareness of the risks.

The latest surveillance techniques have limited the value of credit card numbers.

A few years ago, credit card companies acted when a cardholder reported a lost or stolen card or unknown purchases that appeared on the monthly bill. Today, using analytics and personalization, they can identify patterns of use that don't fit a customer's historical behaviors and habits and immediately dispatch a call or text to confirm recent purchases.

Credit card companies can also put a hold on cards until recent suspicious activity is confirmed with the cardholder. In addition, cardholders can monitor their accounts with real-time access to their purchase history.

However, targeting health records opens up access to even more possibilities.

In addition to credit card information, the thief can identify details needed to access bank accounts, obtain prescriptions for controlled substances, or file fraudulent medical claims. And because the health industry's security systems and safeguards lag behind, it also takes longer to identify breaches and take action, making the value of that information much greater than that of credit card numbers.

While healthcare organizations have made progress with information security, that progress hasn't kept pace with the constantly shifting threats. There isn't much real-time surveillance, and the technologies and safeguards aren't mature enough to protect against the hackers.

Consider how long it takes to receive statements from healthcare providers or an explanation of benefits from an insurance company, and whether some patients would even be able to recognize that they had not received the services that were billed.

Now is a good time for healthcare leaders to update the risk analysis of their information systems before a breach occurs. This will help practices avoid recovery expenses, lawsuits, penalties and fines, as well as a loss of patient and community confidence.