On the surface, it may appear that cyber criminals have it out for retailers with the number of massive retailer breaches that have occurred, but taking a closer look, another industry has a target on its back.
The healthcare industry experienced more data breaches than ever before in 2013 and accounted for 43 percent of all breaches for the calendar year, according to the Identity Theft Resource Center’s 2013 breach report. These breaches impacted 1.84 million Americans, with the average victim held liable for more than $18,600 in medical services, according to the Ponemon Institute’s 2013 Survey on Medical Identity Theft.
But why the interest in medical records?
A medical record is more valuable than a credit card on the black market. According to the World Privacy Forum, a medical record, including a name, address, Social Security number and health ID number, typically goes for $50 on the online black market. An active credit card sells for just $3. In order to get the biggest bang for their buck, cyber criminals are finding that gathering batches of medical data and selling them on the black market can be much more lucrative than stealing credit card numbers by breaching a retailer.
This puts the healthcare industry in a sensitive position, especially as patient data goes digital. At the beginning of 2014, there was a federal mandate issued that required healthcare facilities to show meaningful use of electronic medical records in order to keep their Medicaid and Medicare reimbursement levels. While most healthcare facilities are getting on board with digitizing medical data, CSID found that one in four healthcare facilities have not implemented electronic health records.
Digitizing health records is not a new practice, but it does have significant consequences today if those records are not properly secured.
For example, Community Health Systems, a healthcare group with 206 hospitals in 29 states, suffered a cyber-attack in August that affected the private data of 4.5 million patients. This was the largest U.S. healthcare breach since the Department of Health and Human Services began tracking breaches in 2009. Forbes estimates that Community Health Systems will pay between $75 million and $150 million to remedy the breach.
To get a better understanding of what privacy professionals can do to best protect patient data, CSID recently partnered with the Medical Identity Fraud Alliance (MIFA) and computer forensics author and professor of criminal justice Marie-Helen Maras to collaborate on the best way to approach healthcare privacy practices:
Take an Enterprise-Wide Approach
MIFA SVP and Program Director Ann Patterson said healthcare facilities should approach healthcare privacy with an enterprise-wide methodology. Every department—human resources, security, medical technicians—should be trained and have an understanding of how to best protect patient data and why. Limiting that knowledge and understanding to the IT department only hurts the entire system, since every employee can be an entry point for a cyber criminal trying to access patient records. Educate employees on how medical identity theft happens, what the warning signs are, and what they need to do from a best-practices and a Health Insurance Portability and Accountability Act (HIPAA) standpoint to keep patient data safe.
Implement Role-Based Security Access to Patient Records
Restricting patient-record access to only those users whose role requires it ensures HIPAA compliance and reduces the risk of litigation if patient data is lost.
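To make role-based access to patient records concrete, here is an added Python example; it is not code from CSID, MIFA or any healthcare organization. The roles, the field-level permission matrix, the fictional patients and the assignment of users to patients are all constructed for the illustration. It shows two checks that a HIPAA-oriented design combines (the user's role may read the requested fields, and the user has a current relationship with that patient) and records every decision, including denials, in an audit log that a privacy officer can query.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List

# Fields each role may read, following the "minimum necessary" idea: a role sees
# only what its job needs. This matrix is constructed for the example; a real
# one is set by the organization's privacy officer.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "physician": frozenset({"name", "dob", "diagnoses", "medications", "notes"}),
    "nurse": frozenset({"name", "dob", "medications", "notes"}),
    "billing": frozenset({"name", "dob", "insurance_id"}),
    "hr": frozenset(),  # HR staff have no business need for any patient field
}

# Constructed sample records; the patients are fictional.
SAMPLE_RECORDS: Dict[str, Dict[str, str]] = {
    "P-1001": {"name": "Pat Example", "dob": "1970-01-01", "diagnoses": "hypertension",
               "medications": "lisinopril", "notes": "follow-up in 3 months",
               "insurance_id": "INS-0001"},
    "P-1002": {"name": "Sam Sample", "dob": "1985-06-15", "diagnoses": "asthma",
               "medications": "albuterol", "notes": "stable", "insurance_id": "INS-0002"},
}


@dataclass
class User:
    username: str
    role: str
    # Patients this user currently has a treatment or billing relationship with.
    assigned_patients: FrozenSet[str] = frozenset()


@dataclass
class AuditEvent:
    timestamp: str
    username: str
    role: str
    patient_id: str
    fields_requested: List[str]
    granted: bool
    reason: str


# Every access decision, granted or denied, is appended here. Denials are kept
# too: a run of them from one account is the warning sign of record snooping.
AUDIT_LOG: List[AuditEvent] = []


class AccessDenied(Exception):
    """Raised for any refused request; the message never includes record contents."""


def _audit(user: User, patient_id: str, fields: List[str], granted: bool, reason: str) -> None:
    AUDIT_LOG.append(AuditEvent(datetime.now(timezone.utc).isoformat(), user.username,
                                user.role, patient_id, list(fields), granted, reason))


def read_record(user: User, patient_id: str, fields: List[str],
                records: Dict[str, Dict[str, str]] = SAMPLE_RECORDS) -> Dict[str, str]:
    """Return the requested fields only if the user's role may read every one of
    them and the user is assigned to the patient. The whole request is refused
    when any field is out of scope, so a caller cannot widen a request to probe."""
    allowed = ROLE_PERMISSIONS.get(user.role)
    if allowed is None:
        _audit(user, patient_id, fields, False, "unknown role")
        raise AccessDenied("unknown role")
    if patient_id not in user.assigned_patients:
        _audit(user, patient_id, fields, False, "no care relationship with patient")
        raise AccessDenied("not assigned to this patient")
    forbidden = sorted(f for f in fields if f not in allowed)
    if forbidden:
        _audit(user, patient_id, fields, False, "role may not read: " + ", ".join(forbidden))
        raise AccessDenied("requested fields exceed role permissions")
    record = records.get(patient_id)
    if record is None:
        _audit(user, patient_id, fields, False, "no such patient")
        raise AccessDenied("not assigned to this patient")  # same wording: do not confirm existence
    _audit(user, patient_id, fields, True, "ok")
    return {f: record[f] for f in fields if f in record}


def denied_events_for(username: str) -> List[AuditEvent]:
    """One user's denials from the log: the query a privacy officer would run first."""
    return [e for e in AUDIT_LOG if e.username == username and not e.granted]


if __name__ == "__main__":
    physician = User("dr_adams", "physician", frozenset({"P-1001"}))
    clerk = User("acct_baker", "billing", frozenset({"P-1001", "P-1002"}))
    print(read_record(physician, "P-1001", ["name", "diagnoses"]))
    for who, pid, wanted in [(clerk, "P-1001", ["diagnoses"]), (physician, "P-1002", ["name"])]:
        try:
            read_record(who, pid, wanted)
        except AccessDenied as exc:
            print(f"{who.username} -> {pid} {wanted}: denied ({exc})")
    for event in AUDIT_LOG:
        print(event)
```

Two design choices are worth noting. A request that mixes permitted and forbidden fields is refused outright rather than partially answered, which keeps the audit trail honest about what was attempted. And a patient who does not exist produces the same error text as a patient the user is not assigned to, so the access layer does not confirm whether a given identifier is real.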
Include Privacy Protection in the Budget
While there is no industry benchmark on what percentage of their budgets healthcare organizations should devote to protecting their systems, experts from MIFA say it should be more than 10 percent.
The Jury’s Still Out About BYOD
In a perfect world, bring-your-own-device (BYOD) would be a convenient, secure option for employees at healthcare facilities. As our imperfect world stands today, BYOD policies are tricky and difficult to enforce. But eliminating BYOD altogether is unrealistic as employees’ personal and professional devices are connected, policy or no policy. Currently, the best way to address BYOD is to create a policy that puts strict limits on how patient data can be viewed and transmitted on devices. Here’s a look at how to create a BYOD policy for Millennials, Baby Boomers and everyone in-between.
Develop a Crisis-Response Plan in Case of a Breach
Keep your breach response plan up-to-date and train staff on policies and procedures on a regular basis.