If you think you are having a bad day, consider the healthcare providers and patients of the Australian Miami Family Medical Center, all of whom have been locked out of medical records. Thousands of patient medical histories, prescriptions, lab test results and health records have been breached, hijacked and encrypted, and are being held for ransom by Russian hackers.
This is not an isolated incident by any means - earlier this year, a small Illinois medical practice was similarly breached, with health records stolen, encrypted, and held for ransom. Extortionists also struck Express Scripts a few years ago, threatening exposure of more than 700,000 records.
Not all health data breaches are the result of hackers. In fact, hackers may be the tip of the iceberg. The less dramatic day-to-day threat of unsecured mobile devices, lost laptops, and disgruntled or dishonest employees likely represents the lion's share of the breaches -- at least at present. And such problems are hardly unique to healthcare - the issue of employees bringing personal mobile devices into the workplace is a common one, dubbed "bring your own device" or BYOD for short. Security experts quip that it stands for "bring your own danger."
Medical ID Theft
While ransom may not be a particularly successful criminal strategy, the real paydirt might be in medical identity theft. With the high cost of medical care and a proliferation of opioid abuse, medical IDs are increasingly valuable. Thieves can hijack medical identities and health data to file insurance claims or secure medical treatment, prescription drugs and even surgery. On a broader scale, operatives can use medical data to submit false bills to insurers. To add insult to injury, illegal medical transactions may unknowingly be added to patient records, making for inaccuracies and potentially dangerous situations.
People are aware that they could be a victim of financial fraud - medical fraud, not so much. A study by Nationwide Insurance revealed that most people are unaware of the risk of medical ID theft. While people are in the habit of checking financial accounts somewhat regularly, that is often not the case with medical records.
Expect growing risk for health data
Experts say that we can expect to see more healthcare breaches ahead - particularly as more records are digitized. A recently released study on patient data security by the Ponemon Institute and ID Experts reports:
Ninety-four percent of healthcare organizations surveyed suffered at least one data breach; 45 percent of organizations experienced more than five data breaches during the past two years. Data breaches are an ongoing operational risk that could be costing the U.S. healthcare industry an average of $7 billion annually. A new finding indicates that 69 percent of organizations surveyed do not secure medical devices -- such as mammogram imaging and insulin pumps -- which hold patients' protected health information.
The report paints a picture of an industry that is woefully unprepared to deal with the burgeoning threat. Most organizations surveyed said that they have insufficient resources to prevent and detect data breaches.
In health data breaches involving more than 500 people, HIPAA privacy regulations specify that, in addition to individual notifications, the incident must be reported and made public (See Breach Notification Rule). The US Department of Health & Human Services maintains a database of health data breaches affecting 500+ people - you can check to see if any of your providers are on the list. The Federal Trade Commission offers consumer advice on preventing or recovering from medical identity theft.
Besides individual consumers, employers, insurers and third-party administrators (TPAs) should be alert for health data fraud and should report any questionable activity. As entities with greater buying power than the average consumer, wholesale buyers can also help manage the risk by requiring adherence to security and privacy standards, and by having crisis plans in place, as part of the RFP or buying process.
Rick Kam, president and co-founder of ID Experts, offers these security tips to healthcare organizations:
- Operationalize pre-breach and post-breach processes, including incident assessment and incident response processes
- Restructure the information security function to report directly to the board to symbolize commitment to data privacy and security
- Conduct combined privacy and security compliance assessments annually
- Update policies and procedures to include mobile devices and cloud
- Ensure the Incident Response Plan (IRP) covers business associates, partners, cyber insurance