Q&A: Health orgs don't protect patient data for reasons going 'back to the industrial revolution'

By Tom Sullivan
12:41 PM

Three out of five healthcare organizations are not allocating enough resources to protect patient data – and among the reasons is the simple fact that the industry has no way to place a value on that information.

That’s according to Rick Kam, president and co-founder of ID Experts, which sponsored the Ponemon Institute’s third annual benchmark "Study on Patient Privacy and Data Security," published on Dec. 6.

Prior to the report’s release, Government Health IT Editor Tom Sullivan spoke with Kam and Ponemon Institute Chairman Larry Ponemon about the survey's alarming statistics, the potential dangers of criminal social-engineering and why healthcare as an industry is so far behind in terms of safeguarding data.

Those reasons, it turns out, go back even further than most health IT professionals might imagine.

Q: The staggering figure in this report is that 94 percent of healthcare providers have had at least one breach in the last two years — given how difficult it can be to tell whether breaches result in medical identities actually falling into the wrong hands, do you have a sense for what percentage of breaches actually expose personal health information (PHI) to criminals?

Ponemon: If you look at our data, we try to understand as best we can the root cause of the data breach. The majority of the events involved a negligent insider, an employee for instance, so ultimately the probability of a lost laptop ending up in the hands of a cyber-criminal is remote. It could happen but it’s not a high-probability event.

We also have root causes that are connected to malicious or criminal activity, and we believe those are the types of activities that would result in actual data and medical identity theft. In terms of the percentage, we report about a third of all cases fall into the category of criminal but even in those cases it’s not exactly clear whether that information will result in a medical identity theft. We can make the case that there’s probably some of these – why make an attack if there’s not value in the information? – but you can’t assume that everybody is a victim. That’s true of data breaches across the board.   

Q: Earlier this week, ADP put the word out that it was breached by an employee who illegally accessed health data, then exposed it to a theft ring suspected of tax fraud. Is this something you expect to see more of? Will these crimes be smaller or bigger?

Kam: In many of the cases that we work on, it's somebody who has trusted access to the system who either gets human-engineered by a criminal to give them the data or access keys, or some variation on that theme. It’s very unfortunate. Just like in the financial services industry, the reason why it’s illegal for employees to publish their work email addresses on social networks is because they’re targeted by criminal social engineers because they want to find them and compromise them somehow.

Q: So why aren't health organizations allocating enough resources, IT, expertise to data security? I’ve heard more than one seasoned health IT veteran make the argument that the industry is two decades behind others when it comes to basic data encryption.

Kam: What we realized is — and this goes back to the industrial revolution — we don’t have a methodology for valuing data in general: as in, data as an asset. We have to put in place a way to value protected health information so that the CEO and the executive team making decisions on resource allocations can look at the privacy officer or whoever’s doing the suggestions on initiatives and basically be able to have them answer the questions: "How much is this data worth to our organization? Is this worth a dollar or is it worth $5 billion dollars? And what’s the appropriate level to make in privacy initiatives to protect it? Given that, what’s the return on investment compared to other things we’re looking at like meaningful use or a new radiology center or a new web site?"

Q: What is the market for stolen medical information like these days – specifically, last year medical records boasted a street value 50 times that of other types. Is that more, less or pretty similar today?

Ponemon: All of the evidence suggests that a healthcare record is in fact much, much more valuable than a financial record. It can be used for financial ID theft crimes, or a medical ID theft or both. It provides a dossier of personal information so bad guys can do more and better stuff like create passports, and visas, and because they have physical characteristics as well as information, it’s a big deal. And I see in a number of our studies that it is substantially more valuable than other types of records.

Kam: The other thing is that in some cases we’ve seen the records being held hostage so you can imagine the medical record of Hillary Clinton or President Obama, or Mitt Romney before the election, those records have incredible value. Medical records can have major PR value because of who they’re attached to. 

If you think about credit cards today. If someone stole my credit card they wouldn’t be able to spend any more money than I can because my wife is monitoring those cards in my kitchen so they’d get away with nothing. But if you steal my health insurance, Obamacare basically removes the lifetime limit of $2.5 million so if you get my health insurance number and my medical profile, well, you could spend a fortune. Literally millions before anyone would catch you.

Q: My story from last year’s report was that the industry was in such a state that what you, Rick, likened to a health data spill worse than what BP did in the gulf was certainly possible. We didn’t see that, thankfully, but what’s the big-picture takeaway from this year’s report?

Kam: If every healthcare organization actually put a value on their data, they would have the justification and business case to do a better job at assessing the risk and more specifically putting the appropriate level of investment in play to protect the data. 

I discovered this at one of Larry’s meetings with the Commissioner of Australia’s data privacy. Over lunch we were having some potato chips and tuna sandwiches that Larry gave us and what he told me, because he’s an accountant, basically, is that one of the reasons people don’t value data is because the systems that we use to value assets were designed in the industrial revolution so they value buildings, oil wells, hard assets like that.

No one has devised a methodology to value data. Take Google: Basically, they just have data and processes to turn that into a corporate value. But what method did they use? You have to make it up. The market hasn’t derived it.

Data needs an accounting methodology.