We don't usually send our kids to the doctor's office for growing pains, but the U.S. healthcare industry definitely needs some help with theirs. As we look ahead to the third year of the ACA, we can only hope that the prognosis for 2016 is better than the last couple of years. The scale and intensity of healthcare-related cybercrime is a critical and growing threat to the U.S. medical system. According to the U.S. Department of Health and Human Services, the top 15 data breaches so far in 2015 (January to October) have affected well over 110 million people. In other words, the personal information of nearly half the U.S. adult population has been compromised in some manner by a data breach of their healthcare insurance provider. If data breaches were a virus, we'd call this a pandemic.
In the past year, organizations such as Anthem, Premera, Excellus, UCLA Health, and CareFirst have announced major data breaches, bringing the five-year total of compromised patient records to more than 143 million. To put it simply: cybercrime is the new healthcare crisis. Any overarching factor that makes healthcare more expensive for insurers, providers, and patients puts further pressure on an already strained system. The Ponemon Institute, a well-regarded security industry research firm, estimates that cyber attacks against hospitals, clinics, and doctors cost the U.S. healthcare industry more than $6 billion a year.
On an individual level, when a patient's insurance information is used fraudulently, the stranger's treatment history can be mixed into the original patient's EHR, creating the potential for misdiagnosis and treatment errors. Unraveling these fraudulently tainted EHRs and related patient insurance liabilities is notoriously complicated and time-consuming. Ponemon Institute research finds that victims of medical identity theft spend an average of $13,500 to restore their healthcare records, remedy their credit and reverse fraudulent claims. Unfortunately, fewer than one-third of healthcare providers offer any form of assistance to patients whose data has been compromised.
The reported data breach figures likely understate the severity of the problem, as some organizations may not yet be aware they have been breached and others may not have reported the incident. According to the HIMSS 2015 Cybersecurity Survey, 64 percent of healthcare organizations experienced an external cyber-attack during the last twelve months. The Identity Theft Resource Center, which tracks data breaches across industries, reports that more data breaches now happen in the medical and healthcare industry than in any other sector, accounting for 46 percent of the reported breaches in 2014. These attacks create administrative and public relations crises for many healthcare providers and distract from their core mission of providing quality patient care.
The healthcare sector represents a juicy target for cyber criminals because patient information (such as social security number, insurance ID number, credit card number, address, and medical history) is a tremendously valuable asset that can be easily used to commit fraud, financial theft, and identity compromise. In addition, medical data has more lasting value than other types of information. A stolen credit card can be cancelled and fraudulent charges disputed, but resolving medical identity theft is not as straightforward. On the black market, medical records sell for 10 to 20 times more than credit card records.
Because the healthcare insurance industry is known to be behind the technology and cyber security curve, cyber criminals know they will not encounter much resistance gaining access to its networks, and that they will be able to lurk undetected for longer periods of time. As EMV credit card technology is more widely adopted across retail industries, cybercriminals are moving on to lower-hanging fruit, including healthcare insurers.
New IT initiatives that the healthcare industry promotes as a way to enhance the quality of care also add information security risk. A growing number of nurses and doctors are using Wi-Fi-enabled communication devices and tablet computers instead of clipboards and sheets of paper. Similarly, internet-connected devices have been introduced at patient bedsides in various forms (fetal monitors, electrocardiograms, temperature monitors, or blood glucose monitors) and are increasingly used in remote care. These devices, in addition to many more emerging Internet of Things (IoT) technologies, face the same security risks as networked computers, but often have not been designed to the same information security standards.
Combating the scale, scope, and sophistication of cybercrime is outside the expertise of most healthcare organizations. Their primary purpose, after all, is to provide patient care. Staying on the cutting edge of global cyber security defense technologies and figuring out how to manage the brand new challenges of IoT will require tremendous effort and investment. The healthcare industry should start by taking a page from financial services: implementing more robust and automated fraud detection technologies to rapidly detect breaches, and planning for consumer-friendly response and remediation once a breach occurs. Because organized cybercrime is targeting patient records, the security of that data should be considered most critical. This may seem obvious, yet Anthem's compromised database wasn't even encrypted.
Any healthcare organization collecting, storing, and transmitting patient data is vulnerable, from the smallest physician practices, clinics, and labs to the largest hospitals, HMOs, PPOs, and insurers. It is already proving difficult to remain profitable in the new ACA system. As government regulation and public scrutiny heat up in the aftermath of this year's onslaught of breaches, failure to secure sensitive information is going to be increasingly damaging to profits and reputations, not to mention the healthcare system as a whole.