Hackers Declare War on Health Care and Industry Fights Back
"It's a war we're in." That's how John Halamka, the chief information officer of Boston-based Beth Israel Deaconess Medical Center, described the current state of affairs between the health care industry and the hackers and identity thieves who are trying to steal patient records.
A recent Boston Globe article detailed the threat and provided some interesting - and sobering - statistics and information:
- There is high demand for health records, and a single health record may be worth $50 according to the FBI
- Criminal intrusions into health care systems have risen 100 percent in the past four years
- Of 614 total identity theft breaches in 2013, 269 (43.8 percent) were in health care (the most of any industry)
- Despite being the subject of the most attacks, health care providers are the slowest in any industry to respond to data breaches, according to a recent study by BitSight Technologies.
Hackers are motivated to target health records in order to facilitate identity theft, financial fraud and illegal drug use. The Boston Globe article, in particular, highlighted two recent incidents involving cyber-security breaches: (1) Chinese hackers seized the personal information of 4.5 million patients at a Tennessee-based hospital network, and (2) federal officials disclosed on September 4 that a hacker managed to install malicious software on HealthCare.gov.
Several reasons have been proposed for why the health care industry is vulnerable to these attacks:
- The recent transition to digital records, spurred by federal mandates;
- The lack of a federal law that mandates specific security procedures that must be followed;
- Low IT budgets (2 to 3 percent of budget in health care versus 20 percent in retail and financial); and
- Increasing sophistication of data thieves.
These events are driving change in the industry, forcing hospitals and health care providers to expend more human and financial resources to combat these risks. The federal government is adding extra incentive too, as the US Department of Health and Human Services (HHS) is taking a more aggressive approach on penalties for medical facilities that fail to protect patient data. According to the article, in May HHS fined New York Presbyterian Hospital and Columbia University Medical Center $4.8 million for the disclosure of nearly 7,000 medical records due to lax technical safeguards.
While some efforts have been made in the health care industry, there is also a growing consensus that the Affordable Care Act, which will result in more patient information being placed online, may lead to greater IT and cyber-security risks. This is consistent with the findings of a study done by the Ponemon Institute, which we wrote about on this blog in March.
As data security is increasingly becoming an issue hospitals face, make sure you have the correct policies in place and are effectively securing patient information. We encourage you to contact Nicole Stratton at firstname.lastname@example.org or Nick Oertel at email@example.com with any questions or concerns.