Healthcare businesses are ignoring the threat posed by cyber attackers, and are leaving themselves wide open to be victimized by data thieves seeking the personal information of patients. This is essentially the message gleaned from our review of a study released in May 2015 by the Ponemon Institute, a company that conducts independent industry studies on issues dealing with privacy and security.
The study, the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, takes a global view of the risk facing those who are charged with protecting patient data. Ponemon estimates that data breaches cost the healthcare industry in the US alone about $6 billion every year. The data collected also indicates that for every identifiable record pirated by hackers via a data breach, it costs the victimized business about $398. This might not sound like much until you realize that it only takes a theft of 250 patient records to rack up recovery costs of $100,000.
To date, an estimated 40 million healthcare records have been breached, according to a separate study by Gartner, a technology research company. Gartner’s study also says that the 40 million figure is conservative at best, because it only counted security breaches in which data of at least 500 individuals were compromised. For example, the recent data breaches that affected Carefirst Blue Cross and Blue Shield, Anthem, and Premera, which all occurred within the past year, are the kind of breaches counted.
What Gartner isn’t counting are the breaches that must also be happening to small medical practices, which are even more likely than big hospitals to lack adequate security measures to prevent data theft. In many cases, data could be compromised and taken without it ever being noticed — that is, at least until federal investigators come knocking on your door to comb through your server because one, or more, of your patients’ records was sold on the black market and used by criminals to defraud the government.
The hacking of medical records is getting more common every year. The Ponemon report claims criminal attacks on healthcare organizations are up 125 percent compared to 5 years ago, and it isn’t likely to slow down anytime soon.
So why did that same Ponemon study reveal 60% of the healthcare organizations interviewed expressed little to no concern over data theft? Administrators are either thinking, A) It won’t happen to me, or B) We’ve got this security thing covered.
If Ponemon’s numbers are accurate, and about 47 percent of healthcare organizations don’t have personnel with the technical skill to even identify a security breach, much less resolve one, then administrators must be thinking option A: “It won’t happen to us.”
The problem with that is that nearly every victim of a crime was probably not actively thinking something bad was about to happen to them, yet it did, and they were left to deal with the consequences. It happens, and in the case of medical record theft, it happens at a rate of about once every two seconds worldwide. So the odds that it won’t ever happen to you grow slimmer each year, especially if you aren’t taking the right steps to at least try to prevent it.
One article I recently read compared having the appropriate measures in place to prevent data theft to that of having a fire alarm in your home/office. The fire alarm might not protect you against fire, per se, but it can alert you when something happens, and you can take steps to minimize the damage, and in essence, get out in front of it. In the case of data theft, immediate notification of a security breach means being able to report it to the appropriate authorities and potentially stopping the data from being sold on the black market and used by criminals.
If a hacker wants to get to your data badly enough, there really isn’t one single way to prevent them from doing it. Nothing is 100% hacker proof. What can be done, though, is to make accessing your data so difficult that it isn’t worth the time it would take to crack through it. This is especially true of small practices, whose on-hand patient data pales in comparison to that of a large hospital or giant health insurance company. Hackers are more likely to go through the trouble of cracking security with a big payoff at the end than to go through the exact same level of security for a fraction of the booty. If your security isn’t up to snuff, however, you are just a sitting duck waiting to be harvested and cooked, and not only will you ultimately end up paying the price, so will your patients.