Consumers have likely accepted their personal financial information is at risk every time they swipe their credit card or check-out online, but they might not be aware that their health information is also in danger.
The Ponemon Institute, recently released its Fourth Annual Study on Patient Privacy & Data Security, and found the health-care industry is facing a 100% increase of criminal attacks on organizations since 2010. Insider negligence is the root of many of these breaches, according to the study. In 2013, 40% of health-care organizations reported attacks on their sensitive data, an increase from 20% in 2010.
The health insurance industry is facing massive challenges of its own to reign in criminal attacks on its organizations. And experts forecast the security risks will continue to increase as more of the Affordable Care Act unrolls and more records move into the digital world.
The Ponemon Institute’s study was released in part with data breach prevention company ID Experts, which provides software and services for managing disclosure and breaches of regulated data. The study took field-based research with senior-level personnel at health-care providers and 91 insurers nationwide.
Breaches can be costly to health-care companies and hospitals, with the cost ranging from $10,000 to more than $1 million per breach.
Larry Ponemon, chairman and founder of the Ponemon Institute, says much of the recent insecurity of data within the industry is a result of the Affordable Care Act, which mandates that all doctors and hospitals migrate to electronic medical records. And with questions still lingering about the security of Healthcare.gov, the federal exchange website, Ponemon says consumers face having their information compromised from both the insurer and health-care provider side.
“Sharing patient data might be a good thing, but it’s not necessarily secure,” he says of electronic medical records. “Also, there is a lot of uncertainty about whether the government will be a good steward of the information it collects.”
And while it may not be obvious, Ponemon claims medical information is even more lucrative to scammers than standard financial information. Rick Kam, president and co-founder of ID Experts, says medical identities include health insurance providers, names, Social Security numbers, date of birth and personal identifiers to gain access to medical services, prescription drugs and procedures.
“In some cases, it’s also to defraud Medicare or Medicaid, as well as private insurers,” Kam says.
Is Encryption the Solution?
With more attention on the type and scope of breaches within the health-care industry, Ponemon says organizations are beginning to take note.
“We see more investment in medical technologies and we are beginning to see some change. The Department of Health and Human Services and the Office of Civil Rights are stepping up their enforcement work with more assessments and audits of health-care information. The verdict is out on whether this has an effect on hospitals.”
The Health Insurance Portability and Accountability Act (HIPAA) requires businesses and IT organizations to protect “high-tech” data, Ponemon explains, but that doesn’t mean they are encrypting patient information properly. He says encryption is a key piece of the puzzle because it renders data useless once in the hands of hackers.
“It takes dollars to do this, and you can encrypt on a large device or stage system, but when moving [data] from one application to another, or to the cloud, it’s not encrypted,” he says. “In the field of cryptology, there are hardware security models that are difficult to deploy, but they are getting easier to implement and as a result, the cost is coming down. We will see more organizations deploying point-to-point encryption.”
Ted Julian, cyber security firm Co3 Systems’ chief marketing officer, says the lay of the land has become more complicated under the ACA with federal and state exchanges in the mix, and criminals have more surface area to snatch data.
“The bad guys have been getting more sophisticated over the past 10 years,” Julian says. “Insurance companies are not the only ones with [patient health] data; it’s a complicated eco system with people providing care, the government and more. The good guys have to protect a million avenues to avoid data getting stolen, and the bad guys just need one.”
And while encryption is important, humans can’t read encrypted text. So while it could protect patient information by rendering it useless to hackers, it’s also useless to insurers and providers.
“You can use the Target (TGT) breach as a perfect illustration of this point,” Julian says. “Credit cards are thoroughly encrypted at this point, but at some point they need to be clear, so they are unencrypted in the process. Hackers have figured out a convoluted way to grab this data at the precise moment. Useful data has to be unencrypted at some point.”