Electronic health records ripe for theft
Electronic health records ripe for theft
The issue has yet to capture attention on Capitol Hill.
By DAVID PITTMAN | 7/13/14 9:56 PM EDT
America’s medical records systems are flirting with
disaster, say the experts who monitor crime in cyberspace. A hack that exposes
the medical and financial records of hundreds of thousands of patients is
coming, they say — it’s only a matter of when.
As health data become increasingly digital and the use of
electronic health records booms, thieves see patient records in a vulnerable
health care system as attractive bait, according to experts interviewed by
POLITICO. On the black market, a full identity profile contained in a single
record can bring as much as $500.
The issue has yet to capture attention on Capitol Hill,
which has been slow to act on cybersecurity legislation.
“What I think it’s going to lead to, if it hasn’t
already, is an arms race between the criminal element and the people trying to
protect health data,” said Robert Wah, president of the American Medical
Association and chief medical officer at the health technology firm CSC. “I
think the health data stewards are probably a little behind in the race. The
criminal elements are incredibly sophisticated.”
The infamous Target breach occurred last year when
hackers stole login information through the retailer’s heating and air system.
Although experts aren’t sure what a major health care hack would look like,
previous data breaches have resulted in identity and financial theft, and
health care fraud.
Health care is the Johnny-come-lately to the digital
world, trailing banks and retailers with decades of experience in
cybersecurity. Most hospitals and doctors have gone from paper to electronic
health records in the space of a few years while gobbling up $24 billion in
federal incentive money paid out under the 2009 Health Information Technology
for Economic and Clinical Health Act.
“Frankly, health care organizations are struggling to
keep up with this,” said information security expert Ernie Hood, of the The
Advisory Board Co.
Significant breaches are already occurring. Over the
course of three days, hackers using a Chinese IP address infiltrated the St.
Joseph Health System in Bryan, Texas, and exposed the information of 405,000
individuals, gaining names, address, Social Security numbers, dates of birth
and other information.
It was the third-largest health data breach tracked by
the federal government.
The L.A. Gay & Lesbian Center reported late last year
that hackers attacked its computer systems over a course of two months trying
to steal credit card, Social Security and other financial information. About
59,000 clients and former clients were left vulnerable.
While a stolen credit card or Social Security number
fetches $1 or less on the black market, a person’s medical information can
yield hundreds of times more, according to the World Privacy Forum. Thieves
want to hack the data to gain access to health insurance, prescription drugs or
just a person’s financial information
The Identify Theft Resource Center — which has identified
353 breaches in 2014 across industries it tracks, says almost half occurred in
the health sector. Criminal attacks on health data have doubled since 2000,
according to the Ponemon Institute, an industry leader in data security.
Health care is the industry sector least prepared for a
cyberattack, according to security ratings firm BitSight Technologies. The
industry had the highest volume of threats and the slowest response time,
leading the FBI in April to issue a warning to health care providers.
The industry “is not as resilient to cyber intrusions
compared to the financial and retail sectors, therefore the possibility of
increased cyber intrusions is likely,” the FBI stated.
Why health care and why now?
The high value of health information makes it attractive
to hackers.
A credit card can be canceled within hours of its theft,
but information in a patient’s health record is impossible to undo. The record
contains financial records, personal information, medical history, family
contacts — enough information to build a full identity.
A patient’s credit card information alone may be easier
to hack from an unsuspecting hospital than from a company like Target, Michaels
or Neiman Marcus, experts say.
“Criminal elements will go where the money is,” said Wah,
who was the first deputy national coordinator in the Office of the National
Coordinator for Health IT. “They’re seeking health records not because they’re
curious about a celebrity’s blood type or medication lists or health problems.
They’re seeking health records because they can do huge financial, fraudulent
damage, more so than they can with a credit card number or Social Security
number.”
Other health security experts say hospitals’ response to
cybersecurity issues has been lackluster, with providers still focused on
privacy and confidentiality rather than data terrorists.
Security takes money and expertise to implement and isn’t
a glamorous job, since success is measured by something not happening. The
health system is still in the process of developing and vetting best practices.
The annual security assessment by the Health Information
Management Systems Society showed that about half of surveyed health systems
reported spending 3 percent or less of their IT budgets on security. Some 54
percent of the 283 IT security professionals surveyed had tested a data breach
response plan, and slightly more than half of hospitals had an IT leader in
charge of securing patient data.
Health facilities pay their security staffs less than any
other industry, said Stephen Boyer, co-founder of BitSight. “This may be the
case of you get what you pay for,” he said.
Comments
Post a Comment