Is A Breach of Personal Medical Information the Next Cyber-security Calamity?


Recent data breaches at major retailers and retail chain stores have made everyone aware of just how much the loss of control over customer credit card data can impact a company and its customers. While the retail industry appears to be taking all the heat for cyber-security problems lately, there is plenty of opportunity for disruptive intrusions into personal data in every industry sector. The loss of personal credit card information poses significant pain and inconvenience to the retail consumer, but a comparable loss of personal medical information in the healthcare sector could result in a calamity that would dwarf the impact experienced by the country's biggest retailers.

According to recently published studies, health care companies continue to unnecessarily expose their networks and patient data to online thieves. Health care fraud costs the United States $80 billion, according to the FBI, and the U.S. currently spends more than $2.7 trillion on health care annually. The potential reward from such a huge economic sector is very tempting for criminals who steal patient records to commit medical identity theft, and with the implementation of the Affordable Care Act (ACA) the situation is likely to get worse. A new report from the privacy and information security research firm Ponemon Institute estimates that these breaches will cost the industry about $5.6 billion a year. Once breached, credit card information is relatively easy to replace: the bank issues a new card number and new security details, and the stolen data loses its value. Personal medical records, which can include social security numbers, personal health information, healthcare provider details and health insurance data, are more of a genie-out-of-the-bottle scenario. A social security number or a medical history cannot be reissued, so once the data gets loose, putting it securely back into the bottle is a much more significant dilemma.

The problem of securing medical records stems largely from employee negligence, unsecured mobile devices and third-party contractors who have access to the sensitive patient information of the health-care organizations they work with. A single patient's record may be handled by the medical center, an ambulance company, outside labs, doctors who don't bill through the hospital, health insurance providers and possibly a debt collector, and each of these parties is a potential point of exposure.

A large majority of information security officials identify employee negligence as the industry's biggest cause of sensitive data leaks. With the growing use of personal devices like smartphones, laptops and tablets, there is an ever-increasing risk of exposing personally identifiable medical information. Approximately 88 percent of medical care facilities permit employees to use their own mobile devices to access patient information, which raises the concern that these personal devices are not secured to the same standard as the organization's own systems. Now that medical records are being digitized, all of that sensitive data is more portable and more accessible to more people, including criminals within the organization and outside hackers. Despite the risk and the impact that data breaches have on patients' vital personal information, the truth remains that many healthcare providers are simply not prepared, or do not have the resources necessary, to deal with the combination of threats that can lead to significant liability for the caregiving entity.

In response to recent lapses in medical data security, the U.S. Department of Health and Human Services (HHS) has begun to crack down on organizations that put their patient data at risk. Earlier this year, HHS fined two health care organizations, New York and Presbyterian Hospital and Columbia University, a combined $4.8 million for "failing to secure thousands of patients' electronic protected health information." Last year, the managed care giant WellPoint agreed to pay HHS $1.7 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

In a traditional clinical environment, healthcare practitioners are often observed discussing private patient information in hushed tones. Against that backdrop, failing to contain the scattering of that same personal medical information across the world-wide electronic network seems an unfathomable outcome.