Hacking Health Care: Your Guide to Privacy
Sep. 3, 2015
Every week seems to bring a new and bigger data breach attributed to hackers. The targets are many and varied: Department stores, major websites and even U.S. government agencies have seen sensitive, private information exposed in recent months.
Because of its massive potential for profitability, the health care sector ranks near the top of many hackers’ lists. In 2003, the use of most health information became subject to strict regulation with the passage of the Health Insurance Portability and Accountability Act Privacy Rule. And in 2009, Congress passed additional legislation that pumped billions of dollars into promoting health information technology, including the adoption of electronic health records.
As the use of information technology has spread, the health care landscape has become more complex — and more subject to unauthorized disclosure, as a report in Marketing Health Services notes.
A SYSTEM EASILY BREACHED
A number of factors make health care providers ideal targets. The recent transition to digital records — along with a growing number of Internet-connected medical devices and security standards that lag behind other industries — has created a new cyber playground for criminals.
Upping the ante is a black market that provides much higher paydays for medical records than for other types of personal data. A 2014 study found that data breaches could cost the health care industry some $5.6 billion a year.
POTENTIAL DAMAGE TO CONSUMERS
The biggest danger of data breaches for the average consumer is health care identity theft. When data related to an individual’s health care is compromised, it can take months or years for the breach to come to light.
According to Government Health IT, health care fraud cost U.S. consumers as much as $234 billion annually as of 2012. The figure is unsurprising, considering that a pilfered medical identity has a $50 value on the black market, whereas a Social Security number is worth just $1.
HOW DO MEDICAL DATA BREACHES HAPPEN?
Health care organizations constantly work to update IT systems and to improve security. But many breaches happen for an old-fashioned reason: human error. Three-quarters of health care organizations cite employee carelessness as the biggest threat to data security.
With the stakes so high, simple mistakes can have dire consequences. In 2014, the theft of two laptops from AHMC Healthcare Inc.’s administrative offices resulted in the breach of confidential medical data — including Social Security numbers — belonging to 729,000 patients.
WHAT STEPS ARE HEALTH CARE PROVIDERS TAKING?
The U.S. Office of the National Coordinator for Health Information Technology notes that health care providers are required to protect health information with passwords and other technical security enhancements like encryption. And HIPAA requires that health care providers secure certain protected health information by:
- Limiting who can access the information
- Limiting disclosure of the information
- Ensuring that vendors follow the rules
- Implementing technical, physical and administrative protections
In practice, security safeguards include passwords and PINs that limit access to authorized people, such as doctors and nurses. Information also may be encrypted, requiring a software “key” at both ends of a transmission. Individual workstations are locked down from prying eyes, and audit trails track who accessed or changed information.
SYSTEMS ARE ONLY AS SECURE AS THEIR USERS
Health care IT teams will continue to race against hackers and other criminals to keep data safe through digital means. But in the end, the security of everyone’s health care information rests with individuals.
You can be a part of the solution at Concorde Career College. Our Health Information Management program educates health care professionals on new and better ways to protect patients’ valuable information.