4 Reasons Why Healthcare Data Breaches Will Continue to Rise

Grant Elliott

Founder & CEO, Ostendio

Digital health companies are rapidly becoming the new frontline for data security in the healthcare industry. This year alone we have seen almost 100 million health care records breached through the combined cyber security attacks on Anthem (80 million), Premera (11 million) and CareFirst (1.1 million). We are just over halfway through 2015 and it is already setting a new record for the number of health records breached. But this should not surprise anyone. Analysts had predicted that 2015 could be the year of the healthcare breach. This may only be the beginning, and here are 4 reasons why:

  1. The Rise of the Digital Health Economy
  2. The Digitization of Healthcare
  3. Linens & Things – the New Business Associate
  4. The Value of Health Data

Reason No. 1: The Rise of the Digital Health Economy

The way healthcare is being delivered is changing. We can now choose our doctor and book appointments online, register ourselves and complete our HIPAA disclosures via a mobile tablet, and receive discharge instructions and care via a mobile app. All while being tracked by a wearable device, talking to the cloud. These new services and applications are being provided by a growing number of innovative new players entering the market.

According to Start Up Health, in 2014, $6.5 billion was invested in Digital Health and there are more than 7,000 Digital Health companies competing to provide the healthcare industry with innovative mobile and cloud-based solutions.

These digital health vendors are providing the services and applications we, as patients, want to use. However, most are small tech companies with 10, 50 or at most a couple of hundred employees. If a major health system or health plan, with thousands of IT professionals and a multi-million dollar IT budget, can face a breach, what chance do these smaller companies have? Many have already achieved notable success, and are deployed by leading hospital systems. So what happens when one of them, with access to the patient data for the top 10 health systems, gets hacked? It could make the Anthem breach look small.

Reason No. 2: The Digitization of Healthcare

Over the past 10 years the government has been providing incentives to hospitals, clinics and other providers to implement Electronic Health Records. While many of the largest medical institutions already maintained electronic records, “Meaningful Use”, introduced as part of the Affordable Care Act, has driven them to implement more efficient ways to share this information. Medium-sized and smaller providers are following their lead and making this conversion. The number of U.S. physicians now using electronic medical records has grown to more than 90%, compared to less than 10% only a decade ago. Even in the age of the Internet, this is an exceptional transformation. While the data has gone digital, most of those physician practices do not have the technical skills to manage it. For many, it was not so long ago that securing patient data meant locking a filing cabinet at the end of the day. Now their entire patient list is online. Without the right protection in place, it is easy prey for any reasonably smart hacker.

Reason No. 3: Linens & Things – the New Business Associate

It doesn’t stop with Digital Health companies. Remember that Electronic Health Record system that the providers invested so much in? Now that they have all their patient data in electronic format, it is less efficient to deliver this information manually to their linen services provider, their transport services company or their janitorial services vendor. They want those vendors to plug in and receive information electronically. The linen services company needs to know what conditions are being treated in a particular room or facility; the transport services company needs medication instructions for a particular patient; or the janitorial services vendor may need to know what medical waste to dispose of. This means they have online access to sensitive health information. As a result, these companies are likely to be subject to regulations such as HIPAA and not even know it. Are they even thinking about how to properly secure the data? Most of them have never had to worry about protecting private health data.

Reason No. 4: The Value of Health Data

We all instinctively protect our financial data and happily subject ourselves to security questions, withdrawal limits, PIN codes and fraud-protection alerts. We know what we need to do in order to prevent others from getting their hands on our hard-earned cash. But how many of us read, let alone question, that HIPAA disclaimer we sign when handing over our most sensitive health information to our doctor’s office? It is estimated that health records are 10 to 50 times more valuable than our financial data. As financial institutions have implemented multiple controls to limit exposure if your financial identity is compromised, criminals see healthcare as a soft target. Last year, in a breach at Children’s National Medical Center, up to 18,000 records were believed to have been compromised. A recent lawsuit filed by one of the victims stated that in addition to personal health data, information including social security numbers, addresses, birth dates and telephone numbers was stolen. This makes it a significantly richer data set than financial data alone.

The digital healthcare revolution is exciting for both patients and the organizations that provide them service. New applications and tools mean better services for patients and more efficient operations for the healthcare providers. And as with all revolutions, there is a price to be paid. There is now a growing, valuable data set that is increasingly in the hands of smaller, less-resourced companies. And this data is sought by an increasingly motivated criminal set. These companies must be responsible and implement robust security and compliance programs. Will we look back at 2015 as the year of the data breach? Or will it be the start of a new paradigm in data security and compliance?

This article originally appeared as a two-part series by Ostendio.

Grant Elliott is the Founder and CEO of Ostendio, Inc. which delivers affordable compliance and risk management solutions to health care companies. Ostendio’s My Virtual Compliance Manager (MyVCM™) is a…