A few weeks ago, we released a whitepaper, "The New Healthcare Crisis: Cybercrime, Patient Records and Information Security," noting that more than 40% of Americans have had their healthcare records breached in 2015. Our analysis was based on breaches filed with the Department of Health and Human Services.
Well, we were wrong. Now almost 50% – 47% to be exact – of Americans’ patient records have been breached.
Last week, Excellus Blue Cross Blue Shield, an upstate New York healthcare company, announced that 10 million of its customers had records compromised in a cyber attack. Perhaps more troubling than the sheer volume of the attack is its longevity. Excellus' internal system audit revealed that breaches had been going on undetected since 2013.
In addition to the bad press, Excellus will bear the cost of providing 2 years of identity theft protection services to each of those 10 million clients.
And it joins the ever-growing list of breached healthcare companies: UCLA Healthsystems, Anthem, and Premera — to name a few.
Criminals are targeting the healthcare sector because patient records are a tremendously valuable source of data. In fact, medical information has more lasting value than other types of information. A stolen credit card can be cancelled and fraudulent charges disputed, but there are no standardized remediation procedures for resolving medical identity theft. Patient data, therefore, commands a higher price on the black markets.
Medical identity theft not only results in financial damage, but can impact health outcomes. If a stolen medical identity is used to receive care, the new data could alter or become integrated into the existing records and result in inaccurate diagnoses. Even after an error has been identified, medical privacy laws make it difficult to disentangle the fraudulent medical details from the legitimate information.
In our whitepaper, we highlight several factors responsible for the rise in healthcare breaches: (i) the threat environment is changing rapidly; (ii) point products create gaps in security posture; (iii) roaming users make the network porous; and (iv) healthcare providers face significant resource constraints. In addition, new healthcare IT initiatives promising to enhance the quality of care can increase information security risks. Examples include networked patient record-keeping devices, internet-connected fetal monitors, electrocardiograms, temperature sensors, and an emerging wave of Internet of Things medical technologies.
Here are links to a few articles on the topic.