Healthcare Data Breaches Swell in 2010
Last week, the Identity Theft Resource Center reported that data breaches in the healthcare industry have outpaced those experienced by financial services organizations by more than three times so far this year. While a portion of these breaches can be attributed to laptops and portable media that have been lost or stolen, many have also been the result of unauthorized access to healthcare databases.
When announcements like this are made, they leave many scratching their heads in confusion. Banks and other financial institutions have traditionally been thought to be the main target of cybercriminals. But as banks continue to strengthen their defenses, new industries such as healthcare are becoming favored targets of cybercriminals. But why? Are they really that interested in learning if I have acid reflux disease, or is something more sinister in play here? In fact, it's a combination of reasons - healthcare data is easy to steal, it's good quality data and it has a high street value.
Easy to Steal
First, the portability of healthcare data and the need for remote access have exposed healthcare organizations to greater risk of unauthorized access. Between providers working across multiple locations and referring physicians requiring access to patient records, the sharing of patient information is imperative to ensuring quality patient care.
In addition, online portals for patients are beginning to spring up throughout the industry, creating yet another place where patient information can be accessed (by health care professionals and the patients themselves). In fact, pushing electronic health records is a cornerstone of the movement to modernize the United States' healthcare system. Yet, the security of how this information is accessed is a primary concern, as there is a wealth of sensitive data available in these records that must be protected.
Quality Data
Second, the volume and quality of data stored in EHRs is attractive to cybercriminals and can be used to facilitate fraud and identity theft. For example, this information is used to commit new account fraud - opening up new financial or service accounts in another person's name (i.e., credit cards, loans, cell phone or utility service). In fact, a study conducted by Javelin Strategy & Research earlier this year showed that criminals were able to exploit information from medical records to commit fraud for four times longer, as compared to other types of identity theft. This doesn't even take into account the many other scams, such as medical identity theft, that can be perpetrated with stolen healthcare information.
Increased Liquidity
Third, data stored in EHRs enhances the value of other data for sale by cybercriminals. Research at RSA's Anti-Fraud Command Center shows that a single credit card sells for around $1.50 in the black market. But when that data is sold with a full set of personally identifiable information that can be obtained from places like EHRs, the price jumps to about $15.
While the emergence of EHRs and healthcare portals for patients and providers has made it easier to access and share medical information, it has also made it easier for cybercriminals to gain access to healthcare data and other personal information.
The challenges facing healthcare organizations are many, both in terms of the range of security risks posed by cybercrime and introducing and educating on the threat across an industry that has not traditionally had to address such imperatives. Security risks and issues that need to be addressed within the healthcare industry as they push out more information online include:
- Secure enrollment to ensure that first-time users to a portal are who they say they are before granting access to various applications;
- Secure access to online portals to prevent the loss of patients' personal and healthcare information;
- Secure access for physicians to clinical applications that contain patient data;
- Secure access for payees and other third parties to sensitive data required to perform their jobs;
- Authenticating users who rarely interact with their healthcare provider;
- Limiting access to those who need to see the data.
Cybercrime is a very mature business. Cybercrime in the healthcare industry, however, is still in its infancy - and only because the exchange of healthcare information online is in its infancy. Recent events, such as healthcare organizations having suffered the most data breaches this year, provide ample evidence to conclude that the increase in healthcare data sharing via EHRs, personal health records, insurance portals and other online sites will inspire a commensurate increase in cybercriminal activity targeted at healthcare organizations.
Just as most financial institutions have implemented security measures to protect access to customers' accounts and personal data, it is just a matter of time before healthcare organizations will be required to do the same. The advantage that financial institutions had was that their security strategies could grow to counter the cybercriminals' latest advances. Healthcare is entering a fight against an opponent that already has advanced tools and techniques - ones that have been field tested against financial opponents for years. For the healthcare industry, the time has come to start training for a real fight.
Seth Geftic is a Senior Manager in RSA's Identity Protection and Verification group. He is responsible for multiple initiatives and technologies, including RSA Adaptive Authentication, that protect organizations against fraud and other online threats. Prior to joining RSA, Mr. Geftic gained market analysis experience at America Online, Inc. (AOL) and at AC Nielsen BASES, a consumer packaged goods consulting firm. Mr. Geftic holds a B.S.B.A. in both Marketing and Finance from Washington University in St. Louis.