The latest purchasing trend? Your PHI
Professionals in health care are well aware: data breaches are hotter than ever. But what is driving thieves to steal vulnerable patient health information (PHI), and why is it in such high demand?
Data breaches are rampant across industries. Home Depot is facing the largest estimated credit card breach to date, and just last week cyber hackers accessed high-profile celebrities’ iPhone accounts, sharing intimate photos with the public via social media. A quick read through sites such as Data Breach Today and Forbes’ Data Breach Bulletin substantiates the enormity of this problem.
Data breaches are even more widespread in health care. A glimpse of industry news often provides headlines around the latest hacking, and the necessary damage control put in place by affected parties. Daily, patient information is hacked through vulnerable databases, lost or stolen unencrypted computers and devices, unprepared business associates, outdated technology, security shortcomings of the cloud, or as a result of the timely and difficult transition from paper medical records to EHRs.
According to CNN Money, the medical industry faces more breaches than the military and banking sectors combined. If that is true, PHI is in greater demand than our nation’s military intelligence or sensitive financial information.
Riddle me that.
Keep in mind records are often acquired en masse, ranging from hundreds to thousands to even millions, as seen in the recent Community Health Systems’ computer breach.
Modern Healthcare reported that nearly one in eight, or 318.8 million Americans, have had medical records exposed in breaches. If every stolen medical record was purchased for $50 on the black market, thieves may have paid upwards of 16 trillion dollars for this information.
To answer the burning question raised in this blog, criminals are stealing medical records and using pseudo identities for the following reasons: to fraudulently bill insurance or Medicare for costly medical treatments and to acquire prescription medications and sell them for high figures.
Despite the pervasiveness of this problem, preventative measures can be taken to avoid data breaches—and the inevitable costly fines from HHS.
As a first step, covered entities should be compliant with HIPAA rules. This includes staying up-to-date with requirements, updating contracts with business associates and performing routine security risk assessments to prepare for government audits.
Although HIPAA compliance is an admirable first line of defense, it does not ensure impermeable networks. According to OCR spokesperson Rachel Seegar, data encryption, an additional security measure not required by the government, is the “gold standard of data security because [it] makes data completely unreadable to anyone not authorized to access it.” Although this measure is not one hundred percent effective, the risk of a data breach is much lower.
Linda Reed, Atlantic Health System’s chief information officer, emphasizes that in addition to diligent security measures, it comes down to dedicated and trained staff. Staff needs to know how to keep PHI secure and in an ideal world, should feel a personal obligation to protect this information.
In rare cases, health systems have been able to anticipate attacks before they occur. Last week Boston Children’s Hospital was informed of a planned attack and was able to prepare countermeasures, including shutting down email systems, hospital websites and e-prescribing systems, to prevent the release of vulnerable patient data.
By combining the preventative measures outlined above with a wholehearted commitment to protecting patient health data, providers can greatly reduce the number of breaches and help patients rest easily. Patients should never have to wonder—is my health information for sale?