One night you find yourself watching the news and – surprise! – another company has reported a data breach. The next day at Starbucks the cashier swipes your card, but the card doesn't work. Now you have to take a detour to the bank. At the bank you find out that your card has been deactivated because the card number was compromised in the data breach you heard about the night before. They apologize for the inconvenience and say that you'll get a new card in the mail within 7 business days. They give you a temporary card in the meantime.
This is the average scenario of what a consumer goes through when affected by a data breach. The worst part is the annoying stares you get at places like Starbucks and the time wasted at the bank, so it's really just an inconvenience. First world problems, nothing more.
But there is an extreme version of this that goes beyond replacing a credit card. In this scenario your entire personal and private information is sold on the online black market and your identity is effectively stolen from you. Even worse, they know everything about you: where you live, when you got that scar on your head, that embarrassing surgery you had when you were 12, and your social security number.
Cyber Crime and Your Healthcare Data
Medical data is more valuable to cyber criminals than credit card numbers because medical records contain far more information. There is enough information in a medical record to gain access to any account a cybercriminal sees fit. Information that can be found in your medical records includes your date of birth, social security number, address, birthplace, and even some of your parents' information. This information can be used to access bank accounts, open new accounts, and even file insurance claims on your behalf. It can also be used to answer the security questions that let someone change the passwords on your most important accounts.
But that isn't even the main reason your medical data is so lucrative to cyber criminals. The most important reason that cyber criminals go after healthcare records instead of credit card numbers is that the healthcare industry is easier to hack. Criminals can spend less time obtaining that information.
HIPAA and Healthcare Data Security
A recent report by BSIMM shows that the healthcare industry isn't protecting data as well as it should be. Unfortunately, it's not surprising. The healthcare industry is behind most other industries when it comes to data security. The Anthem breach earlier this year should have been a big indicator that our information isn't being safeguarded as much as we like to believe.
Healthcare IT departments have been slower than those in other industries to adapt, but the blame cannot be placed solely on IT. In many cases, the issues lie in weak IT budgets and a general lack of awareness among healthcare staff. What's worse is that, due to the lack of security measures in place, it is hard to detect data breaches if and when they do happen. In addition, once a breach is detected, the business has a 2-month window, as regulated by HIPAA, in which to notify anyone affected by the breach.
A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach.
Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. –HIPAA, Breach Notification Rule
Another reason that healthcare IT teams may be slow to adapt is that they may be taking a "good enough" approach. If covered entities are protecting themselves in accordance with the HIPAA regulatory guidelines, then IT has done its job. Simply put, HIPAA does not go far enough to hold the healthcare industry liable when data breaches are detected. Healthcare organizations get away with not implementing proper security measures, and the patients are the ones who lose.
Healthcare IT Policies To Minimize Risk
Since budgets fall short and businesses have no incentive to go beyond the data security measures required by HIPAA, IT can at least protect itself in creative ways. It is reasonable to assume that most users in the healthcare industry are not diligent about data security. All it takes to compromise an IT infrastructure is a simple phishing attack or a compromised personal device connected to the same network as millions of health records. Educating employees on the most common forms of cyberattack will go a long way toward ensuring that a data breach does not happen.
Creating stricter policies around personal device usage on healthcare networks may also be a strong step in the right direction; however, being stricter means more time policing the policies that have been put in place. Expecting employees to follow these rules will, more likely than not, become an employee trust system.
Of course there are several ways IT can be creative in keeping employees informed of the threats and asking them to be diligent, but at the end of the day healthcare IT departments need more money to implement more secure infrastructure. And unless HIPAA is changed to push for these stronger security measures, healthcare companies are not going to give IT the budget it needs to keep their data safe.