The healthcare industry is facing a data security and privacy epidemic. In the U.S. alone, healthcare data breaches are occurring at a rate of more than one a day, while breach-related costs average $408 per record – more than any other sector. And, it’s only going to get worse before it gets better, as cybercriminals are becoming smarter and more devious in order to get their hands on medical records that sell for as much as $1,000 apiece on the Dark Web.
While a single breach can cost a healthcare organization millions of dollars and permanently damage its brand’s reputation, its impact on patients (consumers like us) is perhaps the most alarming. Unlike credit card fraud, where the victim can simply change their card number and often receive reimbursement through their bank, fraud involving protected health information (PHI) comes with far more damaging consequences.
Because a medical record contains a wealth of sensitive information – Social Security numbers, addresses, birthdates, family members’ contact information, payment information and insurance policy data – as well as historical medical information (prescriptions, test results, treatment plans) that cannot be changed – the stakes are higher for identity theft. Just imagine if a cybercriminal were to pose as the patient to get their hands on a life-saving prescription or tamper with existing records. Further, hackers can leverage the personal information they uncover to intimidate, harass or blackmail individuals. In fact, the FBI issued a warning about this very issue just last year.
Complicating the situation for healthcare organizations is that cybercriminals, hackers and fraudsters outside the company aren’t the only ones targeting PHI. Fifty-eight percent of all healthcare data breaches and security incidents are caused by people inside the organization. Therefore, anyone in the healthcare chain with access to patient data poses a potential threat. This could involve a third party with unrestricted access to a hospital’s server room, such as an IT contractor, capturing data through a Remote Access Trojan, or a rogue patient service representative in a healthcare provider’s billing and collections department copying down a caller’s payment card numbers.
There are numerous real-life examples of such incidents involving the insider threat. For instance, a medical assistant at a Michigan doctor’s office was charged in June 2018 with printing out patient profiles, which contained sensitive personal information, and sharing the information with others who used it to “commit federal crime.” Similarly, in 2017, SSM Health, a St. Louis-based healthcare system, revealed that a customer service representative previously employed in its contact center had accessed the records of 29,000 patients who were prescribed a controlled substance. Although SSM Health did not specify which “illegal activities” this individual performed, the situation demonstrates the dangers of storing a wealth of easily accessible patient data.
However, not all “insiders” have malicious intentions. Sheer curiosity can prompt a healthcare professional or service rep to sneak a peek at sensitive data. By human nature, employees can’t resist looking into a neighbor’s, friend’s or even a celebrity’s file. Even if no data is taken, accessing a patient’s information when there is no legitimate reason to do so is a clear violation of the Health Insurance Portability and Accountability Act (HIPAA) and can incur fines anywhere between $100 and $50,000 per violation or per record.
Shouldn’t the Hippocratic Oath extend to protect patient data?
Whether data is maliciously or accidentally exposed, the heart of the matter is that the more sensitive information that is accessible, the greater the risk. But the frequency of such incidents leads to an interesting observation: If the modern Hippocratic Oath states, “I will respect the privacy of my patients,” shouldn’t that statement extend to protecting patient data?
I recently spoke with Phil Fasano, CEO and co-founder of Bay Advisors, LLC, and former executive at Kaiser Permanente and AIG, to get his take on the situation. Fasano, who has been advising the healthcare market for decades, couldn’t agree more. “The Hippocratic Oath should extend to protect patient data privacy… period,” he said. “It is not an option.”
Fasano recommends healthcare organizations conduct thorough background checks on all employees (even temporary employees, contractors and contact center workers), replace vulnerable legacy systems and segment networks to better secure patient data. He also described a data privacy and compliance solution he helped create and implement at Kaiser called “Break the Glass.”
“If an employee unnecessarily viewed PHI, the technology alerted the appropriate personnel to take action,” Fasano said. “Similar technologies are emerging that use machine learning and pattern recognition to flag suspicious activity, such as an employee who views thousands of patients’ records a day when colleagues view only a few hundred.”
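The two controls Fasano describes, an alert when PHI is viewed without a legitimate reason and a peer-volume comparison that flags a user who touches far more records than colleagues in the same role, can both be run over an ordinary access log. The example below is added here and is not code from Kaiser, Semafone or the article; the log format (timestamp, user, role, patient ID, reason code), the set of accepted reason codes and the "five times the peer median" threshold are all assumptions, and the log lines are constructed for the demonstration.

```python
"""Peer-baseline volume detection and a justification check over a PHI access log.

Added example, not from the article. The log layout, reason codes and threshold
are assumptions chosen for illustration.
"""
from collections import defaultdict
from statistics import median

# Reason codes an access is allowed to carry (assumed set for this example).
ALLOWED_REASONS = {"treatment", "billing_inquiry", "payment", "audit"}


def build_sample_log():
    """Return a constructed access log: one event per line.

    Layout: <timestamp> <user> <role> <patient_id> <reason_code>
    Five billing clerks each open three patient records; clerk06 opens forty;
    clerk02 also opens one record with no recognised justification.
    """
    lines = []
    for i in range(1, 6):
        for p in range(3):
            lines.append(f"2024-03-04T09:{i:02d}:00Z clerk0{i} billing "
                         f"P{1000 + i * 10 + p} billing_inquiry")
    for p in range(40):
        lines.append(f"2024-03-04T10:00:{p:02d}Z clerk06 billing P{2000 + p} billing_inquiry")
    lines.append("2024-03-04T11:15:00Z clerk02 billing P9999 none")
    return "\n".join(lines)


def parse_log(text):
    """Parse the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, reason = line.split()
        events.append({"day": ts[:10], "user": user, "role": role,
                       "patient": patient, "reason": reason})
    return events


def distinct_records_per_user_day(events):
    """Count distinct patient records each user opened per day, keyed by role."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["role"], e["day"], e["user"])].add(e["patient"])
    return {key: len(patients) for key, patients in seen.items()}


def flag_volume_outliers(events, multiplier=5.0, min_peers=3):
    """Flag users whose daily record count exceeds multiplier x the median of
    their same-role peers for that day. Groups with too few peers are skipped
    because a baseline built from one or two colleagues is not meaningful."""
    by_group = defaultdict(dict)
    for (role, day, user), n in distinct_records_per_user_day(events).items():
        by_group[(role, day)][user] = n
    flagged = []
    for (role, day), users in by_group.items():
        if len(users) < min_peers:
            continue
        for user, n in users.items():
            peer_counts = [m for u, m in users.items() if u != user]
            baseline = median(peer_counts)
            if n > multiplier * baseline:
                flagged.append({"user": user, "role": role, "day": day,
                                "records": n, "peer_median": baseline})
    return flagged


def flag_unjustified_access(events, allowed=ALLOWED_REASONS):
    """The 'break the glass' case: any access without an accepted reason code."""
    return [e for e in events if e["reason"] not in allowed]


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    for o in flag_volume_outliers(evs):
        print(f"VOLUME  {o['user']} opened {o['records']} records on {o['day']} "
              f"(peer median {o['peer_median']})")
    for e in flag_unjustified_access(evs):
        print(f"REASON  {e['user']} opened {e['patient']} with reason '{e['reason']}'")
```

The peer median is computed excluding the user being scored, so a single heavy user cannot inflate the baseline used to judge them; in production the same logic would run per role and per day over the real audit trail, with the threshold tuned to the observed spread of legitimate workloads.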
While I can’t stress enough the importance of following best practices and implementing stringent processes, the best way to protect patient data and abide by the Hippocratic Oath is simple: Don’t hold patient data in the first place. Healthcare organizations, whether a doctor’s office, a collections agency, an insurance provider or a pharmacy, owe it to their patients to investigate new methods and technologies for keeping as much sensitive data as possible out of their environments. This could involve offloading it to a compliant third party, purging databases and encrypting or tokenizing the data that simply can’t be removed.
Although we are far from a cure for this data security and privacy epidemic, the healthcare industry owes it to patients to do everything in its power to protect our most sensitive information. It could be a matter of life or death.
Tim Critchley is chief executive officer of Semafone.