Healthcare will be a hotbed of consumer data breaches in 2014, according to an Experian report, "2014 Data Breach Industry Forecast."
"The healthcare industry, by far, will be the most susceptible to publicly disclosed and widely scrutinized data breaches in 2014," according to the report (registration required), which addressed healthcare risks as one of six major trends. "The sheer size of the industry makes it vulnerable when you consider that as Americans, we will spend more than $9,210 per capita on healthcare in 2013. Add to that the Healthcare Insurance Exchanges (HIEs), which are slated to add seven million people into the healthcare system, and it becomes clear that the industry, from local physicians to large hospital networks, provides an expanded attack surface for breaches." The "attack surface" of a system is the set of points at which it can be attacked or at which an error can expose it; the larger that set, the greater the opportunity for a breach.
Best known as a credit bureau and consumer data tracking service, Experian also has a business helping companies recover from personal data breaches. The company has had its own data security problems this year. Michael Bruemmer, vice president of its breach resolution service, Data Breach Resolution, and author of the report, said healthcare accounted for about 46% of the breaches his division serviced in 2013 -- and he expects that to rise significantly in 2014.
Bruemmer said he is basing this prediction at least partly on reports of security risks posed by the HealthCare.gov website and the health insurance exchanges established by various states. The web infrastructure to support health insurance reform was "put together too quickly and haphazardly." The most glaring problem for these sites has been their inability to keep up with consumer demand. The organizational infrastructure behind the implementation of Obamacare is also complex, meaning that many parties have access to the personal data and could misuse or mishandle it. "So we have volume issues, security issues, multiple data handling points -- all generally not good things for protecting protected health information and personal identity information."
Another factor: In 2014, the industry will feel the full force of tightened rules that went into effect in September for protecting health information and disclosing breaches.
Part of the problem is that many participants in the healthcare industry, such as individual doctors' offices, don't think of themselves as being in the data management business, so they are inadequately prepared to protect data against the threats that exist today, according to Bruemmer. In most cases, data breaches have less to do with advanced hacking techniques than with lost laptops, failing to shred paper records, and other employee errors. Though the threat from malicious insiders is significant, a bigger threat is "people doing dumb things."
In the IT realm, there are stories of people installing anti-malware software but forgetting to turn it on. "And then there's my favorite: where the people in the network operations center actually left the door unlocked, and another employee came in, sat at a console, and played around with the system to see what he could get."
Overall, Experian's remediation group worked on more than 2,200 breaches in 2013, versus 1,700 in 2012. In three of the top 10 breaches, the error was traced to a system administrator's sloppy password practices, such as neglecting to change a default password or carelessly sharing the password.
Whether stolen or accidentally disclosed, healthcare data is valuable, and that makes it a target. On the black market, personal records suitable for use in identity theft are worth $10-$12 each at the low end or maybe $25-$28 for a particularly attractive identity, he said. When enriched with health data, the value of an identity data set jumps to about $50 per record, because then it can be used for medical and insurance fraud.
"The threat is out there, and the threat is going to get bigger," Bruemmer said. "The point is to ensure that you're prepared and have a plan in place."
Though the online exchange of medical records is central to the government's Meaningful Use program, the effort to make such transactions routine has just begun. Also in the Barriers to Health Information Exchange issue of InformationWeek Healthcare: why cloud startups favor Direct Protocol as a simpler alternative to centralized HIEs (free registration required).