Addressing the growing problem of data breaches in the health care sector

This is a guest article written by David Balaban. The author’s views are entirely his own and may not reflect the views of IT Governance.

The health/medical and business sectors top the Identity Theft Resource Center (ITRC) Breach List. The health/medical sector alone accounts for 35.5 percent of all breaches.

Although data breaches at big retail chains like Home Depot may be what first comes to consumers’ minds when they think of data security, a file storing a person’s medical information can leave the victim far more exposed.

Exploitation or misuse of this information can have impacts ranging from medical to financial. Medical records not only hold payment details and billing data, exposing sensitive credit card information, but also contain other highly sensitive data such as Social Security numbers and anything else a fraudster needs to obtain health services using the victim’s identity.

If the scammer’s medical data becomes mixed with the victim’s, the victim could end up being given medication to which they are allergic, or the record might list the wrong blood type.

For quite some time, the major cause of lost or stolen patient information was medical workers losing computer devices or having them stolen. Since 2014, however, the biggest cause has been online attacks.

Companies in the health care sector, such as hospitals, their business partners, and the organizations that work to protect and manage patient data are often targets of cyber attacks.

Nine out of ten health care companies suffer at least one data breach every year. In almost every case, sensitive patient data is lost or stolen. About 60% of health care subcontractors face similar problems.

There are three main reasons for this. First, the Affordable Care Act of 2010 made it mandatory for health care providers to store all health information digitally, while the American Recovery & Reinvestment Act of 2009 pumped money into the industry. Today, the majority of this sensitive data is held electronically, which increases the opportunities for hackers.

Second, other industries like retail and financial services have become substantially more attentive to data protection. An increasing number of credit cards are switching over to EMV, which uses a chip in addition to the magnetic stripe. These are tougher to hack because each EMV transaction generates a unique code that cannot be reused, whereas the data on a traditional magnetic stripe can be replayed again and again.

As it becomes tougher to hack such industries and profit from their information, hackers are shifting their activities to more vulnerable sectors like health care.

The third reason is that health care data goes for a higher price on the black market. The FBI has seen insurance data sold for $60-$70 per record on the black market, while a Social Security number fetched only a dollar.

Altogether, this makes the health care industry an ideal target for obtaining sensitive data: the data is easy to find and worth more, and medical organizations have weak data protection measures because they have not previously seen the need for them.

Because health care companies have adopted digitized records only recently, their information security mechanisms are not yet very sophisticated. Their partners may use better security protocols, but their own employees are not as well trained to protect records and devices that hold important information.

Hackers have several ways to benefit from patients’ information:

  • Obtaining health care for themselves.
  • Selling the information to uninsured people or reselling it to other hackers.
  • Health insurance and Medicaid fraud. For example, a scammer pretends to sell medical equipment, such as wheelchairs. Every Medicaid number in their possession lets them bill the government a substantial sum for a wheelchair that was never shipped. A similar fraud can be carried out with prescription drugs.
  • Infecting computer systems with malware that encrypts medical records, then demanding a ransom from the hospital to unlock the data.

How to protect yourself

As the health care industry is not well equipped to secure itself, people who want to protect themselves from medical identity theft have fewer options than the financial services sector provides. With that in mind, there are some measures you can take on your own.

  • Obtain a copy of your medical information from your health care provider and check it to ensure accuracy.

The information you receive should cover your entire medical history accurately. If there is something you do not recognize, it could indicate that your health data has been mixed with another patient’s, either a fraudster’s or that of someone who shares your name. It is important to ensure that your medical information, including your blood group and allergies, is correct in case you end up in the emergency room or require medication or a blood transfusion.

  • Read your EOB attentively.

EOB stands for “Explanation of Benefits”. It reads “This is not a bill” at the top, which is why most people do not read through it. Each time you receive one, check that everything is correct: the list of services, the dates, and the provider named should all match your own visits. If not, this is the earliest point at which you can detect that somebody else is using your health insurance or other personal information.

  • Provide your SSN only when necessary.

If you are asked to provide your Social Security number, try to find out why it is required and whether you can avoid providing it. Some institutions have started using their own registration systems for patient data.

  • Check your credit reports regularly.

Get a report at least once every four months to keep tabs on your credit.

  • Make use of medical identity theft tracking services.

There are many companies that provide identity theft monitoring services centered on health care data. These will notify you every time a health care transaction takes place.