On August 18, 2014, Community Health Systems (CHS), a 206-hospital system with over 31,000 beds in 29 states, reported to the Securities and Exchange Commission (SEC) that medical records were stolen from its servers between April and June of 2014, exposing the medical information of 4.5 million patients. According to data collected by the U.S. Department of Health and Human Services, this is the largest security breach to date in the healthcare industry.
This recent theft is only the tip of an iceberg of security breaches the healthcare system has dealt with in recent years.
Not including the CHS breach, the U.S. Department of Health and Human Services estimates that more than 30 million people have been affected by medical record breaches, most of which were due to theft. Over the last 10 months, for example, security firm Websense has seen attacks on healthcare-related firms increase by 600%. The industry also ranked first on the Identity Theft Resource Center’s list of data breaches for the first time in 2013.
The healthcare industry has not prioritized IT security, even though the revolutionary changes in the system have a lot to do with technology: the shift to electronic medical records and the use of data for research and trend forecasting. It has been spending less on protecting its systems and data than most industries. According to a February 2014 survey by the Health Information and Management Systems Society (HIMSS), the average healthcare firm spends only about 3-4% of its IT budget on security.
It is clear that security is not a priority for the healthcare industry, and this makes it an easy and attractive target. The cost of breaches to the healthcare industry is estimated to be in the billions, but according to a 2013 study, only about 69% of organizations have a breach plan in place.
Patients are Biggest Losers in Healthcare Data Breaches
While hospitals stand to lose millions of dollars in data breaches, patients bear the brunt of it, because every piece of information in their medical records is valuable. Records hold Social Security numbers and other personal information that can be used for identity theft.
While health records are not like credit cards, the data contained in medical records is considered protected under the Health Insurance Portability and Accountability Act (“HIPAA”) because it includes patient names, addresses, birthdates, telephone numbers and Social Security numbers.
Social Security numbers are “the single most important piece of government-issued identification an American citizen can have, and the most valuable piece of ID cybercriminals can get their hands on”. Unlike credit card information, which has built-in mechanisms to protect against fraudulent use, medical records have no such built-in protection.
Securing Healthcare IT Systems is Important
There are always ways to keep cybercriminals from stealing valuable patient information.
1. Adopt a security policy that establishes a program of continuous risk monitoring. Annual security updates and scans no longer suffice, given how complex healthcare IT systems have become. Just as security guards patrol the hospital around the clock, IT security should be continuous.
2. Monitor areas of vulnerability. There are weak links in the IT system, places where hackers can get in easily, and these need to be identified and fixed. Passwords, according to experts, are quickly becoming health IT’s weakest link.
3. Hire an IT security professional. Experts agree on bringing in providers to handle the job. While professionals from other sectors may not understand the intricacies of hospitals as well, they often have more security experience than people in the health IT field do. An expert can monitor the changing IT landscape and plan ways to resolve its issues.
Investing in Healthcare IT Security is Important
Despite overwhelming evidence of the need to invest in IT security, healthcare organizations still struggle to put their money into fortifying their IT systems. We really can’t blame them, as patients are the focus of the industry, and spending on patient health or infrastructure has a more obvious benefit.
However, healthcare organizations need to realize that focusing on IT security is a way of taking care of patients: their valuable personal information and, most importantly, their trust. Hackers are getting more sophisticated and aggressive, and hospitals need to step up their game as well. IT security is not a one-time investment but a continuous process of monitoring, upgrading and mitigating attacks. One thing is for sure: investing in IT security is certainly more affordable than cleaning up the mess and dealing with the losses once a data breach happens.