This article first appeared on 1776dc.com on November 14, 2014.
We are all used to the steps banks take to protect our financial information. They range from security questions when we log in, to telephone verification calls to activate new cards, to that annoying practice where, after a series of quick transactions, the last one gets declined until we verify with the bank who we are.
But we accept all of these because we understand that the practices are intended to protect us from someone stealing our (or is it the bank’s?) money.
Yet, we do not insist on the same level of protection when we go to our doctor. While we view our health data as being private, we do not necessarily think of it as being valuable. We are happy to share it with anyone who asks, recycling our health insurance data, medical history and payment information on form after form. Of course, we may restrict what we share with regard to diagnosis, but we willingly sign the HIPAA waiver telling the doctors they can share our data with pretty much whoever they want (fortunately the law restricts that to only those involved in treating or billing us).
Yet, here is the truth: Health data can be far more valuable to criminals than financial data. According to the World Privacy Forum, a stolen credit card or Social Security number fetches $1 or less on the black market—but a person’s medical information can yield up to $500.
What causes this? The aforementioned financial protections mean that a criminal who has your credit card details may be able to run up a few hundred, or even a few thousand dollars, in purchases. But between your card’s limit and the fraud protection measures, the card is typically shut down within a day or two. You are then issued a new credit card with a new number.
However, your health information does not change. With sufficient details, criminals can create a new identity and use it to commit all kinds of fraud for months or even years. A single false identity can generate a perpetual income stream of tens of thousands of dollars. A common use for health data is Medicare fraud, which can go undetected for years. According to the FBI, Medicare fraud totaled between $17 billion and $57 billion in 2011. And while not all of this was related to stolen health records, this number is growing.
Additionally, criminals may also use a person’s health information to make false claims for medical services or goods. The impact of this goes beyond the fraud itself: It often results in erroneous information being added to a person’s medical record, causing potentially harmful outcomes for that individual.
So why don’t hospitals and insurance providers offer the same protections as financial or retail institutions? Most healthcare systems are simply not geared up to do so. With the introduction of regulations such as ‘Meaningful Use,’ more health organizations are putting health data online in the form of Electronic Health Records, or providing patients with mobile- and cloud-based access to improve the delivery of care. While the same regulations demand that these organizations also put reasonable protections in place, there is no doubt the healthcare industry is playing catch-up in its ability to protect against major exploitation.
Criminals are aware of this, which makes healthcare organizations an increasingly attractive target.
Grant Elliott is the founder and CEO of Ostendio.