“Who would want patient data?”
This is what plenty of healthcare workers are asking their information security co-workers. As it turns out, healthcare data is the new credit card number. Stolen credit card numbers are easy to get hold of, and precisely because of this, defenses against credit card fraud have improved significantly over the past few years; the useful lifespan of a stolen credit card number is shrinking. The same cannot be said for healthcare data. Patient information can be used for identity fraud, insurance scams and illicit drug purchases, and because awareness of this issue is low, stolen patient data can bring thieves a lot of profit.
Setting the scene: Healthcare cybersecurity statistics
- The percentage of healthcare organizations that have reported a criminal cyber attack has risen to 40% in 2013 from 20% in 2009.
- The average cost of data loss or theft to a health care organization is estimated to be $2.4 million in 2014, an increase of 20% from 2013.
- Complete health insurance credentials sold for $20 apiece on underground markets in 2013, according to Dell SecureWorks. That is 10 to 20 times more than a U.S. credit card number with its security code.
- In late August 2014, Community Health Systems, the second largest for-profit U.S. hospital chain, disclosed that Chinese hackers exploited the Heartbleed web security flaw to steal data on 4.5 million patients.
If you take a good look around a doctor’s office, security flaws are abundant, even to an untrained eye. So why aren’t they fixed? Why do employees leave themselves logged in at hallway computer stations, or let patients view screens that contain data for multiple patients? Because security is not a top priority. Here are just a few reasons why healthcare workers are uninspired to diligently practice information security:
- They can’t remember all the passwords required for all the different programs.
- Time is precious in places like the ER. There is no time for multiple-factor authentication.
- They don’t understand how patient data can be exploited.
- It seems pointless to log out if using the same room all day.
Some of these concerns are valid, but they should be used to inspire new security methods, not as excuses to avoid security measures.
The HIPAA effect
There is no doubt that the Health Insurance Portability and Accountability Act (HIPAA) has changed healthcare security for the better. In 2005, healthcare organizations had to begin complying with HIPAA’s final rule, the Security Rule. While the Security Rule complemented the previously enacted Privacy Rule, it deals specifically with Electronic Protected Health Information (EPHI). It requires providers to implement administrative, physical, and technical safeguards.
Since 2005, healthcare organizations have created security policies, discussed security at workforce training sessions, and hired designated security officials. All of these efforts have increased security, but not enough.
As a security professional in the healthcare industry, the best thing you can do right now is spread awareness. All the security technology and tools in the world will not keep your data safe if employees don’t feel compelled to use them.