From: Healthcare Informatics
by Rajiv Leventhal
Industry expert weighs in on the most pressing issues surrounding data security
In healthcare, access to data and information is so strongly demanded by patients, providers, payers and employees that it is fast becoming a target of security and risk. Regulations such as the Health Insurance Portability and Accountability Act (HIPAA) require organizations to implement safeguards to ensure the integrity and privacy of patient records. However, because of the wealth of data in the industry that can be monetized by cyber criminals, healthcare organizations are now increasingly vulnerable to cybercrime.
Thus far in 2013, 48 percent of reported data breaches in the U.S. have been in the medical/healthcare industry, according to a breach report in May from the Identity Theft Resource Center. In 2012, there were 154 breaches in the medical and healthcare sector, accounting for 34.5 percent of all breaches in 2012, and 2,237,873 total records lost, the breach report found.
Undoubtedly, the proportion of healthcare data breaches is rising fast, with the largest majority targeting patients’ personal information. And industry-wide, organizations simply aren’t doing enough to prevent theft by employees and unauthorized personnel, says Jason Polancich, a 20-year veteran of the U.S. intelligence community and co-founder of HackSurfer, a Glenelg, Mich.-based independent analytics and media firm founded in 2012 that provides information to businesses regarding the cybercrime threats they face.
Earlier this year, HackSurfer announced the launch of its service to the public. Polancich says his goal is to create the world’s largest cybercrime event data warehouse, so people have basically the equivalent of weather information, which would include the industry that got hit, what happened, who did it, and how they did it. Polancich recently spoke with Healthcare Informatics Assistant Editor Rajiv Leventhal about how data breaches occur, what the biggest data security challenges to healthcare organizations are, and how organizations can better prevent and anticipate these attacks. Below are excerpts from that interview.
What makes healthcare data so wide open for cybercrime? Is this an issue that is worse than ever before?
Yes, in a few respects. There are complex analytics that we love about healthcare and cybercrime—particularly, how the crimes are being carried out and what they’re resulting in for the practices. Employee negligence and data theft are the two big reasons for it; people see healthcare as a serious treasure trove for personal identifiable information. For healthcare organizations, IT security is not often the first concern—I’m not saying that it is not paid attention to, but it is not a main priority. As such, people tend to have easier access to the data, including everyone down to the secretary who schedules appointments. Leaving data out, leaving laptops open, leaving medical equipment that stores patient data around are key problems. We see that more in healthcare than in any other industry.
What types of attacks are most common?
Data breaches are most common, and they can occur in a few ways. Either employees are stealing the data, such as pharmaceutical and prescription data, and selling it, or they’re selling identities so these crime drug rings can use them to go out and falsify other information. But it’s all about the data. What can they get access to and what can they sell? So primarily what we see are network intrusions, or employees being paid to provide access to networks and systems. Employees are helping the bad guys for profit, and we’re seeing more of that this year.
What prevention methods can organizations take?