Be proactive, not reactive, in protecting healthcare data

David Rice, Bisk Education

Identity theft is a major concern for all companies that collect customer data, but the potential consequences of data breaches in the healthcare industry can be especially dire, going beyond the theft of identities and financial information that occurs in other types of database intrusions.

Aside from the typical repercussions of exposing addresses, Social Security numbers and personal data, medical identity theft can create a dangerous health risk if a thief hijacks a victim's insurance to receive treatment, mixing and confusing medical records.

This form of identity theft is extremely costly to the victim as well as to the company that gets hacked. Unlike credit card identity theft, where a victim's liability is limited to $50, medical identity theft costs victims $13,500 on average, according to a July 2015 USA Today article.

Healthcare data breaches represented 42.5 percent of all breaches over the last three years, the article said, with 91 percent of healthcare organizations reporting at least one data breach in the last two years.

The number of people at risk was highlighted by two high-profile breaches at healthcare companies that illustrate the problems and shortcomings of data protection.

The first was a cyber-intrusion of Anthem, Inc., the nation's second-largest insurer, in which thieves stole records of 78.8 million people, including millions who are not Anthem customers.

Another cyberattack, on UCLA Health System, gave thieves access to the records of 4.5 million people.

However, Anthem and UCLA Health have said those records may not have included patient information.

Medical identity theft has become a costly and potentially dangerous side effect of digitizing health data, but healthcare companies may not be equipped or prepared to protect the information.

Best practices for protecting data are not always easy for healthcare companies to follow, as they are usually not IT experts. According to Mayo Clinic Chief Information Security Officer Jim Nelms, healthcare information is more vulnerable than financial information because the industry is often 10-15 years behind in its IT practices.

Encryption of client data, mobile device security policies, written indemnification agreements and a plan that clearly outlines network privacy and the organization's procedure for responding to incidents are all important boxes a healthcare company should check off, but the appropriate knowledge needs to be present in the organization for that to happen.

The data taken in the UCLA hack, for example, was not encrypted, the USA Today article said.

Medical devices make up roughly 40 percent of the technology being used in hospitals, and with doctors sharing information, security breaches are common, costly and complicated. From crisis management to the likelihood of legal actions, the cost of a single data breach can reach $3.8 million for the healthcare company, according to a study by the Ponemon Institute.

Protecting Health Data

A proactive approach to health data security is the key to reducing costs as well as the time it takes to identify a breach and contain it. Continuous monitoring is now a necessity to maintain the appropriate level of risk management as it provides meaningful, actionable intelligence and reporting rather than just data collection.

One of the biggest risks, however, comes in the form of security awareness for the workforce of a healthcare organization. Frequent, engaging security awareness training coupled with situational training can help limit risk and keep employees up to date and aware of the latest red flags and schemes.

Integration of Business Continuity Management (BCM) personnel who are trained to identify risks, threats and vulnerabilities to the system and develop effective responses that help the organization be more resilient against attacks can benefit companies immensely. Their presence can lower the cost of a data breach as well as speed up the response and containment process.

Additionally, healthcare organizations need to communicate with one another, sharing threat intelligence data and advanced analytics to make systems across the industry more difficult for hackers to penetrate.

The cost of detection has been high for healthcare organizations in recent years due to their lack of preparedness. By educating employees, conducting more frequent vulnerability assessments and increasing data encryption, companies can lower the cost of a compromised record, which in 2014 cost healthcare companies an average of $363 per stolen record.

The Cost of a Data Breach

Data breaches can come with a price beyond the previously stated $3.8 million of the remediation process. Cybersecurity is now a common concern among consumers, meaning a breach can lead to a damaged reputation and a significant loss of business. In 2014, the cost of a breach in terms of loss of business was $1.57 million on average. Therefore, data protection is as much a business challenge as an IT hurdle.

Building a strong security posture has become the priority of executives, many of whom are becoming more personally involved in data security strategy and response systems. Cyber insurance has also become a necessity as remediation costs linked to criminal breaches reached $170 per record globally for all data thefts, with the number of stolen records in the hundreds of thousands in some cases.

Information that can be extracted from health records is extensive and valuable to hackers who obtain it. The market for health information is growing as black market prices for medical records can run 10 times those of personally identifiable information from hacks in other industries.

That demand for healthcare data will continue to make things more complicated. And according to the Mayo Clinic's CISO Nelms, new technologies that are being used for healthcare treatment are not ready to improve security.

"For the next period of time -- I don't know how long -- we are going to have to craft and use things that are going to be marginally successful. Information security in the last few years has changed from stopping things from happening to creating regular, positive change in the reduction of risk," Nelms told the Wall Street Journal.

David Rice writes for Jacksonville University on behalf of Bisk Education, covering health informatics and nursing.