The importance of cybersecurity has received a lot of news attention lately with Target and eBay both making headlines due to massive IT security breaches involving people’s financial information. Huge numbers of individuals were forced to cancel their credit cards as well as their bank and PayPal accounts and open new ones. The risk of hackers discovering a person’s financial information was great, but the remedy, although inconvenient, was fairly simple.
When cybersecurity breaches involve stealing personal health information (PHI), the damage to the individual may be permanent. There is no way to cancel a person's PHI.
The healthcare industry trails other industries in implementation of IT security measures
The chief technology officer (CTO) of a security rating firm, Stephen Boyer, recently noted, in an article published at Information Week Healthcare, that healthcare organizations are lagging behind other industries in responding to cybersecurity attacks.
Boyer referenced his company’s recent report, Will Healthcare be the Next Retail, which analyzed the number of IT security breaches experienced by four industries: financial, utilities, retail, and healthcare and pharmaceuticals (healthcare). Between April 1, 2013, and March 30, 2014, the time that was studied, healthcare experienced the greatest increase in numbers of security breaches and had the slowest response time when compared to the other three industries.
The other three industries responded to breaches within 3.5 to 4 days. Healthcare in general took a full five days to respond cyberattacks. Boyer finds this lag time by healthcare, in even beginning to remediate IT security attacks, disturbing.
The Department of Health and Human Services (HHS) is hoping to rectify this problem and is imposing bigger fines and greater consequences for security breaches. It recently settled an online security breach of HIPAA server regulations with New York-Presbyterian Hospital and Columbia University for $4.5 million. This is the largest penalty that has ever been imposed on a healthcare provider for the use of a compromised server.
Motivation for theft of PHI
Cyber thieves can sell each credit card on the black market for $1 a card. In contrast, one patient’s PHI sells for $20. Some thieves use the information to blackmail victims of PHI theft with threats to release the information to the public if the victims do not pay the PHI ransom to get back their records.
Other PHI records are sold to those who use the records as their own. They seek treatment and prescription drugs using the PHI record. This all goes on the PHI of the victim. The now erroneous information on the victim’s PHI may make a difference between life and death when further treatment is needed. The records are no longer accurate.
Healthcare organizations need to improve their IT security to prevent more PHI breaches
Boyer notes that a major problem with IT security in all healthcare organizations is that, until recently, HIPAA privacy regulations have been sufficient to prevent leaks, and most breaches have been due to human error and accidental release of information as opposed to intentional cyberattacks.
Unfortunately, being HIPAA compliant is no longer enough to prevent IT security breaches. Older healthcare organizations need to update their technology to be sure they have the best possible cybersecurity. Otherwise, patients are going to switch to providers they can trust to have the most advanced IT security systems.
There is also a concern that patients will not be as open with their healthcare providers, keeping some vital health information to themselves for fear that a breach could reveal their private information. This may compromise treatment and be seriously detrimental to a patient’s health.