Here’s a startling headline: Your medical records are worth more to hackers than your credit card.
The headline, which appeared in Reuters two years ago, is no less applicable today. Medical information sold on the dark web is currently four times as valuable as a social security number, and the problem of healthcare hacks has skyrocketed. In a recent Ponemon study, 89 percent of healthcare providers surveyed admitted at least one breach in the previous 24 months.
In short, your health data is worth more than you think—and that’s creating big problems for insurance companies and medical practices alike.
Why Criminals Want Health Data
Hacking a medical practice or hospital’s systems is remarkably easy (we’ll get to that later), and once you’re in, the information available on any given patient is often enough to steal their identity.
Think of it this way: once you’re admitted to a hospital or share your information with a medical practice, you’re giving that institution access to your name, birth date, policy number, diagnosis codes, and billing information. In some cases, you could also be giving access to your social security number.
If criminals can get their hands on that information, they can use it to create fake identities that could allow them to buy (and resell) medical equipment or drugs, or they could combine a patient number with a false provider number and file fake claims with insurers (see examples in the Reuters piece above). And because those records often contain addresses, phone numbers and employment history, criminals can also use this information to file fake tax returns.
Health Data Is Expensive and Easy to Hack
The average social security number can be purchased on the dark web for around $15, but a medical record with all of the personal information attached can go for $60 or more.
One reason health data is so expensive is that you can do so much with it (see possibilities above), and medical identity theft can take years to uncover—unlike a stolen credit card, which will be quickly cancelled once fraud is detected.
And since medical facilities tend to invest money in equipment used to treat patients rather than in IT and security infrastructure, healthcare records are exceedingly easy to obtain. Security experts who have seen the inside of medical practices and hospitals regularly report aging computer systems and lax security practices, which in turn lead to more and more headlines about major hospitals facing big breaches of healthcare records.
As for smaller medical practices and insurance brokers? They’re getting hit, too—even if they aren’t making headlines for it.
How Hacks Impact Medical Practices and Insurance Companies
Hacked medical information isn’t just valuable to hackers and would-be criminals. It’s also valuable to the medical practices, hospitals, and insurance companies who own the records. A report issued by IBM tallied nearly 100 million healthcare records compromised last year—which, according to the report, made those records a hacker’s number one target.
In fact, insurance companies are citing medical records theft as one reason for increasing insurance premiums (see incidents of medical identity theft above). As for hospitals, hackers will occasionally use stolen records for extortion—either pay to keep them quiet or run the risk of having those records sold on the dark web.
If your practice suffers a breach of medical records, you could face lawsuits, fines, government actions, and the added cost of providing identity theft monitoring services to patients affected by the breach. That is, of course, in addition to the lost trust of the patients to whom you provide services.
What You Can Do to Prepare for Health Records Hacks
Take the position that if you’re going to collect it, you need to be sure you can secure it. That means understanding what security policies you have in place now and what you will need to secure those records. This is something the financial industry has had to do for years, and there are strong suggestions that changes to this effect are coming to the healthcare arena.
Remember, too, to invest in your IT infrastructure. New medical equipment is essential to your practice, but so, too, is patient information security. Old systems can make hacks easier.
Lastly, prepare now before a breach happens. Know what you’ll say to your patients if a breach happens. Have a plan for mitigating the damage. Consult with professionals now rather than after the fact.