In light of the recently reported large healthcare data breaches that have resulted in the potential theft of the personal information of millions of patients, the FBI warned healthcare providers yet again of the dangers of cyber attacks.
Healthcare providers, already sensitive to the need for increased patient data protection in response to the 2013 amendments to HIPAA that strengthened security requirements and imposed more severe penalties, have even more reason to be cautious with regard to patient health information. Hackers have increased their focused attacks on the U.S. healthcare industry. According to an annual survey by the Ponemon Institute, the share of healthcare organizations reporting a cyber attack increased from 20 percent to 40 percent between 2009 and 2013. Security experts attribute this increase to the healthcare industry’s weak security standards coupled with the profitability of patient health information.
Many healthcare-related companies rely on aging computer systems with dated security features. The vulnerability of patient information to cyber attacks is only exacerbated by the dramatic shift from paper medical records to electronic records by providers in recent years. Adding to the concern, the theft of medical information is far more lucrative to would-be criminals than credit card information. Health information (which includes such data as patient names, birthdates, policy numbers, diagnosis codes and billing information) can be sold on the black market for 10-20 times the value of a U.S. credit card number. Additionally, unlike credit cards, which may be quickly canceled once fraudulent activity is detected, it often takes months or years before patients or providers discover the theft of medical information.
A breach of patient information not only may cause providers to incur costs due to compliance with federal and state breach notification requirements, but also may subject a provider to significant administrative penalties. While providers may cite budgetary concerns as preventing them from investing in updated security measures, they must balance these immediate financial concerns with the potential cost of responding to a breach in the future, with attendant regulatory investigations, civil monetary penalties and lawsuits that may follow.