From The Editor | May 7, 2013

Are Health Data Breaches An Epidemic?

By Ken Congdon, Editor In Chief, ken.congdon@jamesonpublishing.com
Follow Me On Twitter @KenOnHIT

As the healthcare industry continues to digitize patient data as part of the EHR movement, instances of reported health data breaches are on the rise. In the past few weeks alone, the following notable security breaches made headlines across the country:

  • The Utah Department of Health suffered a data breach in March 2012 when hackers broke into a Medicaid server and removed patient files. Nearly 800,000 patients were affected and approximately 280,000 unencrypted Social Security numbers were exposed. Experts say this breach could result in 122,000 cases of fraud.
  • In April 2013, the William Jennings Bryan Dorn VA Medical Center notified 7,405 patients that an unprotected laptop containing their personal health information was stolen. The organization now faces a federal lawsuit as a result.
  • The prescription information of 788 customers of a Little Rock, AR Kmart pharmacy was compromised when thieves stole a backup device from the retailer.
  • Altamonte Springs, FL-based Adventist Health System/Sunbelt was slammed with a class action lawsuit for allegedly failing to safeguard the protected health information of more than 763,000 patients in its electronic database. Emergency room workers at the health system were supposedly involved in selling access to patient data.

All this bad press has many healthcare providers wondering if the security risks of digitizing health information will ultimately be worth the anticipated rewards. Some even feel that health data would be more secure if we continued to record and store it in paper format. Do these providers have a point? My answer to that question is no … and yes.

Health Data Breaches Small Compared To Other Industries

First, let’s take a closer look at the actual size and scope of the health data security problem. Sure, the seemingly frequent headlines of healthcare security breaches are troubling. However, according to Verizon’s 2013 Data Breach Investigations Report, less than 1% of the 621 data breaches disclosed in 2012 affected the healthcare industry. The vast majority of breaches affected the financial industry, followed closely by retail. Moreover, 75% of the breaches reported in 2012 were financially motivated.

Now, many will argue that healthcare’s digital immaturity is a primary reason for its comparatively low breach numbers. These individuals will argue that as the industry becomes more electronic, these numbers will rise exponentially. This may be true, but even if the breach statistics in healthcare could potentially grow to mirror those currently seen in finance and retail, should this derail the digital health movement? Of course not.

Even though the majority of data breaches impact the financial industry, I doubt you’d find too many financial institutions that would opt to revert to the days when paper deposit slips, checks, and face-to-face interactions with bank tellers or brokers were the only ways to complete transactions. Likewise, I doubt you’d find too many retailers that would choose to revert to the days before e-commerce. Why? Because the benefits of digitization (e.g. convenience, cost-effectiveness, speed, etc.) outweigh the risks — both from a business and consumer standpoint.

The characteristics (e.g. accessibility, portability, exchange, analysis, etc.) that make digital data networks so effective in the financial and retail industries should translate to healthcare as well. The problem is most healthcare providers (and particularly their patients) have yet to experience the benefits digital health data can provide. There’s been no payoff for most providers yet — only risk. This should change as the technology and industry continue to evolve.

I’m not trying to downplay the significance of electronic health data breaches. Data security should definitely be atop all healthcare providers’ priority lists. Lord knows there are a ton of improvements to be made. However, I think the healthcare industry is well positioned to make great strides in this area. As a late adopter, the healthcare industry has the opportunity to learn from the data security mistakes (and successes) of its financial and retail predecessors. While definitely its own industry with its own unique set of data and organizational idiosyncrasies, healthcare has a blueprint for some of the main infrastructure components from these other markets.

Are Paper Records More Secure Than EHRs?

The other point of contention I have with the reaction to health data breaches is the perception by some that paper patient records are somehow more secure than electronic health records. Where did this perception come from? It’s not like paper medical records are stored in a bank vault or guarded by watchdogs. Most sit behind the reception desk at your doctor’s office. Heck, I was at the doctor last week, and I could have easily swiped three patient files that were sitting on the receptionist’s desk when she went to make a copy of my insurance card.

As a form factor, I would argue that electronic health records are much more secure than their paper counterparts. Electronic health data typically sits behind a firewall and is only accessible to those with proper username and password credentials. Paper, on the other hand, can simply be pulled from a shelf. However, while a thief could easily steal one to five paper records, he or she couldn’t easily steal hundreds or several thousand. The potential payoff for a thief in a paper environment is limited. It’s the portability of electronic health data that makes it such an attractive target for criminals. By hacking into a database or stealing a single laptop, a cyber-criminal can potentially gain access to the health information of entire patient populations. The potential payoff for the thief in this scenario is much more substantial.

This same dynamic holds true in the financial world. For example, I’ve been a victim of two financial data breaches in my lifetime. One occurred in the paper world when someone stole new checks from my mailbox and tried to use them. The second occurred a few weeks ago when I was informed my credit card information was likely acquired by thieves who stole hard drives from the VUDU corporate offices. Both occurrences inconvenienced me in the same way. However, the second affected not just me, but several thousand other customers as well.

The threat of thousands of data records being compromised simultaneously is greater in the digital world. However, we need to do our best to mitigate this threat because the same qualities that make electronic health data so attractive to criminals ultimately make it an invaluable resource for healthcare providers and patients as well. Electronic health data is a risk. We just need to ensure — like in finance and retail — it’s an acceptable one.