Patient health records – how secure are they? Fast on the heels of the Anthem breach, news of the Premera Blue Cross cyberattack overtook the headlines. According to a Redspin Report, more than 40 million Americans suffered a breach of their personal health information between 2009 and 2014. Of the PHI data breaches in 2014, more than 50 percent were due to hacking attacks; unauthorized access or disclosure was the cause of a third of the hacks. However, as many institutions prefer to avoid the liability, costs and damage to their reputation that result from disclosure and notification, many breaches go unreported, so that the actual numbers might be much higher. By Amit Cohen, CEO, FortyCloud
By Amit Cohen, CEO, FortyCloud
Patient health records – how secure are they? Fast on the heels of the Anthem breach, news of the Premera Blue Cross cyberattack overtook the headlines. According to a Redspin Report, more than 40 million Americans suffered a breach of their personal health information between 2009 and 2014. Of the PHI data breaches in 2014, more than 50 percent were due to hacking attacks; unauthorized access or disclosure was the cause of a third of the hacks. However, as many institutions prefer to avoid the liability, costs and damage to their reputation that result from disclosure and notification, many breaches go unreported, so that the actual numbers might be much higher.
The implications for those who have experienced a breach are many, including the risk of identity theft, illegal use of prescriptions, and billing information. The cost of restoring identity after a medical theft incident has been estimated at $20,000. The American Health Information Management Association (AHIMA) provides a number of recommendations as to the measures consumers should take to check their own records for fraud or breaches. These include contacting the insurer or provider about charges for care that was not received, even when no money is owed. In addition, certain “free” medical services or treatments may just be attempts to obtain names and insurance information for use in fraudulent claim submissions.
However, the most serious consequence for identity theft victims can be the alteration of their medical records. According to a Ponemon Institute study, 57 percent of the identity theft victims never check their medical records to verify that the information is accurate. Disturbingly, approximately 25 percent indicate that after the identity theft they were misdiagnosed or mistreated, due to inaccuracies in their health records – a potentially life-threatening situation. Data can never be removed from a medical record, only annotated; therefore, incorrect information can be potentially harmful for a lifetime. Despite this real risk, over 40 percent in the study did not take any action to resolve the theft or prevent another such incident.
Some of the difficulty in checking the accuracy of a medical record is that medical records are not stored in central repositories; therefore aggregating the data can be problematic. Should sharing and consolidation of Electronic Health Records (EHRs) become more widespread it will be easier for patients to verify their records. As more healthcare organizations are moving their resources to the cloud, access to EHRs should become more efficient. The cloud offers continuous availability, flexible backup/recovery solutions, device diversity and location independence, all of which enhance the provider’s ability to coordinate patient care and administration.
On-premise or in the cloud, the downside of centralizing EHRs may be the increased perils of hacking and infection with malware and viruses. Threats are not just external; unapproved or malicious use of organizational resources caused 15 percent of the security incidents in healthcare in 2014. Employees who access the provider’s resources remotely are an added risk, should their devices be lost or stolen. The first step organizations can take to protect their resources is to encrypt their data in transit and at rest, no matter whether resources are stored in the cloud, in physical data centers, or in a hybrid deployment. In addition, organizations, like their consumers, must constantly monitor their resources and logs to detect breaches and harmful activity as early as possible.
In addition, healthcare organizations and providers need to ensure that they enforce identity-based access management policies for anyone accessing the organization’s resources. Proper identity-based access management policies assure that employees are not able to access unauthorized data. The establishment of multi-factor authentication ensures that those who steal or find lost devices will not be able to reach internal resources. Multi-factor authentication also protects individual consumers if the device they use to access their EHR is lost or stolen since the finder cannot modify the records.
Identity theft of healthcare records is not only damaging financially but can potentially result in life-threatening, erroneous medical treatment based on distorted information in the EHR. Individuals can protect themselves by safeguarding their passwords and health insurance information, in addition to regularly checking their healthcare and billing records and credit reports. Organizations should ensure that they institute a HIPAA-compliant solution that uses encryption, access management and firewall policies, combined with event monitoring capabilities and alerts.
About The Author
Amit Cohen is co-founder and CEO of FortyCloud, which was founded to promote the secure migration of enterprises to the public cloud.