Medical Records Worth More Than Credit Cards to Hackers

Following the data breach at Home Depot, Reuters reported that medical information is worth ten times more than credit card information on the black market. Just last month, Reuters reported on an FBI Flash alert to the healthcare industry about hackers targeting the industry. This followed the hacking of Community Health Systems, resulting in the breach of 4.5 million patient records.

According to the Reuters article, because medical identity theft is generally not identified immediately, names, birth dates, policy numbers, diagnosis codes and billing information may be used for years before the theft is discovered. The Identity Theft Resource Center (ITRC) reported that in 2013, the health care industry accounted for 43.8% of the breaches on its list, surpassing those in the business industry for the first time since the ITRC began tracking such data.

Part of this may be due to the regulatory requirements in health care for providers to report breaches, but it is also likely a result of the growth in the use of electronic medical records without a simultaneous growth in cybersecurity. As quoted in the article, KPMG partner Michael Ebert said, “Are you going to put money into a brand new MRI machine or laser surgery, or are you going to put money into a new firewall?”

However, the HIPAA Security Rule requires, among other things, that covered entities perform risk analysis as part of their security management processes. HHS, in its summary of the HIPAA Security Rule, explains that a risk analysis process includes, but is not limited to, evaluating the likelihood and impact of potential risks to e-PHI; implementing appropriate security measures to address the risks identified in the risk analysis; documenting the chosen security measures and, where required, the rationale for adopting those measures; and maintaining continuous, reasonable, and appropriate security protections. Risk analysis is expected to be an ongoing process that periodically evaluates the effectiveness of the security measures put in place and regularly reevaluates potential risks to e-PHI.