Dive Brief:
- Cyber-security experts warn that electronic health record systems are highly vulnerable to attack, and hospitals ought to be proactive about building security instead of just focusing on compliance with government privacy rules.
- Experts said a cyber-attack exposing the medical and financial records of hundreds of thousands of patients is coming; the only question is when. A full identity profile in a single medical record can bring up to $500 on the black market, far more than a stolen credit card, because thieves gain access to health insurance and prescription drugs as well as financial information.
- Then again, if hackers want credit card information, it may be easier to steal it from an unsuspecting hospital than from more cyber-savvy retailers, experts said.
Dive Insight:
"What I think it’s going to lead to, if it hasn’t already, is an arms race between the criminal element and the people trying to protect health data," Robert Wah, president of the American Medical Association and chief medical officer at the health technology firm CSC, told Politico. It's happening. The Identity Theft Resource Center said nearly half of 353 breaches it has detected so far in 2014 occurred in the healthcare sector.
The problem arises partly from healthcare providers' need to comply relatively swiftly with federal requirements. Banks and retailers have been involved in cyber-security efforts for decades, whereas most hospitals and physicians, aided by $24 billion in federal HITECH funds, shifted from paper medical records to EHRs within a few years.
Politico cited a survey in which about half of surveyed health systems said they spend 3% or less of their information technology budgets on security. Only 54% of 283 surveyed IT security professionals had tested a response plan for data breaches, and only slightly more than half of hospitals had an IT leader in charge of securing patient data. Noting that healthcare businesses pay IT security staff less than any other industry, one expert told Politico: "This may be the case of you get what you pay for."