Right now, healthcare data security is not, shall we say, a model for other industries. Experts in the field warn that not only can hackers get into many networks, they can slip into your medical devices—from infusion pumps to MRIs—and cause them to do nasty things. To my knowledge, no one has been killed by a marauding cyber-attacker messing with a device, but given how easy it is to do, it's only a matter of time.
But if you think that's bad news, brace yourself: it gets worse. Security experts have been watching with alarm as healthcare organizations continue to rely on old, outdated computers and software, and they report that healthcare data is worth 10 times more than your credit card number on the black market. That's because criminals have figured out how to use stolen data, such as names, birth dates, policy numbers, diagnosis codes and billing information, to make big money.
Turning data into cash
For example, these criminals create fake IDs to buy medical equipment or drugs that can be resold, or combine a patient number with a faked provider number and file fictitious claims with health plans, according to experts quoted by Reuters. As Reuters notes, crimes resulting from medical identity theft may not be identified by patients or providers for years. A stolen card number is cancelled as soon as the bank flags the fraud, but a stolen patient identity keeps working until someone finally notices the bogus claims, giving criminals plenty of time to make their ill-gotten gains last.
If you thought HIPAA penalties were bad, and they are, imagine being responsible for theft on this scale. The law doesn't seem to have caught up with the financial impact of this sort of slip, but my guess is that as medical identity theft and insurance fraud become more common, legislators will want to hold someone's feet to the fire, and providers are a nice fat target.
What can healthcare do?
So what should healthcare providers do? For one thing, BitSight Technologies reports, they can start treating cybersecurity as a strategic issue rather than a tactical one. According to BitSight, that is a large part of why financial institutions and electric utilities in the S&P 500 earn higher security ratings than healthcare and retail firms in the same index.
Another obvious step, BitSight notes, is to make cybersecurity a priority in IT spending. Unlike their counterparts at, say, banks, executives at healthcare companies typically don't see cybersecurity as a critical issue. As a result, they don't spend enough to protect their data and instead aim only to be in compliance with regulations such as HIPAA. That is a big mistake from a security standpoint: compliance is a floor, not a ceiling. The HIPAA Security Rule is written around documented risk analyses, policies and addressable safeguards rather than around the patch level of any particular system, so a provider can be fully HIPAA compliant on paper and, at the same time, completely open to cyber attack.
Unless healthcare organizations do something to close their many security holes—some of which a canny 14-year-old could exploit—it's a matter of when, not if, they face data theft. Now is the time to make the cultural shift necessary to truly lock that data down.