The Risk of Cyberattack in the Healthcare Industry
With the number of security breaches we’ve seen in recent years, it’s a good idea to check your bank transaction record frequently, as you can’t be certain whether someone out there is holding your credit card number. However, did you know some criminals are more interested in your medical records? Thousands of fraudulent credit and debit transactions take place every year while innocent victims go on through life oblivious. If criminals can sneak those right by, imagine what they can do with access to your insurance.
The Health Insurance Portability and Accountability Act
One 1996 law is designed to protect exactly this information from falling into the hands of the wrong people. The Health Insurance Portability and Accountability Act, better known as HIPAA, was conceived to set a precedent that would preserve the privacy of your health records in the information age.
That means hospitals and medical institutions have a whole lot at stake when the bad guys arrive. An information breach is more than just a PR nightmare — a HIPAA violation could result in harsh punishment.
Failure to protect information can be penalized at up to $50,000 per incident, and on average, a single breach costs about $7 million in total damages. Leak a few years’ worth of patient info, and you can imagine it’s not going to be a pleasant recovery. You can’t put a price on the inconvenience and danger that this poses for the victims of a breach.
What do cyber-criminals want?
Cyber-crime is perpetrated because it’s profitable. Even if what you’re experiencing is only the first stage in a many-chambered machine, the result is that someone can make easy money using your information.
In the case of medical records, access to insurance information is the most common payoff. For example, following a recent health care firm breach, an 85-year-old woman received an explanation of benefits for a rhinoplasty.
However, the insurance information available on your medical records isn’t the real hidden treasure. Medical records are extremely comprehensive, and they contain a wealth of static information, such as your physical characteristics, age and Social Security number. All these items send the potential for exploitation through the roof.
When someone steals your credit card information, all you have to do is call the bank to report the theft and request a new card. Steal someone’s address and Social Security number, however, and there’s the potential for outright identity theft.
Where do medical records go?
Just as with most of the information that comes out of data breaches, medical info pulled from a hospital or provider breach typically ends up for sale on the deep web. From there, it might be sold off a single time, but more likely it will remain for sale for some time and fall into the hands of multiple buyers.
The law dictates that any time a business is compromised, it must notify anyone with potentially affected records. If your Amazon account gets hacked, this notification might do you some good. Changing a password won’t protect your medical info, though, which is why the government has made the stakes so high for health industry businesses when it comes to medical records.
What to do if your records are stolen
The Ponemon Institute found that more than 10 percent of Americans are highly confident their medical records have been compromised, and that number is going to increase in coming years.
Even as healthcare providers gear up with extensive cyber-security solutions to defend against threats, hackers tend to be one step ahead of the game. Microsoft has even critiqued the U.S. government for failing to disclose information that might have stopped some attacks.
Should your medical information fall into the wrong hands, you must remain vigilant. It’s not enough to rely on the systems these huge corporations have in place, even as they deploy layer upon layer of solutions that can trace an attacker’s digital signature.
In the future, advances in security technology will be able to tell us where an attack came from more quickly, and that could possibly lead to swifter takedowns and less exposure of your data. Law enforcement will develop methods of tracking physical assailants in real time, but that could be decades off. For now, it’s a game of odds. You can’t avoid going to the doctor, at least not without the potential for consequences that might be even worse.