Anthony Patane, CIO/HIPAA Security Officer, NRAD Medical Associates
Move aside, credit cards. Medical records are the new big thing on the black market
Health information threats have become increasingly difficult to control. According to the Ponemon Institute’s “Fourth Annual Benchmark Study on Patient Privacy and Data Security,” criminal attacks on healthcare organizations have increased by 100 percent since 2010, and over 90 percent of healthcare organizations report having had at least one data breach in the past two years. Health information is now more valuable on the black market than social security numbers (SSN) and Card Verification Value (CVV) numbers, which has caused threat organizations to shift their focus to this more lucrative option.
Why do they want my health information?
When a threat organization steals your health information, it has obtained pieces of your medical identity that allow it to execute medical transactions (for instance, obtain medical care, purchase prescription drugs, obtain health insurance, or submit fake billings to Medicare in your name) as if it were you making those transactions. For the fraud victim, medical identity theft can have consequences that reach much further than financial impact. Threat organizations using stolen medical records to obtain care can cause treatment and diagnosis information to be recorded on the fraud victim’s record, creating the risk that the victim receives improper care in the future. On the black market, health and health insurance records are worth around $10-$20 each, significantly more than credit card data, which is worth between $1 and $2.
Who are we up against?
Threat organizations are the individuals or groups that target your health information. They can include criminal groups, business competitors, hackers, activists, and, the biggest one, insiders, among others. Insider threat is a risk that comes from people within an organization (such as a hospital, clinic, clearinghouse, or health insurance company): current employees, past employees, or business associates who have knowledge of the organization’s security practices, data, and computer systems. Insider threat is the root cause of most data breaches reported by healthcare organizations, and it is one threat vector in particular that organizations should continuously work to minimize.
What is considered to be “health information”?
The Health Information Portability and Accountability Act (HIPAA) of 1996 defines health information as “Any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.” The Act further defines “individually identifiable health information,” which covers health information that can identify an individual on its own or can be used in conjunction with other information to identify an individual. Such information can include your name, SSN, Medicare number, medical record number, health plan beneficiary number, insurance number, certificate or license numbers, license plate numbers, and many others.
Health records tend to contain a large portion of these identifiers (including information about other insured individuals, such as a spouse or family members), which is why threat organizations consider them highly valuable. Medical identity theft can damage lives and credit ratings and waste taxpayer dollars. It can also be life threatening if improper treatment is provided to a patient whose health information was altered by another individual’s use of it. For organizations that regularly handle health information, consider enlisting a third party to identify your critical information assets, how they are stored, how they are handled, and how they are protected, to ensure that strong layered defenses are in place to protect your data against known cyber threats.
Anthony has over 20 years of experience as a hands-on IT leader for small and medium-sized to multi-billion dollar companies, including several large hospital systems, one of the Northeast’s healthcare leaders in radiology and multispecialty practices, and a national anesthesia company. He is Six Sigma certified and holds a Project Management Professional (PMP) certification. Anthony's recent healthcare projects include the implementation of several Electronic Medical Record (EMR) solutions, including Epic and ADS; the development and execution of HIPAA security audits and system design; the integration of business-wide clinical and business applications; enabling a virtualized environment for improved provider efficiency; infrastructure design and standardization; and strategic development. He has helped with Meaningful Use attestation efforts for providers that resulted in reimbursements of over $2 million.