Medical records are becoming a big business for all the wrong reasons. While the Obama administration has encouraged health care organizations to invest billions of dollars in electronic health care records, some of the biggest beneficiaries of that program are likely to be cybercriminals.
A new survey of 80 health care organizations conducted by the Ponemon Institute on behalf of ID Experts, a provider of data breach management tools, finds that 45 percent of the organizations surveyed suffered more than 5 breaches and that 51 percent of them experienced an incident involving the theft of medical records.
Medical records have become a huge black market business because they contain so much personal information about people. In fact, it’s hard to think of any other single source that holds such rich data about an individual.
The survey found that 1.85 million people were affected by medical identity theft in 2012, resulting in costs that are estimated at over $40 billion, and that over 21 million people have at some point been victimized. On average, data breaches are costing health care organizations $1.2 million per incident, says the report.
Larry Ponemon, chairman of the Ponemon Institute, says the core issue is that health care organizations need to apply the same level of security to their records as financial services organizations. Unfortunately, none of them have the budget needed to come anywhere near that level of security, says Ponemon.
With the rise of the bring-your-own-device (BYOD) phenomenon, Ponemon says things are likely to get worse before they get better. Cloud computing, of course, may offer one option to improve security, but because of the way regulations have been worded, interest in using the cloud to run health care applications is relatively light.
ID Experts President Richard Kam says it’s only a matter of time before a catastrophic event shines a spotlight on this whole issue, which, when it occurs, may wind up derailing the Health Insurance Portability and Accountability Act (HIPAA) initiative altogether. What’s required to really address the issue, says Kam, are annual security assessments, policy reviews and a robust incident management reporting system.