The business of selling patient records

January 19, 2015

Medical practices need to inoculate themselves against security break-ins by performing a Security Risk Assessment. A Security Risk Assessment looks at how patient information is currently protected.

Criminals are after your patients’ medical records, plain and simple. The number of criminal cyberattacks reported by healthcare organizations jumped to 40% in 2013 from 20% in 2009, according to an annual survey by the Ponemon Institute. Whether it’s an ex-employee with a grudge, a crime ring defrauding the government, or a nation state hacking a giant enterprise, these criminals see big profits in the health data residing on your organization’s computers. 

One anonymous emailer threatened to release the medical records of clinic patients from a hospital in Illinois if he didn’t receive a substantial ransom.  In California, narcotics investigators took down a drug ring and confiscated thousands of patient records allegedly being used to obtain prescription drugs to produce methamphetamine.

The financial incentive to steal patient information is huge - one lost or stolen patient record is valued at $50 on the black market. Some sources estimate that medical information is worth 10 times more than a credit card number.  

Surprisingly, criminals selling health information on the black market is a risk largely being ignored by senior management, according to a recent article in the Wall Street Journal (December 22, 2014).  Medical practices need to inoculate themselves against security break-ins by performing a Security Risk Assessment.  A Security Risk Assessment looks at how patient information is currently protected.  It identifies potential exposures and recommends measures designed to prevent the likelihood of a threat and lessen its impact.   Security Risk Assessments consider such questions as: How often does the practice perform data backups? Is there a termination procedure? Do employees have the minimum level of access to patient information? 

Here are the areas that Security Risk Assessments target to protect valuable patient information:

Inventory patient information – Locate where patient information is stored, accessed, or transmitted. Patient information could be EHRs (Electronic Health Records) but could also be Microsoft Word documents as patient letters, Excel spreadsheets as billing reports, or scanned images of EOBs (Insurance Explanation of Benefits).  These documents could be on employee's desks or on laptop computers. Patient information could also be in emails or text messages in smartphones or tablets. 

Secure and protect all portable devices – This step is particularly critical for devices that contain patient information. Point of fact: according to IBM’s 2014 Cyber Security Intelligence Index Report, breaches are much more likely due to human error - like lost devices - than to hackers.

Encrypt your data not only to protect against attacks, but also to help alleviate any potential penalties. Regulators will take into account whether a firm did all it could to protect the data. 

 

Everyone is a target – from a small medical practice to billion dollar companies like Sony. Think twice before you take your patient records home to review their digital x-rays.  A hacker may be viewing them too.