Here’s a fact that might surprise you: Your healthcare information is worth more to hackers than your credit card number. A LOT more. Forbes reports that a credit card number is worth 25 cents on the black market, but an electronic medical health record (EHR) is often worth hundreds or even thousands of dollars.
Why? Well, health records include most of the information a criminal needs to commit identity theft, medical fraud, tax fraud, insurance fraud and related crimes, so they are extremely useful. And since most the data (such date of birth and Social Security number) can't be changed the way credit card numbers can, each health record offers value for years to come. That makes stealing this particular type of data quite a lucrative business.
And cyber criminals aren’t just stealing medical records one or two at a time — they’re swiping whole databases for big payoffs. For example, a McAfee report shows multiple listings of healthcare databases for sale on the dark web, including one with 397,000 EHRs offered for 300 Bitcoins. Sometimes the listings even boldly include evidence that the seller truly breached the healthcare organization, which presumably commands top dollar (or Bitcoin).
Because healthcare data is so sensitive and so sought after by attackers, healthcare organizations around the world are subject to a wide range of compliance regulations and requirements. Although they all share a similar goal — protecting the privacy and integrity of healthcare data — they have important differences. Here are some of the most important ones to know about:
- HIPAA — The U.S. Health Insurance Portability and Accountability Act requires both entities providing direct care and their business associates to protect individually identifiable health information. The HIPAA Privacy Rule mandates protections for health information that can be associated with an identifiable person, while the HIPAA Security Rule is requires measures for ensuring the confidentiality, integrity and availability of protected health information. In addition, HIPAA requires healthcare organizations to offer a security awareness and training program for staff members, including management.
- HITECH Act — The Health Information Technology for Economic and Clinical Health Act was designed to stimulate EHR adoption in the United States, expand the protection of electronic protected health information, and ensure the public posting of data breaches involving protected health information of 500 or more individuals.
- HIPAA Omnibus Rule — This rule changes various privacy and security requirements in HIPAA to bring them into alignment with the HITECH Act. Among other things, it makes business associates of covered entities directly liable for compliance with certain requirements; allows patients to request a copy of their electronic medical record in electronic form; sets new limits on how information can be used and disclosed for marketing and fundraising purposes; and prohibits the sale of an individual’s health information without their permission.
- Guidelines for mHealth Design and Development under HIPAA — These guidelines require that mobile applications and devices that work with personally identifiable health information ("mHealth" apps and devices) must comply with HIPAA. Note that non-personally identifiable health information, such as steps taken and distance covered, are excluded from the HIPAA requirements.
- ARRA — The U.S. American Recovery and Reinvestment Act requires healthcare organizations to demonstrate meaningful use of an interoperable EHR system to qualify for subsidy payments.
- ACA — The Affordable Care Act delivered significant healthcare reform for the United States. But it also increases the amount of sensitive data that healthcare providers must securely store and properly transmit, such as the Social Security numbers of spouses and dependents for reporting to the IRS.
- UK Data Protection Act — This law requires healthcare institutions to collect only the data that is required for a specific purpose, not keep data for longer than necessary, and provide the data subject with access to their data upon request. Appropriate access controls must be maintained, and the data must not transferred into another legal jurisdiction without equivalent data security requirements. The National Health Service (NHS), Nursing & Midwifery Council (NMC), and British Medical Association (BMA) all supplement the UK Data Protection Act with specific professional standards expected of their members.
- GDPR — The EU’s new General Data Protection Regulation requires organizations anywhere in the world to protect the personally identifiable information of EU citizens. There are significant financial penalties for organizations that fail to adequately safeguard personal data, report breaches promptly, obtain proper consent for data collection and processing, or comply with other GDPR requirements.
- Australian Privacy Act — This law mandates various protections for health information and timely data breach notifications. The Medical Board of Australia and the Australian Medical Association both supplement this act with specific requirements for their members, such as ensuring a patient’s right to access their data and requiring their consent for its disclosure.
Despite all these regulations and guidelines intended to strengthen cybersecurity, more and more healthcare organizations are suffering breaches. For instance, one analysis found that the U.S. Health and Human Services database recorded 268 data breaches in 2015 but 328 in 2016 — a 22 percent increase. What’s more, those 328 breaches exposed the sensitive data on 16.6 million Americans. In my next blog, I’ll dive into the realities of the healthcare industry and trends in the threat landscape that help explain the continued high rate of breaches.
In the meantime, be sure to read our white paper, “Protecting Data in the Healthcare Industry,” to learn more about:
- The various regulations and requirements that healthcare firms must comply with
- The realities and trends that are increasing the risk for healthcare organizations
- How data breaches impact healthcare organizations
- Best practices for cyber security defenses