Although healthcare seems like a strange industry to be affected by cyber-attacks, it is actually becoming one that is at high risk for exploitation. This fact is exemplified even further with the implementation of the ACA. If you're like most folks, you're probably asking yourself, "What are cyber-attacks and just how exactly does the ACA work?" Whether system attacks target a patient's Personally Identifiable Information (PII) or their physical health, it is extremely important that these systems are heavily protected.
Healthcare systems have become a serious target for cyber-attacks, primarily due to the vast amount of sensitive personal information that is recorded in medical files, including insurance information, and family and medical history. Access to such records can provide computer criminals with all of the vital private information that is necessary to successfully steal a person's identity and gain access to their financial resources such as bank statements, credit scores and insurance accounts.
What are the Risks?
According to the Third Annual Survey on Medical Identity Theft that was conducted by the Ponemon Institute, it was estimated that 1.85 million Americans were affected by medical identity theft in 2012. The survey also estimated that the average cost per victim was $22,346 and the total economic impact in the U.S. was about $41.3 billion. These figures are based on a sample population; note that many people have been reluctant to report incidents of medical identity theft, so the actual impact is likely greater.
The cyber-attacks that are occurring present new risks to hospitals and healthcare providers. Most healthcare organizations already have security systems in place for protecting medical information, but these systems need to be constantly updated to keep pace with changes in technology and to thwart the efforts of malicious hackers. The cyber security systems for these organizations must evolve at a faster rate than the skills and approaches of information thieves. For this reason, there is a growing need for innovative, ethical hackers in the healthcare industry.
Reasons for Medical Identity Theft
While malicious hackers can be motivated by the ease with which they can steal a person's entire identity through their medical information, most reasons for medical identity theft are attributed to the need to gain healthcare services. Below is a list of the common reasons why medical identity theft occurs:
- To obtain healthcare services or treatments (67%)
- To obtain medical equipment or prescription pharmaceuticals (61%)
- To obtain government benefits such as Medicare and Medicaid (53%)
- To bill the health plan, insurance company or government program (46%)
- To access and/or modify credit reports (23%)
- To access and/or modify medical records (20%)
How can the risks be minimized?
By now it should be evident how easily PII can be compromised through online medical records and devices. It is also easy to see that, with the prevalence of medical identity theft cases, it is necessary for healthcare organizations to establish strict policies for maintaining the privacy of patients and preventing cases of medical identity theft from occurring. To minimize risks, healthcare management should conduct risk assessments to determine the true extent of the protective measures over confidential information. This can help to find weaknesses in a system that need to be addressed before any incidents can occur. It can also be used to determine the competence of the employees who are responsible for managing information security. These employees can help to minimize risks for the organization by implementing tools for encryption in all areas of private communication, such as e-mails and other collections of electronically stored medical information.
Security professionals should also make use of systems that detect security breaches and collect the relevant information to identify patterns as well as the identity of the information thieves. Although having such tactics in place is essential to the privacy of patients, it is also important to make sure the security systems are fluid enough so as not to obstruct the actions of the healthcare employees who have to treat patients in urgent conditions. Overall, organizations will only be able to meet challenges such as this by hiring competent IT professionals who can perform their cyber security tests on the system while not hindering the organization's imperative operations.