Originally published October 15, 2019 by Will Maddox at D CEO Healthcare
As the healthcare industry lurches into embracing cloud-based technology, protecting medical data has become even more essential. While banks and other financial organizations have long been data security experts, the healthcare field has been a bit slower to protect its data, which can often be more valuable than credit card and bank account numbers.
Experts say a Social Security number is worth 10 cents on the black market, with credit cards going for 25 cents. Medical identity theft involving secure medical records, which often include both of those numbers plus much more information, is even more lucrative.
“Medical information is a lot richer,” says ClearDATA Founder and Chief Privacy and Security Officer Chris Bowen, who says the medical record is 50 times more valuable than a credit card number. “It is not just the credit card. You can build an entire human persona around a health record. You can create or seek medical treatment, abuse drugs, or get prescriptions. The life span is so much longer than a credit card.”
But there are major challenges to a secure transition to the cloud for healthcare systems. Banks may spend 15-20 percent of their budgets on IT, while a hospital may spend only 5 percent. With high salaries and patient care taking the focus, there often isn’t enough money to go around.
In addition, a single hospital may be home to hundreds of different systems for payment, electronic medical records, staffing, and other areas. This makes protecting the data even more complex.
Texas-based ClearDATA partners with healthcare companies to help them protect their data, supplying infrastructure services and compliance support to make sure data is protected under HIPAA guidelines and safe from outside threats. ClearDATA has been working with North Texas’ HCFS, which helps hospitals recover costs by finding resources for self-pay patients and improving efficiencies and revenue maximization.
HCFS deals with sensitive payment and patient information, which needs protection. The company stores data in its system, and ClearDATA helps manage and track the data, adding security. ClearDATA adds a level of security on top of cloud-based platforms like Google or Azure, which have their own security features. ClearDATA monitors the cloud, helps protect the data, and encrypts it when it is sent.
“We are monitoring existing security as well as adding levels of security,” says ClearDATA’s Advisor & Former Chief Strategy Officer Scott Whyte.
Stakes are high both for the provider and for the patient whose data needs to be kept secure. Medical data can include credit card information, but even if it doesn’t, it often has information that thieves need to cross-reference stolen financial information, such as addresses, birthdates, or family members. There is also the potential for blackmail, as some might not want their medical diagnosis made public.
Human error is often the culprit, says Bowen. Whether it is opening a suspicious email or clicking a link they shouldn’t, employees often unknowingly invite threats to data into the hospital. Up to 62 percent of threats come from email disclosures alone. “We need to figure out ways to prevent humans from making mistakes,” he says.
Other risks include unencrypted data attached to emails, where it can be intercepted, and employees who steal and sell data or use it maliciously on their way out of the company.
If more than 500 records are compromised, the breach has to be reported to the federal Department of Health and Human Services’ Office for Civil Rights, where Whyte says there is a literal wall of shame with negligent organizations. “There is terrible brand damage that can be done, and private suits that can be followed. Leadership are fired or step down,” he says.
Though some companies are stepping up their data security game, HCFS Vice President of Information Technology Brett Floyd knows the medical community may be a vulnerable one. “The medical space has lagged behind in that,” he says. “You would be amazed at how many really old systems are still running.”
In addition to brand damage, patients’ health can be negatively impacted by data breaches. “If the system is shut down, there can be legitimate and life-threatening interruptions to patient,” Floyd says.