The federal government is pushing doctors, clinics, and hospitals to embrace electronic medical records (EMRs), also known as electronic health records (EHRs). There are many benefits to going digital, but these benefits may be overshadowed by the threat of hackers.
Hackers are increasingly targeting this vast treasure trove of medical information and selling it on the black market. They are also using it to illegally obtain prescription drugs or medical equipment.
And unlike the financial industry, many organizations in the healthcare arena are ill-equipped to handle hacking attacks. The healthcare industry is also unprepared to prevent your medical information from being accidentally lost or disclosed.
According to a report by the Ponemon Institute, 1.84 million Americans were victims of medical identity theft in 2013. About two-thirds of these breaches resulted in no costs to the victims, but the rest paid an average of $18,000 each. The report estimated that medical identity theft costs victims in the United States $12.3 billion a year.
“There’s every reason for folks to be concerned about how their health records are being handled,” said Lee Tien, a senior staff attorney with the Electronic Frontier Foundation. “The healthcare industry has suffered a lot of breaches the last few years, and many of them are quite large.”
According to the U.S. Department of Health and Human Services, since 2009, healthcare organizations have reported 116,000 breaches of health information involving fewer than 500 people. During that time there have also been 980 reports involving 500 or more people. Combined, these breaches affected 31.3 million people.
One particularly large breach last April and June involved Community Health Systems. The company runs more than 200 hospitals.
During the cyberattack, hackers stole the “nonmedical patient identification data” of approximately 4.5 million people.
Smaller breaches are not rare for healthcare companies. According to a 2014 report by the SANS Institute, 94 percent of medical institutions have reported cyberattacks.
A report by the Ponemon Institute showed that 90 percent of healthcare organizations have experienced at least one data breach in the past two years. Thirty-eight percent have had more than five incidents.
These sobering trends are only expected to continue over the next year, as more doctors, clinics, and hospitals move to EMRs.
The prediction is that 2015 will be the year of healthcare breaches, James Christiansen, vice president of information risk management at cybersecurity firm Accuvant, told Healthline. “This is a significant increase in the threats to the healthcare ecosystem,” he said.
Electronic Medical Data Is Easy to Steal
The push to digitize personal health records has only made it easier for hackers to scoop up large amounts of data. Data can also be accidentally exposed, such as when an employee loses a laptop containing patient information.
“In the past, to gain access to my healthcare records you needed to break into my doctor’s office and rummage through the vast number of patient files to find my file,” said Christiansen. “Now, from the comfort of the couch, an attacker anywhere in the world can hack into a system to gain access to an electronic healthcare record.”
The healthcare industry has two main shortcomings that draw in hackers seeking to turn medical information into a quick buck.
First, many healthcare organizations are ill-equipped to fend off attacks. Their priorities, employee talent, and funding are funneled toward what they are best known for — keeping people healthy.
“Compared to the financial industry, which has spent decades building electronic protection around their sensitive data, the healthcare industry is hard pressed to establish equivalent security programs,” said Christiansen.
Hospitals and medical offices are often weighed down by older computer systems. Many of these systems are missing key security updates designed to prevent the types of medical data breaches that have security experts concerned. On top of that, the data may not be encrypted, or protected in the strongest fashion.
“It certainly depends on the setting. It might be one thing to get something from a very large insurance company,” said Tien. “On the other hand, if you talk about a hospital that’s transitioning into EHRs, there are a lot of places where the system can be vulnerable.”
It’s not just the computer systems in your doctor’s office that are at risk. Healthcare organizations have many entry points for a hacker seeking to tap into their systems. Printers, video conferencing systems, call center software, and devices like networked X-ray machines all offer entry points.
“The healthcare ecosystem is very complex as your healthcare record traverses the various providers,” said Christiansen. “So the pure number of places and forms your healthcare record is stored makes it more susceptible to a hacker or a non-malicious insider that accidentally discloses your healthcare records.”
Medical Data More Valuable Than Credit Card Data
Electronic medical data is not only easier to access than financial information, it’s also more valuable to those who obtain it illegally.
“The kind of data that will be obtained when you have something like an EHR breach can be more valuable than other kinds of data,” said Tien.
Once hackers have captured this data, it can be used to turn a profit in any number of ways. It can also be sold to uninsured people who will use it to obtain low-cost prescription drugs or medical equipment. The uninsured could also file false insurance claims using a patient identification number combined with a fake provider number.
The going rate for stolen health credentials is up to ten times the value of stolen credit card information.
But unlike stolen credit cards, which can be easily canceled and whose fraudulent purchases are more quickly detected, once your personal medical information is stolen it’s difficult to put the genie back in the bottle.
Many people are not even aware that their medical information has been stolen. It can take years until a collections agency goes after them for the cost of medical services that they never received.
Another danger is that your personal medical record may no longer be accurate. This can be potentially life-threatening if key information like blood type and drug allergies is altered in your record.
How to Protect Yourself from Medical Identity Theft
“The whole issue for consumers is so difficult because at the end of the day there is very little you can do about it,” said Tien.
If a retail store plays fast and loose with your financial data, you have the option of not shopping there anymore. This isn’t always possible with your doctor’s office or hospital.
Much of the burden for reducing medical identity theft lies with hospitals and other healthcare organizations. To prevent cyberattacks, these organizations need to invest more money and employee talent in shoring up the walls around their electronic data.
Beyond asking your doctor about the security of the EMR used in your clinic, the best bet for protecting yourself involves staying alert for possible misuse of your medical information. This depends, in part, on the healthcare organization notifying you if they detect a breach. Currently, some laws are in place to encourage this.
“A large number of states have some kind of data breach notification requirement,” said Tien. “There will either be a media report about the entity and/or a notification from the entity that suffered the breach telling you that your data may have been compromised.”
In most cases, you will learn the name of the organization that suffered a cyberattack, but you may not always know which of your information was taken.
If your information is stolen, there are steps you can take to minimize the damage.
- “Review your medical records and Explanation of Benefits frequently for anomalies,” said Christiansen.
- Look for billing errors and signs of prescriptions or tests that you never had.
- To assist in identifying bogus charges, request copies of your medical records from your doctor or hospital.
- If you notice any problems, alert your healthcare provider and insurance company.
- Keep an eye on your credit report, because unpaid medical bills can affect your credit rating, even if they resulted from someone else using your medical information.