Breaches happen every day to every company on the Internet (whether they know it or not). Today the cyber criminals are going after healthcare records, yet the populace isn’t demanding more protection. Why is that? The average person doesn’t understand the damage their health records can cause them, because most equate a healthcare record breach with their credit card or bank information getting stolen.
When financial information is lost and used, there’s an immediate, realized effect: money. Victims lose money, are on the hook to pay more money, and their credit scores are impacted right away. Losing money is scary for anyone. It happens all the time, and if you haven’t yet experienced a credit card being used fraudulently, shop online long enough and you will.
If and when your financials get stolen there’s a clear path to resolution, if you are on top of things. You can call the banks, cancel the cards, have credit monitoring turned on, and more services to protect your financial footprint become available every day. Today a misused credit card has been controlled down to an inconvenience with little to no long-term risk to the victim, if they catch it in time. Healthcare records are in a different class, a far worse class of potential damage, yet the industry and the world aren’t pushing for massive security overhauls in medical systems the way they did for credit cards.
Here’s a healthcare record as an example. An insurance processing firm gets all your information from the hospital or clinic you were at. Most likely your entire history is transmitted: your name, address, phone, Medicare number, clinic account number, insurance number, and your health information with diagnostic codes, conditions, the medications you are on, and so on.
One day you see in the paper that the firm you know is processing your claim has been breached. So what? You have identity protection, so you will be alerted if someone attempts to open a new credit card; your bank has monitoring on your accounts; and there’s nothing in there they can use. Right?
What the criminals are doing is not using that information for identity theft. Not initially, anyway. Your healthcare record is a profile of a medical state. There are others willing to pay big bucks to get profiles similar to their own, to gain access to healthcare they normally can’t or wouldn’t get: because of fraud, because they need anonymity, because they are not a citizen, for doctor shopping, or for a pharmaceutical supply through legitimate channels, all under your name.
Unlike the financial side, which is ‘regulated’ by the credit agencies, all of which can see your open credit cards, loans, mortgages, etc., there is no comparison in the healthcare world. This is why doctor shopping is so rampant: there’s no central point of record. This makes a healthcare record the top money-maker in the cyber underworld.
A single record goes for about $360!
Once it’s stolen, it’s out there forever. You can’t call a clinic and have it re-issue you a new profile; it’s yours. There’s no protection now to lock your health profile from being used anywhere, because there’s no central system to block it. This may not seem like that big of a deal: so what if someone uses my info to get some pills or treatment, how does that impact me?
Maybe it won’t today. But stories are coming out of people who go in for lifesaving kidney surgery only to find that the hospital has on record that their kidney was removed two years ago. Your high blood pressure medication is declined because the systems say you have already maxed out your refills. You are hauled away for Medicare fraud because there is no identity proofing when health information is used at a Medicare clinic with 3 employees. This is the true danger. Life or death, and it may not be realized for years down the road, when you have forgotten about a breach in the news and need that surgery to hold your grandchildren tomorrow.
Why there is no urgency to lock the healthcare security systems down, I have no idea. There’s HIPAA (the Health Insurance Portability and Accountability Act), but that is only as good as the enforcement behind it, and that enforcement is not as prevalent as it needs to be. HIPAA is also dated and badly needs an update. Medical professionals are experts on medicine, not security.
The next time you are at a doctor visit, watch to see how they log in to the computers they use, whether they leave the screens open, and whether they use a card to access the application. See what information they gather and what they print and leave lying around in files. Once you watch for that, your concern level rises. Every now and then you will fill out their updated privacy forms, but don’t be fooled. Privacy is not security. You can be private and insecure.
End of line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration, and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.