Health care industry at risk of serious privacy issues
March 12, 2014

In the past several months, retailers and banks have been in the headlines for major instances of data exposure and theft stemming from breaches. While financial data is certainly sensitive, especially routing and account numbers, medical information might be the most dangerous when lost or placed into the wrong hands. Sensationalism aside, there have been instances of medical identity theft that led to serious complications for the victims at the point of care.

Health care data is so dangerous because it often contains enough detail to steal an identity, much as exposed banking information does, but it can also allow individuals to take on the persona of the victim while seeking medical assistance. This could leave the victim with incorrect information in their medical history, complicating the treatment they receive from a misinformed physician.

Medical organizations must work to prevent data breaches and identity theft in a proactive fashion, as trying to fight back after information has already been exposed can be nearly impossible. By taking a well-informed and comprehensive approach to access management and using the most advanced multi-factor authentication solutions on the market, health care providers can protect themselves and their patients from these disastrous events. 

New study reveals risk
Forbes recently reported that a new study from the SANS Institute, a leading researcher and certification organization in the IT security industry, revealed there were nearly 50,000 unique malicious events that targeted health care organizations between Sept. 2012 and Oct. 2013. This staggering number, combined with the 723 unique malicious source IP addresses, translated to the compromise of 375 American medical organizations.

According to the source, health care clearinghouses, pharmaceutical firms, health plans and business associates were among the least targeted, while nearly three-quarters of medical organizations attacked were health care providers. American firms have to comply with the Health Information Portability and Accountability Act of 1996, as well as the Health Information Technology for Economic and Clinical Health Act of 2009, which have specific requirements related to system and data security.

However, simply meeting regulatory compliance requirements does not minimize the risk of a breach, and medical organizations are urged to go far beyond the call of duty to protect their patients. Forbes noted that a separate study conducted by the Ponemon Institute found that 15 percent of medical identity theft victims surveyed experienced a misdiagnosis as the result of inaccurate electronic medical records.

A combined 24 percent of the respondents either experienced a mistreatment or received the wrong prescriptions.

Refinement critical for safety
Michael Ollove, writing for HealthcareITNews, recently explained that medical identity theft was found by an Identity Theft Resource Center survey to comprise 43 percent of all events in the United States last year. Additionally, the source noted that the U.S. Department of Health and Human Services estimated that anywhere between roughly 28 million and 67.7 million Americans have had their medical records compromised since 2009. 

"Medical identity theft is a growing and dangerous crime that leaves its victims with little to no recourse for recovery," Pam Dixon, executive director of World Privacy Forum, explained, according to the news provider. "Victims often experience financial repercussions and worse yet, they frequently discover erroneous information has been added to their personal medical files due to the thief's activities."

Between BYOD, electronic medical records and a wide range of other new technologies flooding the health care sector, organizations that handle these systems and data must become more vigilant with privacy protection and identity management. With stronger encryption protocols, the use of multi-factor authentication for access and other solutions, medical organizations can become more resilient to breaches.