Health care industry leaders are calling for cybersecurity protections for patients, noting that more than 31 million medical records have been breached this year — a number that is steadily growing.
“It’s really important that providers and payers make sure their systems are secure, because this is incredibly valuable information,” said Jennifer Covich Bordenick, CEO of the eHealth Initiative and Foundation. “And there are a lot of bad actors who would use that information in ways that could harm patients or specific populations or the nation at large.”
Data breaches of health care records have increased since 2010, and are projected to reach a new high this year, said Robert Lord, co-founder and president of Protenus, a health care compliance analytics platform.
More than 31.6 million patient records were compromised in 285 data breaches between January and June, Protenus found. That number is more than double the number of records exposed during all of 2018, when cyberattackers violated 14.2 million records, the HIPAA Journal reported last week.
Credentials stolen from the American Medical Collection Agency were found on a dark web marketplace after a breach this year. Months after the cyberattack, the agency discovered that its payment web page had been compromised.
While the number of AMCA records exposed is unknown, more than 20 million records were breached, including those of nearly 12 million patients at Quest Diagnostics and almost 8 million at LabCorp in Burlington, North Carolina, the New Jersey Law Journal reported.
Stolen health records can be used for insurance fraud, medical identity theft, medical blackmail, opening financial accounts, fraudulent billing and personal attacks.
“In comparison to sectors such as finance, data for the health field comes from a wider variety of sources, making this data more valuable to criminal organizations,” said John Riggi, senior adviser for cybersecurity and risk for the American Hospital Association. “Bad actors may seek to monetize medical records through lucrative fraud schemes — for instance, false billing.”
For every 300 individuals, there is one privacy violation of health records each month, according to Mr. Lord.
“As we’ve increasingly digitized medical records following the HITECH Act, then we’ve had more attacks over time,” he said.
“We have these incredibly sophisticated systems that are analyzing data in order to develop cures, but we’re not necessarily deploying some of those same artificial intelligence analytic systems to also protect that info,” he said. “So we kind of have this mismatch in how we’re using the data and how we’re protecting the data technologically.”
Ms. Covich Bordenick added that the growth and profitability of the biotech industry make health data valuable, contributing to the continual climb in data breaches. She said investors in biotech and health tech startups need to think about the implications of cross-border investment and data sharing, noting numerous cases of cybersecurity attacks from China.
“Companies globally are involved in economic espionage. And companies that handle patient data are really at a particular greater risk,” she said. “They are taking this data. This is really a space race. Whoever has the most data wins.”
One reason health data becomes vulnerable is that many people often hand over their information, Ms. Covich Bordenick said. For instance, patients might use third-party apps that are not obliged to follow privacy standards under the Health Insurance Portability and Accountability Act (HIPAA).
“What’s so amazing to me is that so much of this data that we’re trying to protect so carefully, we’re actually giving it away,” she said.
Patients can protect themselves from cyberattacks by understanding how and to whom they grant access to their medical records, reading consent agreements carefully and storing medical records in secure environments, Mr. Riggi said.
Ms. Covich Bordenick pointed out hospitals can do more to train their employees in cybersecurity, such as teaching staff about phishing — fraudulent emails that can give attackers access to private information.
Mr. Lord said health systems should have board-level accountability for cybersecurity and privacy, understand threats across their organizations and invest in privacy and security for patient safety.