The healthcare industry as a whole does a great job addressing the core issue of privacy. Clinicians and physicians alike have always fiercely protected their obligations to patient confidentiality. In the U.S., HIPAA provides additional strict enforcement.
But the immaturity of healthcare organizations’ cybersecurity can inadvertently create a significant privacy gap. Even with strict adherence to privacy policies, when healthcare organizations’ security falls short, their privacy provisions become inadequate by default.
The new rise of the individual market gives consumers a great deal of choice regarding their healthcare payers and providers. Consumer confidence in healthcare companies will increasingly be challenged by cybersecurity breaches and hacks.
The range of cybercrimes impacting healthcare globally continues to grow. For example, even if an institution takes steps to separate from patient records the core data cybercriminals need to create false identities, the opportunity to steal records and use them for blackmail remains. Clinicians in these instances are also at risk of criminal penalties for not protecting the privacy of records. And when enough data is present to construct an identity, cybercriminals can use it to gain fraudulent access to medical treatment, drugs or medical equipment.
There are also examples of cybercriminals stealing millions of records from providers and payers in the U.S. – primarily because the reward is so high. After all, while a stolen credit card is worth less than $1 on the black market, a stolen medical record can be worth as much as $40 or more.
The reason for the difference is simple. Banking and financial services firms have invested in cybersecurity technology and policies, which provide protection against misuse of stolen identities and card numbers. Further, there are relatively easy (although inconvenient) remedies to cybercrime in financial services – we can easily cancel our credit cards.
But in healthcare, it’s not so easy – there is no ability to “cancel a healthcare record.” Plus, when criminals steal personally identifiable information from health records it takes far longer to pinpoint the source.
The immature investments around cybersecurity make healthcare payers and providers susceptible to costly breaches and even more costly risks to the reputation, brand power and public confidence in those organizations. The costs start with fines, civil and criminal penalties, and continue to climb both in terms of the inconvenience of reconstructing records and the loss of confidence. Healthcare depends heavily on the trust of the patient / member with their healthcare organizations. If healthcare consumers cannot trust the security of the data stored by their healthcare payers and providers it doesn’t take long to destroy that bond.
Now is the time for healthcare payers and providers to take action with step-change investments in cybersecurity. Cybersecurity, like analytics, is not a back-office IT function. It is a fundamental frontline service that impacts everyone — from administrators and doctors to patients. Cybersecurity needs new policies and a new culture.