It will soon become obvious that your digital patient records are small gold mines for all sorts of unexpected people. Don’t worry, there is a way to protect yourself. While nothing is 100% safe, just as technology for compromising your data has become more sophisticated, so has the technology available to protect your data.
On February 5, 2015, the Los Angeles Times reported on the hacking of Anthem Inc. It was reported that the data of 80 million customers and employees was possibly at risk. At the time, Anthem was the second-largest health insurer in the country. This came on the heels of Home Depot being hacked.
Let’s talk about the internet “street value” of this hacked information.
The information Anthem reported losing included all of the above information. Based on 80 million users, this hack had a potential retail street value of $20 million to $200 million (assuming every record was sold).
This does not include any financial loss, or the personal costs and time it takes the affected people to resolve the issues. Still, we can take some solace in the fact that, most of the time, money lost through credit card fraud is reimbursed to the affected person by insurance or by the bank.
Compare a stolen social security number with the value of a single digital Medicare or Medicaid health record. According to an article by Reuters, the value of a medical record is 10 times higher. The average retail value of a single digital medical record is reported at $500 (PBS report, “Has health care hacking become an epidemic?”).
A single doctor will see an average of 18 clients per day or 2,160 patients per year. Those are the active patients in the clinic. In discussing patient numbers, the AAFP described the size of a good patient panel. (Patient panel = the number of patients one doctor can manage.)
In their example, they chose about 2,000 active patients per doctor. Let’s forget that most medical clinics carry records for 3 inactive patients for every active patient. Let’s just say that there are 2,000 patient records per doctor. This means that a small clinic with 3 doctors would hold about 6,000 patient records. If each record is worth $500, then this is a retail street value of 3.5 million dollars. For the hacker, the records for 6 small clinics are worth as much as the minimum potential street value of the Anthem hack in 2015.
Obviously, the bigger targets are more difficult to hack than the smaller targets. (Especially when those clinics are hoping to be ignored.) For a $3.5 million payoff, small clinics are suddenly a much bigger and easier financial target for hackers.
Is this happening or is it just theory?
According to an article in Computerworld on June 27, 2016, this is exactly what has happened. Instead of 6,000 patient records from 1 clinic, a single hacker stole 655,000 patient records from 3 healthcare organizations. This information was “allegedly” sold on the “TheRealDeal” online marketplace. The wholesale price for the entire database may have been discounted to about $250,000. That, of course, assumes that the records were only sold once.
If you are a medical organization, this is a pretty scary situation.
The marketplace is target rich with clinics that are not following the rules and not keeping their records safe. The key for medical record owners is to get ahead of the industry (which isn’t too difficult today) and to use that extra time to get their house in order. There is no way to be 100% safe, but there are some technologies available to give you an edge and make you a harder target. For instance:
What this means is that while no system is perfect, it will make it much more difficult to hack. This encourages hackers to go after weaker companies first, before they come after you. There is a saying in the hacking world though.
“There are two types of organizations out there. First, there are the organizations that know they can and/or may have been hacked. Second, there are those organizations that don’t think they’ve been hacked, but already have been.”
In other words, it’s not a question of if they come after you, but rather when they come after you. Unfortunately, it may have already happened, you just don’t know it yet.
Now that you know the true value and risk associated with your patients’ medical records, I hope you can see that even a small clinic can’t assume it is under the radar. Each clinic’s patient database is just too valuable.
For more information, we can share a report on these and other tools that you can use to protect and secure your systems. Contact us for a list or even a demo.