It’s a well known truism within much of the healthcare data security community that an individual healthcare record is worth more on the black market ($50, on average) than a U.S.-based credit card and personal identity with social security number combined. The Ponemon Institute even pegs the annual economic impact of medical identity theft at $30.9 billion. A question we hear often is: Why are health records such a lucrative criminal enterprise; and what goes into this high value? The short answer is twofold: lack of containment and options.
Healthcare records are difficult to contain, simply because they contain a lot of disparate data, and are held in myriad locations: back office applications of insurance providers, hospital archives, clinical laboratories; and increasingly, on smartphones and tablets. An individual can’t simply “cancel” a healthcare record the way they can a credit card. And this longevity may increase the value of the record, in much the same way, for example, the longevity of the battery in a hybrid car increases the cost of that battery – it has the promise of going further.
Healthcare records also provide options to the thieves who covet them. For instance, a thief can use a healthcare record to submit false medical claims (and thus obtain free medical care), purchase prescription medication, or resell the record on the black market. This veritable menu of options also increases the value of these records. A study in the Journal of Marketing Research indicated that consumers who have a wider array of choices are more engaged, and are willing to pay a premium for perceived higher quality.
These factors make healthcare data repositories a tempting target, whether they’re hospitals, billing offices, insurers, or even the backseat of a clinician’s car. Healthcare providers can stay one step ahead by conducting security risk assessments, as well as implementing mitigation measures such as IR (incident response) and forensics, and monitoring for any suspect activity within the walls of the healthcare provider. As a recent article in the Journal of Healthcare Information Management describes, using a basic approach that includes these measures can enable “healthcare organizations to focus their human capital and core resources on pursuing and managing innovation that furthers the mission of improving patient outcomes.”