The transition into the era of electronic health records and health wearables has resulted in a plethora of electronic patient information, including dates of birth, home addresses, social security records, insurance details and medical data. This data is highly desirable on the black market. But there are ways to reduce the risk of fraud.
I recently spoke to Brian Kalis, managing director of digital health at Accenture, to learn more.
Just how big is the problem?
Accenture recently released a report, The revenue risk of healthcare provider cyber security inaction. It reveals that in 2014, nearly 1.6 million people had their medical information stolen from healthcare providers, according to the U.S. Department of Health and Human Services Office for Civil Rights. Accenture predicts that more than 25 million people—or approximately one in 13 patients—will have their medical and/or personal information stolen from their healthcare provider’s digitized records between 2015 and 2019.
Kalis explained that what most healthcare providers don’t recognize is that as a result of cyber attacks on medical information, many patients will suffer personal financial loss. In contrast to credit card identity theft, victims of medical identity theft often have no automatic right to recover their losses.
According to the Ponemon Institute, these financial losses may take several forms. Not fully understanding their medical bills, some victims have unwittingly paid bills run up by others. Some have had to reimburse their insurers for healthcare services obtained fraudulently. Many have incurred substantial legal costs as they have sought to unravel the cyber crimes perpetrated against them. In fact, 65 percent of victims of medical identity theft pay out-of-pocket (OOP) costs at an average of \$13,500 per victim.
The Accenture report further shows that healthcare providers are at risk of losing \$305 billion in cumulative lifetime patient revenue over the next five years due to patients switching providers because of medical identity theft. Almost half of patients said they would find a different provider if they were informed that their medical records were stolen.
What the blackhats are seeking
According to Kalis:
"Research has shown that there are multiple sources. The overwhelming majority is coming from nation states and organized criminal groups, primarily because the value of medical records is greater than traditional identities on the black market, up to ten times the value of traditional credit/identity info. However, there is also a high volume of employee internal responses such as the loss of laptops and USB drives, things that can be avoided through better risk management and compliance measures."
The healthcare data offered for sale includes names, birth dates, policy numbers, diagnosis codes and billing information, all of which can be used to create fake identification to buy medical equipment and drugs that can be resold, or to lodge fraudulent Medicare claims. This is compounded by delays: data breaches and medical identity theft are not always immediately identified by a patient or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected.
Is "digital trust" an answer?
Kalis and many others place great credence in the notion of "digital trust," a combination of cybersecurity, privacy and "data ethics." It extends beyond the notion of data security to an ethical viewpoint about "the handling, control and provenance of data, about making sure data is accurate and handled effectively. Digital ethics expands data security beyond pure safety to the decisions and actions you take to ensure that you are using that information responsibly for the people you serve as a steward of that information."
According to the Accenture report:
"Apple's efforts to be transparent in how it uses and secures customer data is testimony to the value this leading brand places on trust. Its new platforms, such as Apple Pay and HealthKit, are clear beneficiaries of this trusted-by-design approach because the strong security and ethics that are 'baked in' give customers confidence that their digital footprints are secure and private, easing the transition to and adoption of the Apple ecosystem. This underscores the role trust plays as digitally powered companies look to disrupt their own markets and enter new ones."
Kalis also notes that:
"What we’re seeing is the raising of security up to the board level, executive level response, so a lot of the ways of protecting it start with the leadership and overall aspect of making security of data a priority and then extend this philosophy to all the employees in practice. Then companies can move into more advanced ways of protecting the information internally, whether through using advanced analytics to detect both internal threats or misuses of information or external threats coming in."
Blockchain could also be health data's savior
Kalis also believes the blockchain can be part of the solution, as it shifts the model from centralized control to decentralized power that's ultimately controlled by the individual. He cites the example of Estonia, where blockchain technology is utilized to secure over a million healthcare records.
Ultimately, the issue of data theft and healthcare fraud is complex and challenging. There's not a simple solution. It requires consumers who understand the need to secure their health data, healthcare companies that employ advanced data analytics, top-down cultural change from the healthcare professions to preempt data breaches, and a legal system that provides appropriate detection and prosecution. As both IoT technology and criminals move quickly, the challenge will be to see if the security professionals and judicial system can keep up.