
Healthcare Data Security Needs its "Leather Bustier" Moment

November 12, 2013

A while back there was a series of clever, funny commercials from Citibank about the dangers of identity theft. In the commercial, you’d get an actor in a typecast setting with a completely different voiceover talking about everything they’ve bought with the person on the screen’s stolen information. There was a computer geek talking over a lady in a salon, a wannabe actress talking over a guy in a gym, a biker talking over an old lady cleaning out a pool, and my personal favorite:

The Leather Bustier girl talking over the couch potato. It’s engrained in my head any time I think about identity theft.

The idea was that identity theft was a very serious problem, especially on the internet, and having a credit card from Citi would allow you to live a worry-free life of consumption. Obviously, that last part is up for debate, but I think these popular commercials were important.

They came at a time when the idea of identity theft, specifically on the internet through the use of credit cards, was only beginning to emerge as a serious problem. In the five-year span from 2005 to 2010, credit-card data theft increased by 50 percent, per the U.S. Department of Justice. As silly as they were, I truly believe that for average consumers, those commercials helped bring the problem to light. Eventually, security methods with credit cards on the web became more diligent and commonplace.

Today, identity theft is still a growing problem and there are more portals through which cybercriminals can steal your identity. For the purposes of this audience, the one I care about is unauthorized access to someone’s protected health information (PHI).

There have been times when I’ve gotten on my soapbox, which is this blog, and preached about the importance of protecting patient data. If you are familiar with Healthcare Informatics’ resident data security guru, Mac McMillan, you’ve probably read similar pleas, here or elsewhere.

Unfortunately, healthcare industry data security is a growing threat that few providers are willing to invest resources in, to “nip it in the bud.” Recently, I went through a list of data breaches in 2013 from the Identity Theft Resource Center, a non-profit firm that provides assistance to identity theft victims, and was shocked at how many were from healthcare. But you don’t even have to click on the above link or check out other studies on this issue. All you need is to sign up for a “Google News Alert” for the words “healthcare data breach.” You’ll see what I’m talking about.

Why is this so? This was a question I asked for my recent feature in the November/December issue of HCI. Here was one answer I got:

“Hospitals have a lot of competing priorities. There are a lot of health IT changes and demands in recent years. There has been the big movement towards meaningful use of electronic health records. Lots of time and resources have been spent on that. They’re switching ICD-10. All these initiatives are going on, and it’s very easy to push security down and de-prioritize it.” - Jared Rhoads, a senior research specialist with the Falls Church, Va.-based CSC’s Global Institute for Emerging Healthcare Practices.

Another problem is return on investment (ROI). Healthcare data security doesn't truly affect the bottom line until it does, if you get what I’m saying. Here’s what McMillan brilliantly said in my feature:

“We look at other systems, and we say, ‘If we buy this bed tracking system, we’re able to funnel 13 more people through the system and accrue this much more revenue from an operational efficiency perspective.’ Look at security the same way, in terms of what is the cost of an outage or a data breach, and what this technology will do for ROI. We have to do a better job of understanding how these technologies fit into our businesses and contribute to the top and bottom lines.”

This is all true, and what Rhoads or McMillan or any security expert will tell you is that despite the struggle for resources and revenue, you can’t be reactive with protecting patient information; you have to be proactive. The problems with PHI security are only going to compound, they say, as more data is digitized and as cybercriminals become even more sophisticated and aware of the gold mine that healthcare records offer.

These increasing cyber threats will mean more instances of identity theft. According to an annual survey released by the Traverse City, Mich.-based Ponemon Institute LLC, medical identity theft was up in 2013, 20 percent compared to the year, affecting an estimated 1.84 victims, with total out-of-pocket medical costs incurred by medical identity theft victims of $12.3 billion. Like I said, that number will just go higher.