It’s the day before Halloween, which means at some point this weekend I will probably tune into one of my all-time favorite horror movies such as Sleepy Hollow, The Conjuring, or any of the Michael Myers classics. But no matter which scary flick I choose, perhaps nothing will be scarier than something I saw recently on healthcare data security.
Here’s what I’m talking about: a report from Accenture found that healthcare providers could potentially lose $305 billion in patient revenue over the next five years due to the impact of cybersecurity attacks. According to a Ponemon Institute survey, cited by Accenture, almost half of patients said they would find a different provider if they were informed that their medical records were stolen.
"Taking into account the estimated lifetime economic value of a patient, Accenture analysis shows that healthcare providers are at risk of losing $305 billion in cumulative lifetime patient revenue over the next five years due to patients switching providers because of medical identity theft," the report states. "Applying this methodology to recent healthcare provider data breaches, Accenture estimates that each provider organization lost an average of $113 million of lifetime patient revenue for every data breach it suffered in 2014."
The report used data from the U.S. Department of Health and Human Services Office for Civil Rights which found that in 2014, nearly 1.6 million people had their medical information stolen from healthcare providers. As such, Accenture predicts that 25 million people—or approximately one in 13 patients—will have their medical and/or personal information stolen from their healthcare provider’s digitized records between 2015 and 2019.
The report also highlights the personal financial loss to patients in the event of medical identity theft. Sixty-five percent of victims of medical identity theft pay out-of-pocket costs at an average of $13,500 per victim, the report states, citing the Ponemon survey. And, 16 percent of impacted patients—more than 4 million people—will be victimized and pay out-of-pocket costs totaling almost $56 billion over the next five years, Accenture predicts.
Think about that for a second—1 in 13 patients and out-of-pocket costs totaling $56 billion! I know that you are probably tired of hearing about Health Insurance Portability and Accountability Act (HIPAA) breaches of all sizes and shapes, but these statistics are not pretty. We have certainly said this many times before, but the industry is currently in a reactive rather than proactive state when it comes to information security. The question is not if you will be attacked, but when.
So what can be done to stop the bleeding? Perhaps no one is more well-versed on this topic than Jodi Daniel, former director of the Office of Policy in the Office of the National Coordinator for Health Information Technology (ONC) and current partner in the Washington, D.C.-based Crowell & Moring LLP’s healthcare group. At ONC, Daniel addressed privacy and security issues to ensure that there was clear guidance on how the initial HIPAA rules applied to health IT. According to a statement from her new employer, “Jodi literally wrote the book—and all the rules—governing health information technology, including the complex HIPAA privacy and enforcement rules.”
Wanting to tap into her expertise on the matter, I recently interviewed Daniel and asked her if data protection is getting any better. She mentioned that one of the biggest challenges healthcare has is that the federal rules do not apply to all entities that hold identifiable health information, but only to covered entities. Indeed, covered entities are defined in the HIPAA rules as (1) health plans, (2) healthcare clearinghouses, and (3) healthcare providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
Daniel said, “As we have different kinds of ways that people are getting healthcare services, as we see more direct-to-consumer tools and the like, it raises concerns about the protection of that information differently depending on who is holding that data. That’s a real gap that needs to be filled.”
She added, “On the security side, I think we will continue to see breaches as we have a lot of information in electronic format. It’s a matter of mitigating the risks, not eliminating risks. But we see this in every industry; it’s not unique to healthcare. The government does have an important role to play here in advancing security practices and standards. Individual organizations also need to be more diligent about identifying security risks and mitigating those risks in the best way so that we have limited harm in breaches or a reduction in the number of them.”
Daniel is right that security breaches are not unique to healthcare, but that doesn’t mean our industry isn’t among the most vulnerable and the most affected. For one, some statistics reveal that organizations in the healthcare sector are experiencing double the average number of internal security breaches compared with all other industries.
Michael Ebert, leader in KPMG’s healthcare & life sciences cyber practice, talks about why this might be, following a recent survey that found that an astonishing 81 percent of healthcare executives say that their organizations have been compromised by at least one malware, botnet, or other cyber attack during the past two years. “The vulnerability of patient data at the nation’s health plans and approximately 5,000 hospitals is on the rise and healthcare executives are struggling to safeguard patient records,” said Ebert in a statement about the survey. “Patient records are far more valuable than credit card information for people who plan to commit fraud, since the personal information cannot be easily changed. A key goal for execs is to advance their institutions’ protection to create hurdles for hackers.”
Perhaps help is on the way, however. This week, the U.S. Senate passed legislation intended to enable information-sharing in support of cybersecurity, a move that the leading associations of CIOs and CISOs in the country have applauded. The legislation, the Cybersecurity Information Sharing Act of 2015 (CISA), would give hospitals and health systems liability protection when sharing cyber threat information with the federal government, with the aim of improving the nation’s detection, mitigation and response to cybersecurity threats.
The passing of CISA in the Senate was lauded by both the College of Healthcare Information Management Executives (CHIME) and the Healthcare Information and Management Systems Society (HIMSS). In a statement, CHIME said, “CISA will allow CIOs and CISOs to share threats and vulnerabilities through a secure national information-sharing infrastructure with the necessary liability protections in place and will not risk patient trust. As an important piece of the nation's critical infrastructure, it is vital that healthcare organizations have the tools and information they need to identify and more effectively defend against growing cyber threats.”
Opponents of CISA question its worth, believing it will move responsibility from private businesses to the government, thereby presenting a serious threat to consumer privacy. In particular, several big-name tech companies have already spoken out against it. Personally, I think the legislation will allow the government to better help organizations secure their information systems.
CISA alone will not cure the industry’s data security problems, but at the very least, awareness and insight should be gained. That being said, the onus is still on the organizations themselves to mitigate risk and better prepare for potential threats. Until that happens, they can expect a lot more scares, and not just around Halloween time.
Comments or questions? Feel free to comment below or follow me on Twitter @RajivLeventhal.