Why Healthcare Should Copy Banking Industry’s Response to Cybercrime
The healthcare industry should respond to patient privacy breaches the same way the credit card and banking industries react to their own security incidents, one writer suggests.
In a U.S. News and World Report op-ed, Brookings Institute fellow Niam Yaraghi notes that when a credit card is breached “all affected consumers are notified, their old credit cards are frozen and new ones are issued. The process is so quick and efficient that consumers often face considerably less harm from a credit card data breach, especially because many credit card issuers now provide fraud liability coverage to their consumers and insure them against fraudulent charges.”
The banks and credit companies act efficiently and effectively because a) they understand how common these incidents are and are well prepared to act quickly, and b) they know precisely how thieves plan to use the stolen information.
In contrast, when a health data breach is detected, providers and other covered entities generally conduct the mandatory reporting and offer victims identity protection services. Yaraghi argues that attacks on health data are more damaging because the industry is less certain about how they happen and how the stolen data will be used and monetized.
“In many cases, hackers aren’t really after health care data; they want patients’ credit card information, which due to poor information technology practices, is stored on the same network as many patients’ health records,” Yaraghi writes. “Hacking the financial part of the data also opens the door to medical data. In other cases, hackers want the medical data of one or a few individuals. As soon as a celebrity is admitted to a hospital, the hacking attacks on the specific hospital skyrocket.”
Another part of the problem, he says, is that there’s a lack of consensus over how much stolen medical data is worth on the black market. Expert estimates put the worth of one record between $1 and $500.
To help limit the frequency and consequences of data breaches, Yaraghi proposes that independent researchers and institutes study the ways in which a breach impacts victims. This can help authorities better understand how stolen data is used. He also encourages the Federal Bureau of Investigation and the Department of Health and Human Services’ inspector general to do similar data-gathering work.