2014: A ‘Perfect Storm’ For Data Breaches

12-17-2013 7-37-49 PM

According to a recent Experian report, there are a number of changes expected to take effect in 2014 that could result in a landmark year for data breaches. Within the healthcare industry, the report goes so far as to call its view of 2014 a “perfect storm that could cause significant business disruption.” Analysts cite a number of converging trends as the source of the problem, which makes implementing preventative measures just that much more difficult a proposition.

The Cloud and Big Data

Big Data is running away with the hearts and minds of idealist health IT defenders and public health researchers. Even outsiders are pointing to big data as having the potential to be a major disruptor to the way modern medicine is practiced.

The problem with big data, from a security perspective, is that it’s essentially just a big database. This means it’s a big target. Cloud-based EHR vendors fall into the same bucket. Athenahealth, a cloud-based ambulatory EHR, boasts a centralized database containing 40 million patient records, and growing. As ARRA pushes more and more patient charts out onto servers, the result is a growing number of high-value databases containing millions of patient records.

Criminals can easily monetize a database of that size. According to a 2012 report, “A stolen medical identity has a $50 street value – whereas a stolen social security number, on the other hand, only sells for $1.” That math puts the street value of athena’s cloud-based database at $2 billion.

Even without selling the records, there is value in just gaining access to a databases of this size. Last year, Bloomberg covered the booming trend of criminals hacking into physician practice servers, then locking the doctors out and demanding a ransom payment before returning access to their patients medical records.

EHRs, HIEs, and the HIPAA Omnibus Rule

Health Insurance Exchanges are expected to add seven million newly insured patients by March of 2014. These newly insured will enter the system largely through notoriously vulnerable web-based portals like Healthcare.gov. 

Once insured, these new healthcare consumers will be seen by primary care physicians that are likely just now implementing EHR systems, and are unfamiliar with the requirements to effectively secure patient data. The report explains, “many doctors’ offices, clinics, and hospitals are not in the data management business and therefore do not have enough resources to safeguard their patients’ PHI.” Between the adoption of EHRs, and the push to ensure millions more through HIEs, analysts say healthcare is, by far, the most susceptible to large breaches in 2014. 

Analysts also expect, due largely to more stringent protocols introduced within the new HIPAA Omnibus Rule, that healthcare will face the highest fines for data breaches, and will see the highest levels of public backlash when events do occur.

Data Breach Fatigue

Experian predicts that as reporting requirements increase, not only in healthcare but across industries, media coverage will increase and apathy will set in. Consumers, Experian predict, will start to tune out of the data breach conversation.

Because consumers play such a key role in protecting their own PHI, apathy can have a direct impact on data security. Simply failing to reset passwords on compromised accounts can open systems up to additional data vulnerabilities. Failing to follow instructions within breach notifications, like taking advantage of credit monitoring services, creates an environment that is safer and more lucrative for criminals to operate. 

Conclusion

Experian’s data breach report has seen significant coverage from the media recently, despite an obvious conflict of interest in that the company partners with cyber-insurance brokers to provide breach response services and so has a financial stake in the market. The study claims that the cyber-insurance market was worth $1.3 billion in 2013, but that this figure is expected to climb to $2 billion in 2014, on 50 percent growth predictions. It goes on to explain that “Cyber insurance will start to become a must-have for companies.” Most of the arguments made read like an attempt by Experian to goose the cyber-insurance market, rather than prevent a potential data breach.

With or without cyber-insurance, its an undeniable fact that hospitals and practices are being asked to implement new systems at a pace faster than most are comfortable with. The result is that healthcare entities are being asked to secure more data than they’ve ever had to. They’re being asked to support a wider array of end users accessing the network on a broader spectrum of devices and, they’re being asked to transmit that information to a wider body of third-party entities than they’ve had too in the past. In this new environment, data breaches will almost certainly happen more frequently.


Enjoy HIStalk Connect? Sign up for update alerts, or follow us at @HIStalkConnect.

↑ Back to top

Founding Sponsors

Platinum Sponsors