Authors: Jane Kim and David Zakson
Published: Spring, 2016
32 J. Marshall J. Info. Tech. & Privacy L. 133 (2016)
Today, cyber criminals recognize that a treasure trove of confiden- tial and protected information is found not within financial institutions but within the healthcare industry. In addition to financial information, medical institutions hold information on valuable IP, health records, and sensitive research.1 Health records sell for up to 20 times more than credit card information on the black market.2 A “full identity 'Kitz',” a complete medical record, coupled with health and financial information, can demand up to $1,300 per person.3 Cyber criminals salivate over such financial healthcare data rewards.
It is disconcerting that although “healthcare organizations manage a treasure trove of financially lucrative personal information [, they] [...] do not have the resources, processes, and technologies to prevent and detect attacks and adequately protect patient data.”4 The FBI has warned the healthcare industry that the “IT systems and medical de- vices [of healthcare providers] were at risk for increased attacks from hackers due to lax cyber security standards and practices.”5
And the statistics speak for themselves:
A recent study by the Ponemon Institute found that 91 percent of healthcare organizations have suffered at least one data breach in the past two years, 39 percent have experienced two to five data breaches, and 40 percent have suffered more than five. Still, the study found, half of all healthcare organizations have little or no confidence that they have the ability to detect all patient data loss or theft, and more than half don’t believe their incident response process has adequate funding and resources.6
According to one study, “data breaches could be costing the healthcare industry as much as $6 billion per year.”7 The likelihood of breaches reverberates throughout the healthcare industry which affects how patients receive care; over 10% of patients tend to withhold rele- vant medical information from their doctors for fear of it being re- disclosed to unauthorized persons.8
The healthcare industry can strengthen its data security through two avenues simultaneously: (a) a risk-based approach through NIST and Formal Security Frameworks, which set priorities based on the probability of exploitation and impact on business; and (b) a compliance-based approach to train, monitor, audit, remedy, and importantly, ensure that the responsible corporate officers are engaged and are not held individually responsible (turning a blind-eye is no longer an ac- ceptable excuse9) for breaches.
Therefore, Compliance Officers and other responsible corporate of- ficers need to be at least familiar with how data works and what it takes to protect it in order to make proper decisions in such regard. A responsible corporate officer cannot merely rely on cyber or data breach insurance to protect their entities’ wallets (not data) from data hacks on a rainy day.10
1. Christine R. Couvillon, It’s (Not) Academic: Cybersecurity Is a Must for Univer- sities and Academic Medical Centers, THE NATIONAL LAW REVIEW, (November 23, 2015), http://www.natlawreview.com/article/it-s-not-academic-cybersecurity-must-universities- and-academic-medical-centers#sthash.s9holOIJ.dpuf.
2. Caroline Humer and Jim Finkle, Your medical record is worth more to hackers than your credit card, REUTERS (September 24, 2014), http://www.reuters.com/article/us- cybersecurity-hospitals-idUSKCN0HJ21I20140924#c2IUK2WcQ5xypa3D.97.
3. Jeanine Skowronski, What your information is worth on the black market, BANKRATE, (July 27, 2015) http://www.bankrate.com/finance/credit/what-your-identity-is- worth-on-black-market.aspx#ixzz3tklgL6E6.
4. Jeff Goldman, 91 Percent of Healthcare Organizations Suffered Data Breaches in the Past Two Years, (May 12, 2015), http://www.esecurityplanet.com/network- security/91-percent-of-healthcare-organizations-suffered-data-breaches-in-the-past-two- years.html (hereinafter 91 Percent).
5. Gabriel Perna, After the Community Health Systems Incident, FBI Issues An- other Hacking Warning to Healthcare, HEALTHCARE INFORMATICS (August 25, 2014), http://www.healthcare-informatics.com/news-item/after-community-health-systems- incident-fbi-issues-another-hacking-warning-healthcare.
6. Jeff Goldman, Data Breach at UCLA Health Exposes 4.5 Million People's Per- sonal Information, (July 21, 2015), http://www.esecurityplanet.com/network-security/data- breach-at-ucla-health-exposes-4.5-million-peoples-personal-information.html (hereinafter Data Breach at UCLA).
91 Percent, supra note 4.
Sara Peters, 90% Of Industries, Not Just Healthcare, Have Disclosed PHI In Breaches (December 2015), http://www.darkreading.com/analytics/90--of-industries-not- just-healthcare-have-disclosed-phi-in-breaches/d/d-id/1323535.
9. See generally DEPARTMENT OF JUSTICE, MEMORANDUM FOR THE ASSISTANT ATTORNEY GENERAL, SALLY QUILLIAN YATES (Sept. 9, 2015).
10. Lena J. Weiner, Cybersecurity Insurance Basics for Healthcare Organizations, HEALTHLEADERS MEDIA (June 8, 2015), http://healthleadersmedia.com/content.cfm?content_id=317181&page=1&topic=TEC; Christine Marciano, How much does Cyber/Data Breach Insurance Cost?, DATA BREACH INSURANCE (Feb. 1, 2016), http://databreachinsurancequote.com/cyber-insurance/cyber- insurance-data-breach-insurance-premiums/.