The street value of health information is 50 times greater than that of other data types. Even worse, the healthcare industry is among the weakest at protecting such information. With organized criminals trying to steal medical IDs, sloppy mistakes becoming more commonplace, mobile devices serving as single sign-on gateways to records and even bioterrorism now a factor, healthcare is ripe for some a wake-up call – one that just might come in the form a damaging "data spill."
Government Health IT Editor Tom Sullivan spoke with Larry Ponemon, chairman and founder of the Ponemon Institute, and Rick Kam, president of ID Experts (pictured below), which sponsored Ponemon's second annual Benchmark Study on Patient Privacy and Data Security. He asked about that data spill assertion, why healthcare lags other industries in privacy and security, and how the $6.5 billion spent on responding to data breaches could be better invested.
Q: The study finds that breaches are up 26 percent. Are things as bad as they seem to be?
Larry Ponemon: Data loss and data breaches happen all the time. And one of the possible reasons for increase in frequency for the data breach events can be due to the fact that organizations are more cognizant of it and are mandated by law to report it. In other words, it’s the old adage, 'If a tree falls in the middle of the forest and we don’t hear it, did it actually fall?' Well, organizations have a heightened sense of awareness, hopefully, about these laws and therefore the frequency is increasing because of that.
There is a second more nefarious possibility that data loss occurs because there’s just more criminal enterprise around data theft. And there’s evidence that, not just in healthcare, but generally that number seems to be on the increase as well.
So it’s a combination of factors, but the results of our research on a matched sample basis suggest that number certainly isn’t going down. Instead of getting better, it seems to be on the increase.
Q: What, specifically, are those factors?
Rick Kam: One of the interesting things within privacy circles is growing concern about the strategic nature of the data. For example the TRICARE information that was breached, there’s concern about the data including the vaccination and health information of our fighting forces being released or perhaps picked up by a nation-state like China or North Korea or others that would look at a bioterrorism strategy against our country in some respect. It might seem a little out there in terms of concern, but just as there’s nefarious for criminal or financial gain, there’s also nefarious for other types of issues where health information can be very useful.
Q: So, an enemy could potentially find out weaknesses in terms of vaccinations, and deduce the best way to attack our troops?
RK: Exactly. To use a bioterrorism agent that weakens the fighting forces of the U.S., knowing what they are vaccinated against and what they are not would be an important detail.
Q: Beyond the military, is the healthcare industry at large vulnerable to some sort of big data heist?
RK: Like when BP had their massive oil spill, there’s the potential for something like this to occur in the data security/privacy within healthcare – which would be a wake-up call for the industry. To put this into context, healthcare information compared to financial data or even oil is something that cannot be put back in the box. You can get a new Social Security number or a new credit card from a financial or identity theft. If you have an issue with the theft from TJX or one of those types of situations or even Sony with the email addresses and account numbers, but losing even a handful of hundreds of pieces of patient data that might surround a stigmatized illness or some variation on that theme, that information cannot be put back into the box. Once it’s out there, it’s out there forever. There are a couple of issues around that. One is that the information is worth 50 times what Social Security numbers are worth based on some of the things I’ve seen in various pieces of research, some of which Larry has done. So a Social Security number is worth, say, $1 on the street while a health insurance number and/or health information is worth $50 on the street, which points to the value of that information for other uses, whether it’s getting access to prescription drugs illegally, or health services.
So I do think there’s going to be a giant data spill of health information and that might be tens of thousands or even millions of records that create that impact. Since you’re Government Health IT, I love this example: Imagine if the health information of the U.S. Congress was compromised ... or of the GOP candidates … or some variation on that theme.