California regulators are looking for ways to enhance oversight of medical records and healthcare data security in light of a growing problem they’re calling "medical identity theft."
Security experts distinguish medical identity theft from general identity theft, defining medical ID theft as "when someone uses an individual’s name and personal identity to fraudulently receive medical services, prescription drugs or goods, including attempts to commit fraudulent billing."
Healthcare data breaches usually include hundreds, if not thousands, of patient records per incident, and cybersecurity experts have claimed that stolen patient records may garner as much as $50 apiece on the black market.
The issue draws more attention to recent government efforts to clamp down on medical device cybersecurity, particularly for devices that operate on unsecured networks and which access or transmit sensitive patient information.
Just last month the FDA ordered medical device makers to remain “vigilant” about cybersecurity risks and mitigation efforts, noting that "cybersecurity incidents are increasingly likely."
"Failure to maintain cybersecurity can result in compromised device functionality, loss of data availability or integrity, or exposure of other connected devices or networks to security threats," according to the FDA. "These, in turn, have the potential to result in patient illness, injury, or death."
Healthcare was the 3rd most-breached industry in California in 2013, according to a Data Breach Report for 2012, published earlier this month. Healthcare made up 15% of all breaches, falling behind the retail and finance/insurance industries. Health information was also the 3rd most-common type of information that was breached, following behind Social Security numbers and payment card information.
Hacking and data leaks have become something of a ubiquitous problem among healthcare organizations, with 94% of groups surveyed by the Ponemon Institute reporting that they’d suffered a data breach in the past 2 years, mostly through lost or stolen devices or through employee errors.
In a separate survey conducted in the fall of 2012, 8% of the healthcare CIOs, IT directors and other leaders said their organizations had been targeted by malicious hackers in the past 12 months.
Nary a week seems to go by without a hospital or clinic warning its patients that their personal data may have been compromised, and the flurry of attention has even created a surge of demand for healthcare “breach insurance” to help pay for potential settlements and penalties.
Although there have been no reports of patient injury as a result of malicious hacking of medical devices, viruses and malware have already caused trouble in hospital-based machines and security researchers are making noise about the weak security protocols in medical technologies.