Data breaches are so common to the health care industry that, except for those national in scope, they hardly merit mention in the news. It may be surprising to learn that almost 42.5 percent of all data breaches occur in the health care industry, and that 91 percent of all health care organizations have reported at least one breach within a recent two year period. Almost one in eight Americans has had their health records compromised. There is no secret as to why medical records are so often a target of thieves. Not only is there sensitive personal information that can be used to obtain financial benefits, but there is often enough data to secure highly valuable health benefits including Medicare, Medicaid or prescription drugs. Unlike a stolen credit card which is easily canceled, medical information is virtually permanent. Most of the health care industry is aware of the issue, so why isn’t more being done to secure such valuable information? There are multiple factors that compromise medical organizations’ efforts, but the overarching issue is cost. There is a remarkable patchwork of legacy IT systems found within most provider organizations, and developing a security system that can protect against every possible unauthorized entry is time consuming and expensive. In an effort to stretch limited resources, most organizations resort to a less than effective security system that meets minimum HIPAA standards. Cyber security is also complicated by a lack of standardization within the industry and, even, within organizations. Many hospitals are trapped in long term contracts with software vendors that may only provide infrastructure for a single department. Often these disparate data systems interface poorly with other departments and organizations. On top of this antiquated and porous architecture, more organizations are proliferating vulnerabilities by adding access through mobile devices as well as professional and user applications. New systems that utilize Big Data and informatics also add levels of sophistication that can be exploited by savvy criminals. This patchwork of old and non-integrated data systems contributes to a great deal of manual management. Instead of managing a streamlined, central operating system common to most other industries, health care data administrators must often attend to each departmental system individually. This can lead to lapses in protection that hackers can exploit. Finally, the amalgam of old and new systems also makes it more difficult to respond to a breach in progress. System administrators must often investigate individual applications and servers for hours to discover how the unauthorized entry occurred, which records were compromised and how to terminate the unauthorized presence. Most hospitals do not have the dedicated personnel on hand to respond appropriately to a cyber breach, allowing it to continue unchecked for an extended period of time. Without a qualified team of IT professionals, most medical organizations are open to a variety of cyber threats. A lack of experienced IT professionals to monitor data systems can often permit hackers to root through records for long periods of time before even recognition that a breach has occurred.
Article written by: Robert Moghim, M.D. – CEO, Moghim Medical Consulting, Inc.