A new study published in the journal Annals of Internal Medicine on September 24, 2019, draws attention to the serious implications of cybercrime in the area of health care records.
Researcher John (Xuefeng) Jiang shows that the health records of almost 170 million people across the country have been exposed in 1461 reported data breaches. These occurred over a period of ten years, from October 21, 2009, to July 1, 2019. In every one of these incidents, people lost one or more pieces of important personal data, and over 70 percent of the breaches involved sensitive information that could lead to identity theft. It’s not just the number of patients involved that matters; it’s the kind of information the criminals steal.
The PHI security breaches were reported online by the Department of Health and Human Services (HHS), which must be notified every time a healthcare data breach occurs. Healthcare programs and providers are legally required to report whenever protected health information is accessed by unauthorized personnel, and the HHS in turn must publicly report every case involving more than 500 people.
Patterns of data theft
To identify the kinds of theft that are most common in the healthcare cyber domain, the researcher looked at a detailed breakdown of the data breaches published by HHS during this period. In all the reported breaches of protected health information (PHI), the attackers obtained personal data ranging from the patient’s name to their email address.
In over half of them (about 960 cases), 150 million people lost control of their driver’s license numbers, dates of birth and social security numbers. In more than 500 incidents, many millions of people found their financial information exposed to hackers. And in almost 190 cases, the criminals got access to the bank account and credit card details of almost 50 million people.
For 50 million patients, their medical records themselves were exposed, giving others details of their diagnosis, treatment, and medications. In 22 of the breaches, covering 2.4 million patient records, this included very sensitive details such as addictions, HIV status, sexually transmitted infections (STIs), cancer, and mental illness.
What we can do
Despite the exposure of private medical information, Jiang doesn’t think there is much to gain from access to this kind of data, which is hard to sell at a profit. Instead, personal identifiers, credit card numbers and other data that can be sold to fuel identity theft are the bigger targets. The balance between data access and data security must therefore be carefully weighed: making patient data easier to retrieve should not come at the cost of weaker security barriers. And if sophisticated protection cannot be applied to everything, spend the money on the sensitive personal and financial information rather than on purely medical information. This is the most important way to make it harder and less rewarding to steal PHI.
Jiang says, “The main message for hospitals and health care providers is, if you have limited resources to safeguard information, you should put more emphasis on the sensitive kinds of information that can be sold on the dark web.” His advice for patients is not to focus on how many records were breached, but on what was actually stolen.
Other experts in biostatistics concur, but say that they still wouldn’t want any private information to pass through anyone’s hands except those of authorized personnel. They also debate the best way to keep data out of reach, whether on a local server or in the cloud. Cloud storage is handled by bigger companies, with greater potential for massive data breaches, but on the other hand these companies can usually afford to invest in far better and more extensive tools to protect the information they store against attackers.
Reference: John (Xuefeng) Jiang, PhD; Ge Bai, PhD, CPA. Types of Information Compromised in Breaches of Protected Health Information. Ann Intern Med. [Epub ahead of print 24 September 2019]. doi: 10.7326/M19-1759. https://annals.org/aim/article-abstract/2751916/types-information-compromised-breaches-protected-health-information