New technologies, legislation, mandates, regulations, deadlines, financial incentives, and management models and entities have all swept through the businesses of patient care and health insurance in relatively few short years. Left in the wake is a fragile, if not wobbly, structure responsible for processing, exchanging and protecting increasingly massive amounts of personal information – financial as well as medical.
No wonder the healthcare industry has become a target-of-choice for the world’s cyber criminals and organized syndicates. The Identity Theft Resource Center said that nearly half of the 353 criminal attacks it tracked so far in 2014 occurred in the healthcare sector.
While a credit card or Social Security number is worth a dollar or two on the Internet black market, a complete medical profile can fetch upwards of $500. Insurance and prescription drug fraud lead the wish list for those in the market for stolen patient information.
A study done for ID Experts by the Ponemon Institute reports that criminal attacks on the healthcare industry have doubled in the past four years. And the average cost a healthcare organization absorbs is approximately $2 million over two years; the good news is (not really) that the cost has dropped slightly compared to prior years.
The industry isn’t prepared for this. It has focused attention on instituting the measures necessary to ensure HIPAA compliance. While data privacy and confidentiality are essential, a healthcare provider can be HIPAA compliant and able to fend off OCR fines, but still not be secure from cyber terrorism. Healthcare systems spend three percent or less of IT budgets on security, according to the annual assessment done by the Health Information Systems Society. Health institutions are also notoriously parsimonious compared to other industries when it comes to IT and security wages.
Furthermore, the Affordable Care Act and the rise of organizations such as Health Information Exchanges (HIEs) and Accountable Care Organizations (ACOs) to help manage it all have not only increased the number of potential targets. They have brought in millions of new ePHI records, as well.
In other words, easier targets and lots of them.
“The healthcare industry is constantly under the microscope. Healthcare information security is closely watched by numerous government agencies, industry regulators, and consumers. This is no surprise, given the direct and personal involvement of healthcare providers in people’s lives, the complexity of the issues, and the billions of dollars that flow through providers and affiliated businesses,” said David Kidd, Peak 10 director of quality and compliance. “The security and compliance challenges can be overwhelming. Choosing business partners that understand these challenges and can deliver true value to alleviate the burden is its own challenge. Peak 10 has accepted and embraced this as one of our core competencies.”
As businesses worldwide have come to understand that relief can be found in cloud computing, so has the healthcare industry. Although many in healthcare profess little confidence in cloud computing, the magnitude of their security, compliance, budget, skills acquisition and data storage challenges is compelling them to find alternative solutions.
The ID Experts-sponsored study found that despite the perceived risk, 40 percent of organizations reported they are heavy cloud users, primarily for data storage and backup, business applications, file and document sharing, and collaboration. That is eight percent higher than last year.
Those involved with patient care are well advised to proceed with caution when evaluating and choosing a cloud service provider (CSP). This is a rapidly evolving industry with a large number of business models, offerings and service levels, as well as a range of professional capabilities. However, a blanket indictment of the entire CSP industry as a security threat is unfounded and needlessly undervalues the quality services and solutions to be found there.
With cloud storage and backup being primary use cases for healthcare providers, Peak 10 has prepared a guide to assist with vetting and choosing a CSP with the infrastructure, systems and skills that are essential to properly service healthcare-industry requirements and provide continuing guidance. It’s clear that the demands placed upon healthcare providers and administrators will not relent. Having capable business partners that can share the load and help make room to attend to other pressing business issues will be a strategic and operational necessity, if it isn’t already.