Connecting state and local government leaders
Data breaches leading to medical billing fraud increase healthcare costs for governments, according to a new Verizon report.
Data breaches disclosing or exposing protected health information (PHI) aren’t only happening within the healthcare industry—10 percent occurring within the public sector, according to Verizon’s first-ever PHI Data Breach Report.
In fact, 90 percent of industries have experienced PHI breaches, 1,931 recorded since 1994 in Verizon’s Data Breach Investigations Report and the Vocabulary for Event Recording and Incident Sharing Community Database. And those 392 million disclosed records are just the ones reported by 25 countries.
Among the PHI data protected by state or federal laws like the Health Insurance Portability and Accountability Act (HIPAA): names, addresses, contact information, insurance and account numbers, beneficiaries, biometrics, photos, and medical records.
Many agencies don’t even realize they have particular PHI data stored away thanks to workers compensation claims, wellness programs and employee health insurance programs, but disclosure could have significant consequences for the safety and wellbeing of patients.
“The key stakeholders need to look at their information security initiatives and see what’s helping threat actors to be successful,” Bhavesh Chauhan, Verizon’s principal client partner for security solutions, told Route Fifty in an interview. “When you look at the data, if you look at breach and review what lessons were learned it would help focus how effective the controls in place are.”
The healthcare industry suffered the most breaches at 1,403, but the public sector came in second with 177 irrespective of agency size. Data loss is instead correlated with the type of information threat actors seek and where it’s processed.
Most threat actors are external, according to the report, though that doesn’t necessarily mean internal and partner actors disclose data maliciously.
And the biggest actions leading to breaches are physical, like credit card skimmers at a gas pump; human error, like an employee unintentionally losing a laptop; and misuse, like an employee with privileged access looking at the private records of a celebrity or politician.
Even when medical records are taken maliciously, they are generally only the means to obtaining personally identifiable information for other crimes, per the report:
“Detailed health records make it easier for criminals to engage in both identity theft and medical billing fraud—the former having direct impact on an individual or family, and the latter increasing healthcare costs for governments, organizations and individuals. Such private and potentially embarrassing (or worse) information can also be directly used against an individual, especially those in more sensitive positions.
The good news is threat detection is getting better with governments incentivizing healthcare providers to beef up security, fines for cyber crimes are increasing, and encrypting even a few portable assets reduces the risk of a breach because threat actors prefer easy targets.
That said, public and private healthcare providers must use electronic medical records to maintain federal reimbursement levels, so more medical history is digitally accessible than ever before in a time when large breaches, while rare, aren’t out of the question.
Half of the U.S. population has been impacted by data breaches since 2009, and the FBI warned healthcare providers in 2015 their industry was less secure against cyberattacks than the finance and retail sectors.
The true impact of breaches is hard to pinpoint because some patients have become less trusting of their doctors to protect their medical history, according to the report:
Recent studies have found that people are withholding information—sometimes critical information—from their healthcare providers because they are concerned that there could be a confidentiality breach of their records. This is not only a potential issue for the treatment of a specific patient; there are potential public health implications. An unwillingness to fully disclose information could delay a diagnosis of a communicable disease. This is especially true if the disease has an attached stigma.
“Impactful government leadership from a risk management perspective is needed,” Chauhan said. “It needs to focus where threat actors are focusings, which is an education process requiring awareness and transparency.”
Read the full report here.
Dave Nyczepir is a News Editor at Government Executive’s Route Fifty.