This is the first in a series of two posts. This post is an overview of today’s healthcare threat landscape; the second covers what those responsible for safeguarding Protected Health Information can do to respond.
The healthcare industry is built on trust between patients and care providers: trust that, as patients, we can share the most sensitive information about ourselves in order to receive the best care possible. Already, as patients we share personal, family, financial and historical medical information with our care providers, and very soon we will be asked to share genome-level information about ourselves as well. In essence, care providers and those who handle patient information hold the core of our identities, and increasingly there is great risk in how the industry handles “us”. The risks are escalating at a time when healthcare is consolidating with the intent of reducing expenses in areas that are not directly related to patient care, like information security and privacy. The impact shows in the statistics.
According to a report published on November 3rd, 2015 by the Identity Theft Resource Center, healthcare accounted for 68% of all records compromised across all industries in the United States in 2015. According to the report, 232 healthcare businesses had breaches impacting 119,959,229 patients. This means that, year to date in 2015, well over one-third of all United States citizens have suffered an information breach through the healthcare industry. The implication is that information crimes involving patient information are not limited to a few metropolitan areas. When over one-third of the United States has had their information breached as patients, clearly the crimes are prevalent and impact all of us, whether we live in metro or rural areas, north or south, east or west.
A recent article published in Healthcare IT News reported that medical identity theft alone is up 22%, impacting 2 million patients, and that victims are seldom informed of the breach by their care provider or insurer. In the same article, the financial damage of a single medical identity theft case is estimated to be $13,000, and this is just one aspect of patient damage. The raw numbers are staggering; the implications and damage to patients’ lives are immeasurable. We visit our care providers to get well and trust that all involved will protect our identities, and our loved ones’ identities, but according to the statistics not only is our protected health information breached, we are not even informed afterward.
What happens when patients believe that the risks of sharing far exceed the value of the care provided? In a sense, this is when the treatment is more dangerous than living with the condition. In survey after survey, we already see that patients commonly postpone care, travel long distances and withhold sensitive information over privacy concerns. Patients are concerned that data breaches will result in emotional turmoil, financial loss, reputation loss, professional setbacks and great loss of time.
We are all in this together. Today’s escalated information security threats leave the entire healthcare industry vulnerable, including patients, care institutions, physicians, clinicians and the vendors that serve the industry. The industry’s vulnerability is self-evident in the headlines and statistics from credible sources. This is not an indictment of any given care provider, but the statistics reflect poorly on our industry; change will have to start with each of us.