Jon Wilkinson, privacy officer, IBM Watson Health
Jon Wilkinson, privacy officer, IBM Watson Health

Credit card theft? Old news...How about medical identity theft?

No, I'm not downplaying the severity of credit card theft. But medical records can be much more valuable – approximately 10 times more valuable, according to one notable survey – and the implications for victims severe. Stolen medical IDs can be used to file false claims for reimbursement, to obtain treatment, or to obtain narcotics such as prescription painkillers. 

Electronic medical records have created incredible new opportunities for patient care, but have made medical data far more accessible to hackers. The challenge in protecting medical data has been compounded by the increasing number of entities handling electronic medical information – health care providers, medical device manufacturers, insurance companies, medical payment processors, cloud service providers, and more.

The implications for victims of medical identity can be severe. In one instance, a mother of four was arrested and faced a child custody action after her stolen medical information was used by a woman who gave birth to a child who tested positive for illegal narcotics.  More typically, victims of medical record thefts face loss of insurance coverage, medical collections and high costs associated with remediation. 

In addition, and perhaps more frightening, medical identity theft has created a new risk to patients when a stolen record is used for treatment, because the treatment history of a thief can end up as a part of the original record-holder's history, with life threatening consequences. A discrepancy as simple as an incorrect blood type can be deadly. 

Given the value of medical records, it's not surprising that medical providers have increasingly become the source of sophisticated cyberattacks. Unfortunately, most health care institutions have limited budgets for data security programs and personnel to battle attackers. The result is asymmetric cyberwarfare at its worst. Losses associated with medical breaches can be extraordinarily high; in addition to response and assistance to victims, stiff fines and severe public backlash are almost certain results.

Fortunately, threat intelligence offers an opportunity to reduce the asymmetry and all entities that hold health data should integrate threat intelligence into their IT security programs. As well, security professionals employed by health care providers, particularly smaller providers that don't have enormous IT budgets, should take several important steps.

First, research threat intelligence solutions in the marketplace and find service providers that integrate strong threat intelligence into their products. 

Second, find similar organizations that have strong security programs in place, and share threat intelligence and vendor information with your IT counterparts at those organizations.

Third, look to regulators and other authorities for assistance and guidance. While most health care organizations don't think to reach out to regulators, like the Department of Health and Human Services (HHS), there can be great benefits in doing so. In fact, HHS is offering both guidance and grants for improved threat intelligence solutions.

We can expect that the attacks on medical providers will continue to increase. But threat intelligence gives health care security professionals an important weapon to fight back.