If you think about it medical facilities can be thought of as a bank of your most personal data. Sure it contains your address, social security/national insurance information, age, billing and payment, but it also contains your blood type, diagnoses, prognoses, and prescribed medication. And, as we all know, banks are only as good as the vaults that they keep their valuables in. Some banks have state of the art systems that are almost impervious to breaches while others have a man named Steve sitting by the door to protect their belongings. Now this may come as a surprise, but healthcare facilities are no different.
“But I see nurses, doctors and staff typing away on keyboards all the time in hospitals, doesn’t this mean that all my data is secure?” You would think so, but the truth is that the systems of many hospitals, medical facilities, insurance and government agencies do not always have a secure link. This leaves the system open to multiple vectors of attack.
Imagine what a malicious digital criminal could do with the data entrusted in the systems of healthcare facilities. Insurance fraud leads the charge with false insurance claims made assumed under false identities. Next comes attacks made directly to patients who are preyed upon by fraudsters in hopes of extracting money from them under the guise of hospital bills. What if a fraudster holds your medical record for ransom and threatens to release it to your employer or to the public unless you pay them a huge sum of money? Then there’s the truly nefarious ploys that almost seem like they’re straight out of a science fiction novel. What if a criminal builds a biological weapon specifically targeted to your DNA or existing medical conditions, information that they purchased from a hacker that stole the information from your doctor or hospital? Seems farfetched, except that attacks on hospital servers have been recorded for this very purpose.
The issue is so crucial and important that the government of the United States has enacted both HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act) to curb the mistreatment of patient’s digital information. In the UK we have the Data Protection Act (DPA 1998) in compliance with the Information Commissioners Office (ICO). These legal acts put the medical and healthcare facilities, along with insurance agencies and anyone else handling patient and customer information, in the crosshairs. If companies and agencies are not compliant with the terms and information safety protocols listed in these acts, they face steep and heavy fines from the government. In some extreme cases, imprisonment for negligence. In the US, several hospitals and medical facilities have already faced multi-million dollar losses and even bankruptcy as a result of non-compliance and breaches.
If your company or agency handles patient information in any way, it is best to err on the side of caution and brush up on your national and international legal data compliance. Make sure your company is compliant and your data is under the best guard and key that you can afford. Why take a risk by leaving it under the watchful of an average Joe (or in this case Steve), when there are several highly efficient security solutions for SME businesses available as well as IT Companies able to deliver the service.