Assessing HIPAA Compliance of Open Source Electronic Health Record Applications


Hossain Shahriar, Hisham M. Haddad, Maryam Farhadi
Copyright: © 2021 | Pages: 15
DOI: 10.4018/IJISP.2021040109

Abstract

Electronic health record (EHR) applications are digital versions of paper-based patient health information. EHR applications are increasingly being adopted in many countries. They have resulted in improved quality of healthcare, convenient access to histories of patient medication and clinic visits, easier follow-up of patient treatment plans, and more precise medical decision-making. The goal of this paper is to identify HIPAA technical requirements, evaluate two open source EHR applications (OpenEMR and OpenClinic) for security vulnerabilities using two open-source scanner tools (RIPS and PHP VulnHunter), and map the identified vulnerabilities to HIPAA technical requirements.

Introduction

Digital versions of health data have improved the quality of care through easier follow-ups, lower cost of patient care, the ability to track data over time, and more precise medical decisions. Three types of health records are defined: (i) Electronic Medical Records (EMRs) are digital versions of paper-based clinical data. The clinical data, gathered by clinicians, include information that enables clinicians to make better medical decisions; (ii) Electronic Health Records (EHRs) provide a more comprehensive view of the patient’s overall well-being. They contain information collected by all clinicians engaged in the patient’s healthcare, so information in EHRs can be shared among all involved providers; and (iii) Personal Health Records (PHRs) are EHRs that are controlled and accessed by the patients themselves (EHR, 2019).

As healthcare becomes more and more evidence-based, storing health data is becoming more important. Weak health data protection may lead to identity theft, obtaining medical care at the expense of others, ordering expensive drugs for resale, and fraudulent insurance claims (Data, 2013). Moreover, healthcare data hacks may threaten a patient’s health if the patient’s medical history is altered. For example, if health records do not contain a correct listing of allergies, the patient could suffer serious consequences or death due to a wrong prescription (Smith et al., 2010).

Compared to banks and financial institutions, patients’ data has less protection. Banks are mostly equipped with two-factor authentication, while healthcare applications are not. Two-factor authentication is an extra layer of protection that requires not only a username and password but also some unique information that only the user has, such as a physical token. Furthermore, unlike bank accounts, which can be locked and changed for protection, health data that has been compromised and disclosed cannot be taken back (Oliynyk, 2016; 2FA, 2019).

In 2017, Emory Healthcare’s appointment system was hacked, compromising the PHI of almost 80,000 patients, including names, birthdates, internal medical record and appointment information. The appointment information was unencrypted, which allowed the hackers to obtain it in plain text. According to a report (Emory, 2017), this incident was the largest breach of 2017 in the US. The HIPAA Meaningful Usage act requires that any data security breach affecting 500 or more patients be reported to the public through the US Health and Human Services Office for Civil Rights' Breach Portal, and the affected healthcare provider must take appropriate steps within a certain time limit or face further penalties. Thus, PHI leakage not only damages the reputation of healthcare providers but also affects patients’ privacy and well-being.

The prevalence of healthcare data security breaches can be observed both inside and outside the USA. According to the 2016 Data Breach Investigations Report (DBIR), there were 115 cases of data breach in North America during 2015: 32% privilege misuse, 22% miscellaneous errors, 19% stolen assets, 7% point of sale, 3% cyber-espionage, 3% crimeware, 3% web applications, and 11% other incidents. Healthcare is among the industries most vulnerable to physical theft and loss, miscellaneous errors, insider and privilege misuse, and others. Physical theft and loss is any occurrence where information, or a device containing information, goes missing. Miscellaneous errors occur when accidental actions weaken a security attribute. Insider threats and privilege misuse refer to all unapproved or malicious use (Data Breach Report, 2016).

According to the Verizon survey report, some of the reported healthcare data breaches in 2015 were as follows. In February, Anthem, a Blue Cross health insurance member company, reported a data breach affecting 80 million patients. In March, Premera, another Blue Cross member, reported a data breach affecting 11 million patients. In both cases, ThreatConnect (2019) announced that the Chinese threat actor “Deep Panda” was probably the attacker. Partners HealthCare, CareFirst Blue Cross and Blue Shield, MetroHealth and Bellvue Hospital reported breaches in April 2015. In June of the same year, the US Office of Personnel Management (OPM) reported mega-breaches involving health insurance. The US Department of Health and Human Services reported a breach in August 2015 (Data Breach Report, 2016).
