A new Government Accountability Office report shows that concern is warranted, now more than ever.
In 2015, 113 million electronic health records were breached, a major leap over the 12.5 million the year before. In 2009, the number was less than 135,000. The number of reported hacks and breaches affecting records of at least 500 individuals rose from none in 2009 to 56 last year, almost double from 2014.
“The magnitude of the threat against health care information has grown exponentially,” GAO said, citing a 2015 study by the KPMG accounting firm.
Electronic health records are not just convenient. They also provide a cost-efficient, valuable service in our fragmented health-care system. Modern technology allows different providers, say a primary care doc and a specialist, to share information about the same patient.
Without that, care can suffer and health-care spending can grow unnecessarily.
“Lack of care coordination can lead to inappropriate or duplicative tests and procedures that can increase health risks to patients and poorer patient outcomes,” GAO said. It previously reported that fragmentation can increase health care costs by $148 billion to $226 billion per year.
But electronic health records come with a cost. As cyberthieves become bolder, more creative and more successful, the risks to our personal information increases. That includes everything from Social Security numbers to medical conditions.
Health care is considered so important to that it has been declared part of the nation’s critical infrastructure. Critical infrastructure, GAO explained, is “so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on the national public health or safety, nation’s security, or national economic security.”
While the health-care system certainly is not incapacitated, the data on cyber-breaches show it has been hit hard. Cyber incidents highlighted by the report include:
- Anthem, Inc., part of the Blue Cross and Blue Shield Association, said in January 2015 that hackers took personal information for about 79 million people, including “names, dates of birth, Social Security numbers, health care ID numbers, home addresses, e-mail addresses, and employment information such as income data.”
- That same month, Premera Blue Cross, working primarily in Alaska and Washington, discovered that cyber attackers had gained unauthorized access to its IT systems. The initial attack occurred in May 2014 and hit 11 million records of patients, including “names, addresses, e-mail addresses, telephone numbers, dates of birth, Social Security numbers, member identification numbers, medical claims information, and bank account information.”
- In July 2014, Community Health Services said hackers took records, including Social Security numbers, patient names, birth dates, addresses and telephone numbers, belonging to 4.5 million people.
- The University of California at Los Angeles (UCLA), reported in May 2015 that cyberthieves stole loads of data, including “personally identifiable information (PII) such as names, addresses, dates of birth, Social Security numbers, medical record numbers, Medicare or health plan ID numbers, and some medical information.”
Cyberattacks on health records are increasing because they are valuable for use or sale.
“Criminals are aware that obtaining complete health records are often more useful than isolated financial information, such as credit information,” GAO said. “Electronic health records often contain extensive amounts of information about an individual.”
Sen. Lamar Alexander (R-Tenn.), chairman of the Senate Health, Education, Labor, and Pensions Committee, said the Department of Health and Human Services (HHS), “whose job it is to make our personal medical records secure, has work to do. Its guidance is hard to follow, it has no benchmarks so there’s no way to measure the effectiveness of its oversight, it doesn’t communicate with other federal agencies who may be unknowingly giving taxpayer dollars to companies with security problems, and it provides irrelevant technical advice.”
Sen. Patty Murray (Wash.), the top Democrat on the committee, said Congress should “make sure that HHS has the resources and support it needs to implement security tools that will protect personal information.”
GAO made five recommendations “to improve the effectiveness of HHS guidance and oversight of privacy and security for health information.” HHS said it agrees with and plans to implement three of them. It did not take a position on the other two, but said it would consider implementing them as well.
A word of caution. If you think you can trust everyone in a long white coat, consider this from the report: “insiders are consistently identified as the biggest threat.”