Register now for the Arizona Geriatrics Society (AzGS) Summer Geriatrics Interprofessional Conference on Friday, August 8th at the High Country Conference Center in Flagstaff. The theme of this year’s Summer Conference is "Palliative Care: State of the Art & Art of the State."
The keynote speakers are two local experts in palliative care – Amberly Molosky, CHPCA, Director of Palliative Care at Banner Health and Stacie Pinderhughes, MD, Banner Good Samaritan Medical Center.
The health world is flirting with disaster, say the experts who monitor crime in cyberspace. A hack that exposes the medical and financial records of tens of thousands of patients is coming, they say — it’s only a matter of when.
As health data become increasingly digital and the use of electronic health records booms, thieves see patient records in a vulnerable healthcare system as attractive bait, according to experts interviewed by POLITICO. On the black market, a full identity profile contained in a single record can bring as much as $500.
The issue has yet to capture attention on Capitol Hill, which has been slow to act on cybersecurity legislation.
“What I think it’s going to lead to, if it hasn’t already, is an arms race between the criminal element and the people trying to protect health data,” said Robert Wah, president of the American Medical Association and chief medical officer at the health technology firm CSC. “I think the health data stewards are probably a little behind in the race. The criminal elements are incredibly sophisticated.”
The infamous Target breach occurred last year when hackers stole login information through the retailer’s heating and air system. Although experts aren’t sure what a major healthcare hack would look like, previous data breaches have resulted in identity and financial theft, and healthcare fraud.
While a stolen credit card or Social Security number fetches $1 or less on the black market, a person’s medical information can yield hundreds of times more, according to the World Privacy Forum.
The Identify Theft Resource Center — which has identified 353 breaches in 2014 across industries it tracks, says almost half occurred in the health sector. Criminal attacks on health data have doubled since 2000, according to the Ponemon Institute, an industry leader in data security.
Healthcare is the industry least-prepared for a cyber attack, according to security ratings firm BitSight Technologies. The industry had the highest volume of threats and the slowest response time, leading the FBI in April to issue a warning to healthcare providers.
The industry “is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely,” the FBI stated.
Why Healthcare and Why Now?
The high value of health information makes it attractive to hackers.
A credit card can be cancelled within hours of its theft, but information in a patient’s health record is impossible to undo. The record contains financial records, personal information, medical history, family contacts — enough information to build a full identity.
A patient’s credit card information alone may be easier to hack from an unsuspecting hospital than from Target, Michael’s or Neiman Marcus, experts say.
“Criminal elements will go where the money is,” said Wah, who was the first deputy national coordinator in the Office of the National Coordinator for Health IT. “They’re seeking health records not because they’re curious about a celebrity’s blood type or medication lists or health problems. They’re seeking health records because they can do huge financial, fraudulent damage, more so than they can with a credit card number or Social Security number.”
Healthcare is the Johnny-come-lately to the digital world, trailing banks and retailers with decades of experience in cybersecurity. Most hospitals and doctors have gone from paper to electronic health records in the space of a few years while gobbling up $24 billion in federal incentive money paid out under the 2009 Health Information Technology for Economic and Clinical Health Act.
“Frankly, healthcare organizations are struggling to keep up with this,” said information security expert Ernie Hood, of the The Advisory Board Company.
“It’s not that they aren’t trying,” said Dennis Seymour, chief security architect at IT security consultant Ellumen. “It’s just that they don’t do the best job implementing it.”
Other health security experts say hospitals’ response to cybersecurity issues has been lackluster, with providers still focused on privacy and confidentiality rather than data terrorists.
Security takes money and expertise to implement and isn’t a glamorous job, since success is measured by something not happening. The health system is still in the process of developing and vetting best practices.
This year’s annual security assessment by the Health Information Management Systems Society showed that about half of surveyed health systems reported spending 3 percent or less of their IT budgets on security. Some 54 percent of the 283 IT security professionals surveyed had tested a data breach response plan, and slightly more than half of hospitals had an IT leader in charge of securing patient data.
Health facilities pay their security staffs less than any other industry, said Stephen Boyer, co-founder of BitSight. “This may be the case of you get what you pay for,” he said.
One in 10 Have Had Info Breached
Nearly 1.84 million people have been victims of medical identity theft, according to a Ponemon report released last year, including 313,000 victims in 2013 — a 19 percent jump over the previous year.
Thieves steal health insurance information to gain medical care for themselves or others. Increasingly, people with fake health ID cards show up for care at emergency departments or use stolen identities to secure prescription drugs, which they resell, according to a white paper from the Medical Identity Fraud Alliance.
An Army reservist who left his insurance card at home while he served in Iraq had it “borrowed” by his uninsured brother, who used it to pay for thousands in coverage after a car accident. An elderly man who lost his insurance card discovered it had been stolen after he received care at an emergency room where he learned that someone else’s allergy to penicillin was on his chart.
The out-of-pocket costs incurred by victims of medical identity theft averages more than $18,000, according to the Ponemon report. A recent HIMSS security survey showed that 12 percent of healthcare organizations have had at least one case of medical identity theft reported by a patient. Many thefts go unreported and even undiscovered.
Since the Department of Health and Human Services began tracking the numbers in 2009, more than 31.6 million individuals — roughly one in 10 people in the U.S. — have had their medical records exposed through some sort of hack, theft or unauthorized disclosure. These may not represent the most serious attacks, according to experts at EY, formerly Ernst and Young.
“Threats are far more sophisticated than the breach reporting, which is kind of a trailing indicator,” said Reza Chapman, senior manager of EY’s Healthcare Advisory practice. “Some organizations have a little more of a sophisticated threat problem that they may not frankly be aware of.”
It’s difficult to know how stolen information is being used. “Nobody really ever knows unless you reach out to those individuals to see if they were affected,” said Seymour of Ellumen.
How the Hill is Responding
On Capitol Hill, health industry cybersecurity gets lumped in with the retail, financial and other sectors, says House Intelligence Committee Mike Rogers, and the difference between security and privacy becomes obscured.
“Hospitals are not spending a lot of time trying to make that information secure,” Rogers said in an interview. “They’re trying to make sure there isn’t a disclosure, which is absolutely appropriate, but that’s not the same thing that someone on the outside, a hacker, can get in there and steal that information and use it for nefarious purposes.”
Hospitals must proactively set standards for cybersecurity, rather than simply following government privacy rules, which were written in a different time, says Kathy Downing of the American Health Information Management Association.
For more than three years, Rogers has been championing the Cyber Intelligence Sharing and Protection Act, which would encourage the government and industry to share cybersecurity information and best practices. The House has twice passed it, but the issue has been slow to gain traction in the Senate.
Earlier this month, the Senate Homeland Security and Governmental Affairs Committee approved some companion legislation.
HHS, meanwhile, is stepping up with more aggressive enforcement of security breaches. Its Office of Civil Rights, which investigates privacy violations, has levied $10 million in fines in the past year. Last month, it fined New York Presbyterian Hospital and Columbia University Medical Center a combined $4.8 million for disclosing the personal health information of 6,800 individuals, including patient status, vital signs, medications and laboratory results.
There has yet to be a massive breach of health information that has captured the public’s attention like last year’s involving retail industry Target. But the AMA’s Wah thinks it’s just a matter of time.
“I believe that we’re not talking about if there’s going to be a big data breach in healthcare, it’s going to be how many and when,” Wah said. “Because there already are a tremendous number of data breaches that are occurring in healthcare today.”
The Centers for Medicare & Medicaid Services (CMS) today announced proposed changes to the Medicare home health prospective payment system (HH PPS) for calendar year (CY) 2015 that would foster greater efficiency, flexibility, payment accuracy, and improved quality.
Health Choice, the managed care solutions division of IASIS Healthcare, has signed an agreement with the Northern Arizona Regional Behavioral Health Authority (NARBHA) to form a joint venture called Health Choice Integrated Care to pursue new opportunities to deliver integrated behavioral and physical healthcare services in Northern Arizona.
This collaboration between Health Choice and NARBHA is being pursued in response to the State of Arizona's announcement, as part of the Arizona Health Care Cost Containment System’s (AHCCCS) strategic
Are you a PQRS eligible professional participating in claims-based reporting this year? Effective July 1, 2014, you will have to use the updated Remittance Advice Remark Codes (RARCs) for PQRS claims-based reporting that went into effect on April 1, 2014.
By April Dembosky, published in Kaiser Health News
Hospitals across the country are struggling to deal with a shortage of one of their essential medical supplies. Manufacturers are rationing saline - a product used all over the hospital to clean wounds, mix medications and treat dehydration.
The New York University (NYU) Langone Medical Center is now using a novel technology that serves as a "flight simulator" for neurosurgeons, allowing them to rehearse complicated brain surgeries before making an actual incision on a patient.
The new simulator, called the Surgical Rehearsal Platform (SRP), creates an individualized walk-through for neurosurgeons based on 3D imaging taken from the patient’s CT and MRI scans.