By Bryan Ansley, CEO of Secure Identity Systems
Health care identity theft is big business. While a credit card on the black market is worth 50 cents to a dollar, a health care record with a SSN can be worth anywhere between $20-$1,000. Did you know that 155 million personal records have been breached so far in 2015? And, that according to the Identity Theft Resource Center, 77 percent of these are health care industry breaches.
It would be an understatement to say that there’s a lot at stake with health care identity theft. The problem is massive.
- Anthem, 79 million impacted
- Premera Blue Cross, 11 million impacted
- Community Health Systems, 4.5 million impacted
- UCLA Health 4.5 million impacted
- CareFirst Blue Cross Blue Shield, 1.1 million impacted
Health care is the next fraud frontier. According to a TrendMicro report, from January 2005 to April 2015, health care was hit hardest by data breaches, accounting for 27 percent of breaches, followed by education (17 percent), government (16 percent) and retail (13 percent).
What’s currently been done about medical identity theft?
As a whole, the health care industry is not taking identity theft prevention seriously enough. The 2015 Health Care Industry Investments to Fight Medical Identity Fraud study found that detection systems lead technology spending over prevention and mitigation. Nearly half of respondents listed detection systems as half or more of their total IT budget, compared to just 23 percent indicating they allocated half or more of their budget to identity theft prevention systems. While there is a slight upward trend in spending by health care companies to detect, prevent and mitigate medical identity theft, fraud has decreased for only 4 percent of respondents.
The spending to fight the problem doesn’t add up to the cost of the problem. A Ponemon Institute report found that the number of medical identity theft victims who experience out-of-pocket costs rose significantly from 36 percent in 2013 to 65 percent in 2014. These victims faced more than $20 billion in costs in the last five years.
What can health care learn from the payments industry to stop identity theft?
First, health care companies need to stop relying on technology that does not fully protect its employees and patients from a cyber breach. For example, dual-factor authentication, tokenization, encrypted browsers, antivirus and anti-spyware cannot stop a keyboard level attack.
In 2014, key-logging malware made up 90 percent of all cyber attacks and 63 percent of all reported data loss. Key-loggers are inexpensive and effective. They can be embedded in emails, videos and music files, software downloads and even legitimate websites. With more than 12,000 key-loggers in distribution, the malware is successful in stealing keystrokes 98 percent of the time, and more than 93 percent of passwords worldwide were stolen due to key-loggers.
Keystroke encryption software encrypts data instantly at the point of origin, when an employee types on his or her keyboard. The technology protects everything from network remote access and online transactions to social media, personal and business information. It is imperative that future cyber security measures include encryption at the keyboard level as that is the only way to stop this form of attack. When heath care companies focus on the source of the biggest means of attack they will begin to see identity theft breach numbers drop.
Internal breaches are also particularly relevant in the health care industry. A recent TrendMicro report found that health care had a larger insider leak problem than any other business sector (17.5 percent of its breaches). In addition to keyboard encryption, the report suggests that medical employees should be required to use a smart card to physically access their workplaces and any secure areas as well as to log onto the network.
Where can the medical industry go from here?
While the medical industry currently has access to technology like keystroke encryption software to protect against identity theft, the industry faces steep challenges in protecting its electronic communications. This is in part because of the lack of technology investment dollars in prevention, and also because of the speed, resiliency and evasiveness of cyber criminals.
As the health care industry innovates its cyber security measures, its adversaries will also be innovating and quickening its hacks. As daunting as the challenge seems, sitting back and watching is not an option for health care organizations, and cyber and identity theft security needs to be a part of routine company discussions.
Bryan Ansley is CEO of Secure Identity Systems, which provides financial service companies with identity theft protection solutions. Connect with Ansley at BAnsley@SecureIdentitySystems.com or through Secure Identity Systems’ website.