Hospitals cannot prevent cyberattacks, but they can protect patient data

There was a time when the health care industry would learn that a hospital or health system-related data breach had occurred, and it would be considered an unfortunate anomaly. Health care C-suite executives might use the incident as an opportunity to inquire about their own existing safeguards and risk of cyber threats, but these instances were rare and always happened at someone else's hospital or facility.

Sadly, that time has passed. It is no longer a question of whether your hospital or health system will be breached, but of when and how bad the breach will be. In fact, a recent study, The State of Cybersecurity in Healthcare Organizations in 2016, found that health care organizations average nearly one cyberattack per month. Now, the critical question health care executives must be prepared to answer is from their patients: was my medical identity data breached?

Electronic Medical Records: Opportunities and Challenges
Tools such as online patient portals and telemedicine offer fantastic opportunities for improving access to care and patient satisfaction levels, while reducing delivery costs. Yet, as hospitals and health systems institute electronic health records (EHRs), it is fair to say that the data contained within those records make the computer systems and networks that maintain them a desirable target for hackers and cyber criminals. The reason is simple: experts say a stolen medical record is valued at $60 to $70. There is a lot of money to be made from stolen medical records.

In fact, the Identity Theft Resource Center (ITRC) – a non-profit organization that provides support to identity theft victims – reported 277 medical/health care data breaches occurred in 2015, involving more than 112 million records. And, 2016 is off to a comparatively dismal start. As of this writing in May, the ITRC had reported 114 medical/health care data breaches, including nearly four million records, accounting for 34.6 percent of all records breached across five categories (banking/credit/financial, business, educational, government/military and medical/healthcare). Hospitals and health systems face the daunting challenge of combating a seemingly unstoppable and growing cyber threat to their patients' medical records.

Protecting Patient Data by Removing Sensitive Data and Improving Overall Data Quality
While security measures alone can't prevent data breaches with 100 percent certainty, one technique to protect patient identities is removing sensitive data altogether to decrease the risk footprint. Replacing Social Security numbers (SSNs) with a non-sensitive identifier renders the information stored in the medical identity less valuable to the criminal who steals it. LexisNexis Risk Solutions has developed a proprietary and patented method of linking and clustering records that links each record in an individual's data profile to a nationwide identifier called LexID®. Each LexID® corresponds to a single unique identity in the United States.

LexID® is more secure than an SSN because it is not created through some combination of traits associated with the identity, is not created in a patterned sequence and is not widely used as an identifier to validate identities in transactions across many industries. The SSN is about as ubiquitous as an identifier can be, and this makes it inherently less secure. Fraudsters simply can't present a LexID® and expect to open up a financially-oriented account.

Health care providers may perceive risk to their patient matching operations among internal systems or with information exchange partners if the SSN isn't present. As a nationwide attribute, LexID® can be used in lieu of the SSN to help ensure patient matching isn't degraded when SSNs are deleted from repositories. Where SSNs are used as all or a portion of a health insurance policy identifier, it may not be possible to remove them, and yet even in those cases, health care providers can reduce access to and utilization of that subset of SSNs to a smaller and more highly monitored group of users. While LexID® is not a panacea, the ability to reduce a breach risk footprint has significant value and is another technique providers can use to thwart the growing threats of identity theft.
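The data-minimization step described above, as an added Python example that is not part of the original article and is not how LexID® works: it drops the SSN from each record, assigns a random surrogate key, moves policy identifiers that embed the SSN into a separate restricted store, and then checks that nothing SSN-shaped remains in the general store. The field names `ssn`, `policy_id` and `patient_id` are assumptions, and a locally generated surrogate only replaces the SSN as a record key inside one organization; it does no cross-organization matching.

```python
import re
import secrets
import string

# SSN-shaped run of 9 digits (optionally dashed), not part of a longer number.
SSN_SHAPE = re.compile(r"(?<!\d)\d{3}-?\d{2}-?\d{4}(?!\d)")

def digits(value):
    """Strip everything except digits so dashed and undashed forms compare equal."""
    return re.sub(r"\D", "", value or "")

def new_patient_id():
    # Random letters only: not derived from patient traits, not sequential,
    # and never SSN-shaped itself.
    return "".join(secrets.choice(string.ascii_uppercase) for _ in range(16))

def minimize(records):
    """Return (general_store, restricted_vault) without mutating the input."""
    general, vault = [], {}
    for rec in records:
        out = dict(rec)
        ssn = digits(out.pop("ssn", ""))
        pid = out["patient_id"] = new_patient_id()
        if ssn and ssn in digits(out.get("policy_id")):
            # The policy ID embeds the SSN, so it cannot simply be deleted:
            # move it to a separately access-controlled, monitored store.
            vault[pid] = {"policy_id": out.pop("policy_id")}
        general.append(out)
    return general, vault

def residual_ssns(records):
    """List (record index, field) pairs whose value still looks like an SSN."""
    return [(i, k) for i, rec in enumerate(records)
            for k, v in rec.items()
            if isinstance(v, str) and SSN_SHAPE.search(v)]

# Constructed sample data; area number 000 is never issued as a real SSN.
SAMPLE = [
    {"name": "Ana Diaz", "ssn": "000-12-3456", "policy_id": "GRP-77120"},
    {"name": "Lee Wong", "ssn": "000-98-7654", "policy_id": "000987654A"},
]

if __name__ == "__main__":
    general, vault = minimize(SAMPLE)
    print("before:", residual_ssns(SAMPLE))
    print("after: ", residual_ssns(general), "| vault entries:", len(vault))
```

Running `residual_ssns` over the general store on a schedule also catches SSNs that creep back in through free-text or imported fields.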

Reducing reliance on SSNs also magnifies the importance of capturing and maintaining solid patient identity attributes to ensure accurate patient matching. Techniques used at registration, like using identity verification applications to ensure accurate and complete data is captured and also to protect against fake identities, can help safeguard the downstream matching processes. Making sure that applications can store complete first, middle and last names and having automated methods to standardize the format of addresses can go a long way to helping matching algorithms work their best.

For hospitals and health systems that want to avoid the identity theft risks associated with storing more SSNs than absolutely necessary – and for those that want to improve their patient matching operations – LexID® and high quality identity attributes can help minimize risk and strengthen patient matching operations.

In addition to regulations like HIPAA that put in place certain safeguards for patient information, patients and their communities expect health care providers to safeguard their data. Because hackers and cyber criminals are successfully breaching hospitals and health systems to steal patient information, it is incumbent upon these organizations to rethink their approach to solving the cybersecurity problem. By replacing sensitive and valuable data like the SSN with a unique, nationwide identifier like LexID®, the value of the patient's remaining stored personally identifiable information is significantly reduced, even if stolen. Now is the time for hospitals and health systems to act by protecting patient data and reducing their risk footprint – before they are breached.


The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.
