Are your medical records safe?  This might be one of the questions you ask your doctor the next time you go in for a checkup.  In the past several months, the security risks faced by hospitals and medical clinics have been brought to light by high-profile cyber-attacks and the revelation that hospital equipment may be susceptible to attack.  It’s common knowledge that hackers are a constant threat to online security and privacy, but what happens when something such as patient records, which should only be seen by a very few select individuals, can be easily accessed by outsiders?

Medical Information is the Black Market Gold Mine

Earlier this month, Banner Health said that hackers gained unauthorized access to millions of patient, physician, and other records. One-fifth of the victims suffered a decrease in their credit score, and a third lost their health insurance completely.

So why is this happening so much more often?

Between 2010 and 2013, nearly 950 data breaches of protected health information were reported, involving roughly 29 million records. Medical information is 20 times more valuable than financial data on the black market, simply because it contains so much more personal information in one place: clinical records, bank account numbers, Social Security numbers, and birth dates.

A recent survey of 119 acute care facilities (hospitals and health care systems) and 31 non-acute care providers (doctor’s offices, mental health facilities, and outpatient care) found that 32 percent of acute care facilities and 52 percent of non-acute providers do not encrypt data in transit, and that 39 percent of acute care facilities and 52 percent of non-acute providers do not encrypt data at rest.

Without encryption, your data is far more exposed. Unencrypted stored data is vulnerable to physical loss: if a computer, laptop, thumb drive, or backup is stolen, whoever holds the device can read everything on it. Unencrypted data in transit is vulnerable to eavesdropping and packet sniffing anywhere along the network path. Stolen records also enable medical identity theft: if someone uses your identity to obtain care, their health information can end up mixed into your medical record, which can affect your own treatment through prescription errors or incorrect diagnoses. And across the board, the providers in the survey ranked ransomware as their top “future threat,” for good reason: ransomware can shut down an entire hospital’s computer systems for weeks, until the systems are rebuilt from backups or the hospital agrees to pay the ransom.
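To make the encryption-at-rest point concrete, here is an added example (not code from the article or from any of the providers it discusses) showing what "encrypted at rest" buys you when a device walks out the door. It uses AES-256-GCM from Go's standard library, and assumes a hypothetical design in which the data-encryption key is held off the device (in a KMS, HSM, or OS keystore) so that only ciphertext ever sits on the laptop, thumb drive, or backup. The sample record is constructed, not real patient data. Beyond plain secrecy, the example binds the record identifier as associated data and shows that a wrong key, a flipped byte, or a ciphertext moved into another patient's file is rejected rather than decrypted into garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a random 256-bit data-encryption key. In this hypothetical
// design the key lives in a KMS/HSM or OS keystore, never on the same laptop,
// thumb drive or backup medium as the ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newAEAD builds an AES-256-GCM cipher; GCM gives confidentiality and an
// integrity tag in one primitive.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts one record and returns nonce || ciphertext || tag.
// recordID is bound as associated data, so a ciphertext copied into another
// patient's file fails to authenticate even though the key is the same.
func SealRecord(key, recordID, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, recordID), nil
}

// OpenRecord decrypts and authenticates a blob produced by SealRecord.
// A wrong key, a modified byte, or a mismatched recordID yields an error,
// never silently corrupted plaintext.
func OpenRecord(key, recordID, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], recordID)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte(`{"name":"Jane Doe","dob":"1970-01-01","ssn":"000-00-0000","dx":"E11.9"}`)
	id := []byte("record-42")

	blob, err := SealRecord(key, id, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("what a thief sees on the stolen device: %x\n", blob)

	got, err := OpenRecord(key, id, blob)
	fmt.Printf("with the off-device key: %s (err=%v)\n", got, err)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the stored blob
	_, err = OpenRecord(key, id, tampered)
	fmt.Printf("tampered blob rejected: err=%v\n", err)

	wrongKey, _ := NewKey()
	_, err = OpenRecord(wrongKey, id, blob)
	fmt.Printf("wrong key rejected: err=%v\n", err)

	_, err = OpenRecord(key, []byte("record-43"), blob)
	fmt.Printf("blob moved to another record rejected: err=%v\n", err)
}
```

The design choice worth noting is the separation of key and data: a stolen thumb drive holding only `blob` is useless without the key, and the authentication tag means an attacker who can write to the backup cannot quietly alter a dosage or diagnosis without the next read failing loudly.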

So What Can Hospitals, and Patients, Do?

Other than taking a step back in time to paper records, not much. Digital records and networked medical equipment are today’s reality, and while better firewalls, antivirus and anti-malware protection, and other security measures will help, the threat is going to remain. If you’re concerned about your patient records, talk to your medical provider and learn what precautions they have in place to protect you, and keep in mind the options you have to do everything in your power to protect yourself, such as:

  • Ask your doctor or healthcare office if they have a privacy officer.  If they do not have one, or don’t know what a privacy officer is, they likely aren’t HIPAA compliant, and you should consider going elsewhere. If they do have one, ask them to explain what steps they take to keep your medical records safe, so you can judge whether they have done what they reasonably can to reduce external threats.
  • Ask for an “accounting of disclosures,” which lists who has received your records. By law, you are entitled to one copy per year from each provider.
  • Share only what you have to. Don’t give your Social Security number to health care providers unless you must, and treat other identifying data, such as your date of birth and driver’s license number, the same way.