Recently, CEO Anne Genge shared her insights on cyber-security in the health industry with host Eric Michaels of eHealth Radio.
Listen to the full interview here: http://ehealthradio.podbean.com
Eric Michaels: Why should the average consumer be concerned about data breaches in healthcare?
Anne Genge: I find people are surprised when they find out there’s actually over a billion stolen health records already for sale on the dark web.
Health information is some of the most sensitive details about an individual, and this includes diseases, medications, mental health, and disabilities.
Personal health information is not like a credit card that can be changed, and charges reversed; it’s some of the most potentially embarrassing information about a person, and it stays with you forever. Once it’s out there, you can’t pull it back.
EM: How many places could this healthcare information reside for a typical person?
AG: If you think about all the places you’ve filled out one of those health history forms: it could be at your doctor, dentist, or perhaps you’ve visited the emergency room of a hospital; there’s also your prescriptions at the pharmacy, and visits to the chiropractor.
Many people can list 8-12 different locations where their sensitive health information has been collected.
EM: What is it about healthcare information that makes it a target for hackers?
AG: Right now there are 2 major issues facing healthcare. Data theft is number one, because cyber criminals can make big money off selling information to the highest bidder.
A health record contains all the best details for identity theft, and can pull up to $1,000 per record on the dark web. Credit card records may only pull $1 or up to $100. So you see, they can make a lot of money off of these.
The second biggest problem, and we’ve seen lots of this lately, is something called RANSOMWARE. This is a tactic used by cyber-criminals to lock down all the data in an organization until they pay a ransom.
Hospitals and other healthcare are big targets because cyber-criminals know that maintaining access to the electronic data is literally life and death. So they’re easy organizations to put pressure on to get them to pay and unlock these files.
EM: What is one thing consumers should know about the security of their data at those offices?
AG: Sadly, if you’ve been watching the news, you will have noticed that these attacks on healthcare are becoming a growing global problem in the past couple of years.
Even large organizations, governments, and hospitals – all with huge budgets and large teams of security professionals – can’t seem to keep our information safe.
Now imagine how much worse it is in a smaller healthcare environment, like dentists and physicians, who have smaller budgets and less access to those cyber security tools and people.
And yet, they still need to protect our health data with the same vigour as the big-budget guys, because they collect all the same information that needs protecting. It’s a big problem that needs fixing.
EM: If healthcare practitioners don’t have the right level of security in their offices, where does that leave us, the patient?
AG: Obviously, I’m a stakeholder in cyber-security, but I’m also a patient, like most listeners, and I’m a parent. In this capacity, especially, I’m gravely concerned.
If we think about that statistic that I talked about earlier: over 1 billion records already breached and for sale by cyber-criminals, that means that 1/8 of the population is already exposed.
That’s a lot of personal details floating around for public consumption, and most certainly will have grave consequences for many individuals…when it comes to future employment, relationships (people sometimes disclose personal details about another person), families, insurability (insurance companies would surely be very interested in what’s in those files).
EM: If the healthcare industry is simply not prepared for the challenges they face in data security, what can the consumer do?
AG: Consumer awareness needs to continue, and we need to put pressure on healthcare and other businesses collecting our data. We need to ask more questions.
Ask to speak to the privacy officer – this is your legal right. Ask them what they’re doing to ensure your information isn’t being accessed by the wrong people or other unauthorized personnel. Ask what they specifically do in their office to ensure your medical records aren’t lost or stolen. According to law, there needs to be someone in charge of that in their organization.
There was a terrible case in California in September in a medical practice, which is now going completely out of business. They had ransomware and didn’t have an uninfected backup copy of their records. First off, that’s a reportable breach, but then consider that almost 6,000 people have lost their entire medical records. Most people don’t have those or carry them around.
This huge problem needs to be fixed, and there needs to be more awareness in these businesses and amongst the healthcare professionals who are collecting this information.
I’d love for the general public, consumers in healthcare, and anyone else to start poking the bear! I’d love to see them asking a lot more questions, and being advocates for the safety of their own information.
EM: Do you have any parting information, or a pro tip you want to share?
AG: In that same advocacy zone: for consumers or patients who are concerned about how businesses, governments, and healthcare organizations should handle their data…they can find out more by contacting the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.
I encourage them to learn more about what organizations are legally bound to do to protect our information. Why should they safeguard it? What’s the difference between safeguarding financial and privacy information, and why you need both? Learn what you’re legally entitled to as a Canadian Citizen.