It’s hard to believe that a stolen medical record can be worth more than five times someone’s credit information on the black market. This is because personal information cannot be changed and can go a lot further: names, birthdays, SSNs, and addresses can all be used for identity theft, healthcare fraud, and various other crimes. This week, healthcare IT leaders participated in Politico’s health IT advisory forum to discuss how the industry can ensure security at an affordable level. Cybercriminals have begun to focus on hospitals and other healthcare organizations, especially given the healthcare industry’s notoriously poor reputation on cybersecurity, as more than 100 million Americans have had their medical data breached in the past year. This raises the question: who’s to blame?
Among healthcare insiders, different perspectives tend to drive the blame: hospital leaders often focus on security holes within their organization, while vendors tend to focus on external cyberattacks. However, the real blame can be attributed to the human element. “I have overseen security for many organizations and at the end of the day the most common root cause to any of our failures related to people,” said an executive at the forum. “People are your first and last line of defense.” Another vendor executive added, “The biggest cause of data breaches in health care remains bad data hygiene on the part of users of health data systems.” As a result, the focus on better cybersecurity practices should start at the front line. Hospitals and other health care organizations must first put more emphasis on training their employees to think before clicking the mouse. However, human error is not the only culprit; others blame the government. Multiple panelists at the forum expressed concern that Congress and other lawmakers lack cybersecurity knowledge, that outdated regulations bog the industry down, and that the government needs to protect health care organizations and work better with industry firms rather than attacking them to score political points. While progress needs to be made on many levels, including employee IT training, better cybersecurity systems and practices, and an appropriate amount of government assistance, it is clear that cybercriminals will not stop until there is nothing left to steal.