ICIT report outlines ways breaches can ruin patients' lives


Healthcare executives’ “lackadaisical approach” to cybersecurity endangers the lives and futures of breach victims, who have little help or recourse for dealing with identity theft, according to a new report from the Institute for Critical Infrastructure Technology.

It looks at how healthcare information is exploited on the Dark Web, with the data often being sold multiple times. Such information also can continue to be sold for the rest of the victim’s life, the authors say in their tersely worded report, adding that "for some, such as children, this can drastically hinder their future financial stability and limit the potential lives that they could lead.”

The report lays out testimony the organization will present at a Senate hearing on Sept. 22.

Featured Webinar

Patient experience and the bottom-line impact on a practice

Practices that deliver exceptional experience often demonstrate strong financial performance and efficient operations. Join us to learn how to identify the most impactful connections between patient experience and financial performance, how to measure, track and improve patient experience as it relates to the bottom line, and identify patient experience measures that affect financial performance.

The authors also in the report write about cases where health security breaches negatively impacted individuals.

One example is a woman had a baby in Utah using the stolen medical identity of Anndorie Cromar to pay for the services. When the child was born with drugs in its system, Child Protective Services took custody of it and, assuming Cromar was a drug addict and negligent parent, went after custody of the real Anndorie Cromar’s other children. Cromar had to undergo a DNA test to remove her name from the infant’s birth certificate, and she spent years correcting her medical records.

“Once a hacker owns an EHR, they effectively own the victim,” the authors say. “Every patient record compromised from every healthcare organization has the potential to devastate and financially ruin a United States citizen.”

They say consumer protections have not kept up with the proliferation of data breaches. Meanwhile whole databases are sold through the Dark Web, usually in private, offline transactions, a practice that law enforcement struggles to stop.

The flow of data around a fragmented healthcare ecosystem also makes it vulnerable, with an HIMSS survey showing a lack of encryption of data in transit and at rest at many organizations.

It can be life-threatening if a person’s medical record is altered as criminals engage in medical identity theft--and the danger increases exponentially as the data is sold multiple times, the authors write.

Meanwhile, a new HITRUST paper urges organizations to move beyond prevention to cyber-resilience, accepting that breaches will occur and focusing on detection and response.

Suggested Articles

With large numbers of Americans skeptical of a COVID-19 vaccine, CVS views its pharmacists as playing a key role in assuaging fears, said its CEO.

The COVID-19 pandemic is driving enormous demand for virtual mental health care services. Here is how much utilization has increased during COVID-19.

The Trump administration has updated its reporting requirements for COVID-19 provider relief funds following pushback.