An opportunity for proactive cyber defense
Many people may not realize it, but the health care sector is the fourth most targeted industry segment when it comes to cyberattacks.
Many people may not realize it, but the health care sector is the fourth most targeted industry segment when it comes to cyberattacks. The reason for this growing problem becomes clear when you examine the details of medical identity theft. Research has indicated that a stolen medical identity has a current street value of $50. Now compare that to the current street value of stolen credit card data that is about $1.50 per data set in that same period of time.
One 2010 study found that 1.42 million Americans were victims of medical identity theft with an annual loss of more than $40 billion. This figure is at least partially driven by the fact that nearly 60 percent of those surveyed say they don't ever check their medical records for fraud, according to one published study.
The Defense Department, in conjunction with the Veterans Administration, recently announced it would be accelerating its implementation of its Integrated Electronic Health Record (iEHR) system. When you combine these two efforts, it will produce the largest EHR system in the world.
The iEHR will serve 9.7 million military personnel through 59 military hospitals and 7.8 million veterans through 152 VA hospitals. As you can guess, cyber attackers will undoubtedly consider this a target-rich-environment with an estimated street value of over $800 million (based on the above metrics).
An even greater expense is the cost to resolve instances of medical identity theft. A 2012 survey revealed that, on average, an estimated 2 million Americans become victims of medical identity theft each and every year, with a mean value of roughly $41 billion. This represents a jump from the $30.9 billion estimated in 2011. The per instance cost also increase to $22,346 from $20,663 in 2011.
The DOD and the VA have the opportunity to get ahead of the curve and be proactive rather than the standard approach of being reactive on cybersecurity. They can build cybersecurity into this system rather than trying to bolt it on after the system is complete and nearing operation. They can take an aggressive cyber defense posture and even deliver the cybersecurity awareness training for all the users (patients as well as health care providers and IT staff) that will be accessing and managing the iEHR data.