Over the next four years, the amount of personal medical information online will increase exponentially, opening up new avenues for hackers to expose personal data that, unlike financial information, can result in a permanent violation of privacy.
The U.S. Department of Health and Human Services (HHS) has set a deadline of 2015 for healthcare facilities to being using electronic health records (EHRs), thereby ushering in the digitalization of all patient information. As patient data is aggregated on health networks, it becomes a bigger target for those who want to steal it and exploit it on the Internet, experts say.
According to research firm IDC, about a quarter of all Americans -- 77 million people -- already have an EHR, up from 14% from in 2009. By 2015, IDC expects that figure to rise to 60%, spurred in large part by the Health Information Technology for Economic and Clinical Health (HITECH) Act. That measure, approved by Congress last year, included $19 billion in incentives for health care organizations to adopt EHRs.
Industry experts estimate that the amount of personal health data kept online measures in the terabytes -- and will grow to petabytes of data over the next four years.
It's not so much the quantity of information that could be a problem; it's the different sources of data, its diversity of data and the various network infrastructures on which it resides that could overwhelm the U.S. health system and pose significant risks to privacy, according to Sia Zadeh, director of business development for security software vendor Axway Inc.
According to a recent report by IDC's Health Industry Insights division, health care providers believe it will take a major security scandal to compel organizations to take security seriously.
A major health care data breach is inevitable, said Dr. William Braithwaite. He wrote portions of the Health Insurance Portability and Accountability Act of 1995 (HIPPA) and has since contributed to federal health care regulation.
"As we build EHRs, that puts more information in place, so the risk that someone will go after that information increases," said Braithwaite, now chief medical officer with security software vendor Anakam Inc.. "If we don't understand the threat model we're dealing with, we're leaving the back door open; in fact, there will be no back door because they're already in the house."
HIPAA Security Rule requirements call for data encryption where needed, as well as data access control methods such as automatic logoff. But neither would protect against sophisticated malware attacks that target applications.
Health care information is one of the trickiest types of data to exchange online -- and encrypting it won't protect against Web attacks, according to Dr. Taher Elgamal. He led the development of secure sockets layer (SSL network encryption) as the chief scientist at Netscape, and is now the chief security officer at Axway.