That path leads straight to medical records.
Despite credit card companies finally imposing semi-mandatory card and card-reader upgrades to integrate EMV chips, the October 1 deadline ended up coming and going without much change in the standards of earlier adopters — who had already distributed EMV chip cards — and those who remained behind the security curve.
This poorly disguised vulnerability is what distinguishes a soft target: victims are prone, often unaware of their exposure, and represent a major criminal opportunity for even unsophisticated identity thieves or hackers.
Credit card companies compelled merchants and partners to begin incorporating EMV chips into cards in part because of their recognition that, compared with the rest of the post-cash world, the U.S. was significantly behind in terms of security standards and infrastructure. Although the roll-out has been slow (the October deadline was largely ignored or postponed by retailers looking to avoid any disruption of holiday shopping), the transition does mean more attention on financial security, and how technology and human behavior overlap.
A similar awareness is crawling across the U.S. healthcare landscape, as facilities and executives struggle to upgrade not just their hardware, but the operating procedures and guidelines for use that manage how people behave around sensitive data.
Health records combine a sweeping array of personal information (everything from Social Security numbers to biometrics, occupational data, and residential addresses) alongside detailed financial information (payment information including checking, banking, and credit accounts are increasingly incorporated as a result of integrated insurance and billing within the EHRs).
This information — especially in its current digital form — is more complete than what thieves typically get from credit cards, and thus provides greater potential value as a target.
Even after more than 110 million (documented) breaches of sensitive health data over the course of 2015 alone, this neglect looks poised to continue.
The same features of EHRs that make them more robust and efficient healthcare tools also make them a goldmine for identity thieves. But it isn’t just the nature of the documents that makes them so vulnerable — it is the ecosystem in which they are being created, maintained, and exchanged.
For one thing, a generation of strictly analog doctors are frequently ignorant of more modern, digital security measures they need to take. A lock on the filing cabinet doesn’t have a simple virtual equivalent that digital immigrants can easily apply out of habit.
With the rushed, disorganized push of the HITECH Act and Meaningful Use program to get U.S. hospitals onto digital Electronic Health Record (EHR) platforms, it has been common for the technology to go into use before appropriate training could be provided to the full range of end-users. Not only has this delayed realization of the full potential of the new EHR platforms, it has left security very much out of the equation.
The complexity of digital records systems new and old pose a significant learning curve for already overburdened healthcare professionals. But at an institutional level, it is still common for there to be a lack of clear standards and protocols mitigating human error and dictating behavior with respect to security entirely.
At an even higher level, there has not been a great deal of enforcement following major data breaches in the healthcare sector. Whether security is compromised internally or through an external hacking attack, federal watchdogs have by and large been more forceful in word than in deed. Threats are common, warnings are dire, but actual fines and penalties are rare.
Then there is the confounding issue of interoperability. Essentially, the mechanism that drove widespread adoption of EHRs didn’t fully account for the variation that existed among the various developers and enterprise EHR providers, and which ended up disrupting the sharing and exchange of records between their users.
The lack of a seamless exchange, along with the tendency to treat health records as proprietary to the originating care provider (as opposed to the property of the relevant patient under the stewardship of the provider) has made the digital records every bit as siloed and segregated as their paper-and-ink predecessors.
In the meantime, this confusion around mobility obscures the security measures put in place to guard the data where it lives.
Between EHRs and EMVs, the U.S. has put the burden of securing its data on technology without changing public behavior. Until that changes, 2016 is set to be another banner year for hackers and identity thieves.