A report from Accenture warns that the total cost of cyber attacks on U.S. health systems could total $305 billion over the next five years.
Painting a grim picture of the near future, Accenture said that cyber attacks against health systems will affect one in every 13 patients, or 25 million people, with as many as 6 million of them becoming victims of follow-on crimes such as identity theft.
The report, released this week, used historical security breach data from the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) to project the number of patients likely to be affected by healthcare provider data breaches from 2015 through 2019.
According to OCR data, close to 1.6 million people had their medical information stolen from healthcare providers last year alone. Accenture combined that with medical identity theft data from the Ponemon Institute to estimate how many affected patients would go on to become victims of medical identity theft and, from that, quantified the patient revenue that would be put at risk (the $300 million figure).
Understanding risks and potential threats can help stave off attacks or limit the damage they cause. But healthcare organizations are ill-prepared to do so, Accenture says.
“If healthcare providers are complacent to safeguarding personal information, they’ll risk losing substantial revenues and patients as a result of medical identity theft,” said Kaveh Safavi, M.D., J.D., managing director of Accenture's global healthcare business, in a statement.
If anything, Accenture's estimates seem low. Already this year, tens of millions of U.S. residents have had information exposed in targeted attacks on healthcare organizations and third-party service providers. In May, for example, four million patients of more than 230 hospitals, doctors' offices and clinics had patient data exposed in an attack on the Fort Wayne, Indiana, firm Medical Informatics Engineering (MIE) and its NoMoreClipBoard electronic health records system, according to the Indiana Attorney General.
That breach affected 1.5 million people in Indiana alone, almost a quarter of the state's population, according to a statement by the Indiana Attorney General's Office, and hit healthcare organizations across the country, ranging from prominent hospitals to individual physicians' offices and clinics.
In February, the healthcare firm Anthem said that information on more than 78 million individuals was accessed by hackers. In March, the health insurer Premera Blue Cross said information on as many as 11 million members and employees was exposed in a breach of its network that may have lasted months.
Healthcare organizations have become far more exposed to online incidents in recent years, as generous federal subsidies have encouraged the adoption of electronic health record (EHR) systems. The federal government is now trying to encourage secure practices around EHR deployments to prevent further incidents.
As we wrote last week, new guidelines from the U.S. Department of Health and Human Services (HHS) will require healthcare providers who want to qualify for large federal subsidies for the adoption of electronic health record (EHR) technology to prove they are addressing the security risks those systems pose.
As for the $300 billion figure: that number also has to be viewed with skepticism. As this blog has noted, cost estimates for data breaches are all over the map, and there is little correlation between the size of a data breach and its cost. That is because the theft of even a small amount of the right kind of data can be very expensive while, conversely, the theft of huge quantities of other kinds of data (say, credit card numbers) might not lead to large amounts of fraud or penalties. A study of cyber insurance claim data released by the firm NetDiligence, for example, put the average cost per lost record at $964 but the median cost per lost record at just $13. And there is evidence that even that smaller number is likely off, perhaps by a factor of 10 or more. The healthcare firm Anthem has estimated the cost of its breach at closer to $100 million, slightly more than $1 for each of the 78 million records it says were exposed in the attack.
Paul F. Roberts is the Editor in Chief of The Security Ledger and Founder of The Security of Things Forum.