The value of data-centric security controls
The amount of healthcare fraud is enormous. In the United States in 2012, there was about $6 billion in payment card fraud. During the same time period, there was probably between $100 billion and $200 billion in healthcare fraud, and the U.S. government alone recovered over $4 billion in fraudulent healthcare payments.
It is hard to tell exactly how much healthcare fraud there is, as it is not always clear when an insurance claim is fraudulent. If someone bills your insurance company for four different appendectomies that they claim to have done, that is almost certainly fraud. But if someone bills an insurance company for hundreds of thousands of a particular healthcare gadget, that might be suspicious, but it might not actually be fraud.
Healthcare fraud is how cyber-criminals monetize the information that they get in data breaches of healthcare organizations. The demand for sensitive healthcare information is so great that the street price of stolen medical records is much greater than the street price of stolen credit card numbers.
Even though there is a huge amount of healthcare fraud, there are good reasons why the healthcare industry has not taken the protection of sensitive information as seriously as we might like.
Costs Versus Benefits
The decision to use any security technology is a tradeoff between costs and benefits. In the healthcare industry, those costs can actually include the loss of lives if investments are made in security technologies instead of in healthcare technologies. If you need to choose between buying a new MRI machine and software that will encrypt email, one of these options directly improves outcomes for patients while the other does not. So it is easy to understand why healthcare organizations might be reluctant to invest in additional protection of sensitive information.
The healthcare industry is a good example of what economists call the “principal-agent problem,” where the goals of one organization do not align with those of an organization that can affect the first organization in some way. The health insurance companies (the principal) want to provide high-quality healthcare at a low cost, but the healthcare providers (the agent) want to save lives. In this situation it should not be surprising if the providers are less concerned about fraud than the insurance companies are, as the providers do not pay most of the cost of the fraud; insurance companies pay.
There are other significant differences between healthcare fraud and other types of cyber-crime. Research suggests that other types of fraud, like welfare fraud and tax evasion, cost each citizen a few hundred dollars per year. That is roughly comparable to the per-person level of healthcare fraud. But while both law enforcement efforts and defenses against traditional types of fraud are good investments, because they save much more than they cost, the same is not true for cyber-crimes.
It is much harder for law enforcement officials to investigate and prosecute cyber-crime than it is for them to deal with more traditional forms of crime. This means that both data breaches of healthcare organizations and the misuse of the data obtained in those breaches are much less likely to be successfully investigated and prosecuted by law enforcement, leaving their perpetrators free to commit more data breaches and more fraud in the future.
While it can be hard to make a clear and convincing case for the use of some security technologies, one technology for which there seems to be a compelling business case is encryption. The careful cost-benefit analysis done by Kevin Soo Hoo while at Stanford University suggested that using encryption to protect sensitive data was one of the few security technologies whose use could easily be justified. Despite this, encryption is still not widely used in the healthcare industry, perhaps because of its reputation for being difficult and expensive to use.
Encrypting sensitive information is a good way to protect it from misuse by cyber-criminals, but a lot of sensitive information still is not encrypted. As the healthcare industry starts to look more seriously at using encryption, it will have one advantage that other industries did not have: those industries have recently gone through the process of encrypting their sensitive information. This has created a significant body of knowledge about what works in practice and what does not, both with encryption and with related technologies like key management. By taking advantage of this experience, the healthcare industry can save a lot of time and money.
Learn from the Experiences of Others
While the healthcare industry has been slow to adopt encryption technologies, organizations involved in processing credit and debit card transactions have spent the past 10 years learning how to protect sensitive payments information. This has not been easy. The Payment Card Industry Data Security Standard (PCI DSS) and its supporting documents have been revised more than once to reflect the lessons learned as organizations have worked to do this. What seemed impossible or impractical 10 years ago is now done on a routine basis.
The amount of healthcare fraud is huge, and encrypting sensitive healthcare information is a good way to help reduce this fraud. By taking advantage of what other industries have learned about how to encrypt sensitive information, the healthcare industry can avoid several years of headaches. And because the people who have worked through the difficulties of complying with the PCI DSS are often very willing to talk about what they learned in this process, there is no reason for people in the healthcare industry not to take advantage of what their peers in other industries already know.
The regulatory environment is strongly pushing healthcare organizations towards encrypting sensitive healthcare information. But do not reinvent the wheel when you go to implement this; it is too painful and too expensive.