It seems like every day we hear about new data breaches, some of which aren't discovered until months after the fact, yet there's a constant push to digitize more and more of our personal data so it can be accessed online. In light of an array of publicized data breaches, a new bill was introduced in Congress, the "Personal Data Protection and Breach Accountability Act of 2011." It has good intentions, seeking to make companies accountable for the data they store in hopes of improving digital security and decreasing the time it takes to respond to data breaches. Sounds good, but we're all well aware that whether it's a book, a movie or legislation, a well-crafted title alone doesn't always paint a true picture of the end result. When proposed legislation is passed without first dealing with the potentially harmful consequences that could arise, whether or not there were good intentions doesn't matter, and neither will the intent of the law.
If the highly-public attacks by the Lulz Security group of rogue hackers a few months back proved anything, it's that there's always a security risk even if you have top-of-the-line security. That organization seemed to effortlessly penetrate the security of any target it sought out, even government targets that you would think are impenetrable. Is it a good idea to make companies more accountable for data breaches? Of course. Will it solve the underlying problem of hackers wanting to get to sensitive data? Not in the least.
Technology advances continue to allow us instant access to personal data. That instant access doesn't come without high risk. A study released recently by the Digital Forensics Association shows that there have been over 806.2 million records disclosed as a result of data breaches in the past six years, as detailed in this press release: New Data Breach Study Shows Over 806.2 Million Records Disclosed, Estimated Cost of $156.7 Billion
The estimated financial damages for these disclosures are around $156.7 billion. Think about those figures for a second: 806.2 million records is well over twice the population of the United States, and $156.7 billion is over ten times the amount spent on the Detroit automakers bailout. And despite these staggering figures, we're moving full speed ahead with the digitizing of medical records and other personal data in hopes that it will save us money on healthcare and social services.
Just last week it was revealed that 20,000 patients who visited the Stanford Hospital emergency room in Palo Alto, California had their patient records available for all to see online for almost a full year.
That breach follows an August report indicating that somebody at the consulting firm Southern California Medical-Legal Consultants, which handled workers' comp information for doctors and hospitals seeking payment, overlooked crucial security steps and exposed 300,000 files (doctors' notes, patients' personal data and, in some cases, Social Security numbers), leaving the database open to indexing by search engines and ultimately leaving the records viewable by anybody who Googled them.
Last September the New York-Presbyterian Hospital and Columbia University Medical Center revealed that 6,800 patient files were leaked online, and that leak included some Social Security numbers. More health record vulnerabilities and stories like these can be found across the nation, at hospitals that in some cases don't even use basic security measures like firewalls and encryption software. Yet these same hospitals are taking billions of dollars in incentive payments from the government to transfer their paper records to digital files.
Data breaches, hackers and other cyber-criminals are a dime a dozen, and the sense of urgency in transferring all of these personal health records to digital versions is surprising given the risks involved. It's like putting cheese in a tiny little mousetrap and hoping that it will stop great big rats. If patient data is stolen it can potentially put patient lives at risk. The damage caused by medical identity theft and insurance scams can be costly and take years to repair. I worry that nobody is taking the risks seriously.
I'm not saying that access to digital health records won't eventually be useful, but until we start taking HIPAA privacy laws, medical identity theft and data security seriously, it's nothing but a liability. And there's no amount of legislation or bills with good intentions that is going to change that. Don't get me wrong: stronger consumer protection laws relating to fraud solutions are necessary, but we need to ensure that any such law is scrutinized for both the intended and the unintended consequences that may result from its passage.
The good news: Law enforcement agencies, businesses and individuals can (and should) take advantage of available training seminars and resources that raise awareness to the latest fraud trends and promote cyber security awareness.
The bad news: Hackers continue to educate themselves on new hi-tech devices and emerging technology that aids them in accessing and then selling personal data.
The reality: Laws don't stop lawbreakers. As the digitization of personal data moves forward, the need for public education and personal identity monitoring grows stronger than ever.