How the health care industry can thwart cyber thieves and protect patient records

Raj Ananthanpillai: ©Truame

Those who work in health care no doubt chose the profession because they were drawn to its primary mission – preventing and curing people’s health problems.

But one responsibility they likely did not sign on for is this: Guarding patient information from cybercriminals.

Yet, here the health care industry is in 2024, forced to address breaches that result in compromised personal information, apologetic letters to patients, and offers of free credit monitoring for those affected.

It doesn’t have to be this way, though – at least not to the degree that health care institutions are currently experiencing.

That is because one answer to this problem is reusable verifiable digital credential, which would protect both the patients and the health care companies. But before we get too far into an explanation of what a reusable verifiable digital credential is and how it works, let’s look a little further into why it is needed.

Examples are abundant. In February, Change Healthcare fell victim to a ransomware attack that put patients’ personal information at risk and caused other problems, such as temporarily disrupting prescriptions for some patients and paychecks for some medical workers. Change Healthcare, owned by UnitedHealth Group, manages health care technology pipelines. The Associated Press reported that the company processes 14 billion transactions a year, so the potential for abuse by cybercriminals was enormous.

In another chilling example, last year, hackers breached the security at HCA Healthcare, snatching the personal information of tens of millions of patients. The hackers wasted little time in offering the information for sale on a data-breach forum.

And the breaches keep rolling in, with 2023 being an especially daunting 12 months. Last year brought an all-time high for health care data compromises, according to the HIPAA Journal. The numbers: 725 data breaches of 500 or more personal information and records.

Unfortunately, the end of such breaches is not in sight. Just the opposite. With the evolution of AI technology and other online bot tools, these attacks will only get worse unless health care institutions start changing the ways they handle data.

After all, the reason criminals are so tempted to launch cyber attacks on health care institutions is the treasure trove of patients’ personally identifiable information that those institutions collect and store. The collection of some of that information is understandable. Doctors need to know a patient’s medical history, for example, to make sure they are providing the proper care.

But do they need a copy of the patient’s driver’s license? Do they need a patient’s social security number? Not really. These are just another way to verify identity and have no direct correlation to a person’s health care history. Likely, the patient has health insurance and that information is already stored in the insurance company’s records. Yet too often that information is requested along with date of birth, social security number, and other personal information, and patients dutifully provide it on forms that health care providers hand to them. And the institution that requested it now has the duty to keep it secure.

This is where change needs to happen. To protect this information from cyber-attacks in 2024 and beyond, health care institutions should consider adopting reusable verified digital credential. With this system, personal information is less likely to end up in the hands of cybercriminals, which also decreases the likelihood of people losing trust in the business.

Just what is a reusable verified digital credential?

It is a digital way for a person to prove they are who they say they are, without the need to repeatedly provide specific details. They would have no need to reveal their social security number, driver’s license number, birth certificate, or other information over and over again to a variety of government agencies and companies – including health care providers.

The consumer would have to provide their personal information one time for verification purposes when the digital credential is created. But after that, all the personal information is under their individual control and they would just present the digital ID or credential and the business or agency would know the person’s identity had already been verified. Since the specifics of social security numbers or other personal information would not have exchanged hands, the odds that cyber criminals could get their hands on the information would be greatly reduced.

So why hasn’t there been more movement toward this solution in both health care and other industries? Inertia and a lack of accountability for failing to protect information are a couple of culprits. Also, more regulatory guidance could help nudge everyone in the right direction – if, on the regulatory level, there were recommendations for ways to avoid taking in and storing the personal information that is so tempting to hackers.

Certainly, health care companies should do everything they can to protect patient information against cyberattacks, and many of them do spend large amounts of money trying to erect cyber defenses against cyber criminals. But hackers are clever and relentless and eventually break through the defenses. So the best strategy is not to have the information they seek to begin with in centralized databases. That way, when the final firewall falls, as far as the hackers are concerned, they are looking at the digital equivalent of an empty safe.

Yes, the health records would still be there, but how much value does it hold for the cybercriminal to expose the average person’s medical history?

The real danger is that these hackers could get their hands on a social security number, date of birth, or current address. That could lead to significant damage because those can be used for identity theft.

Health care companies are spending billions of dollars on data breaches, identity fraud, cyber insurance, and privacy compliance due to collecting and guarding unnecessary personal data. When such information is exposed, trust and privacy are eroded.

The health care industry will be better off when it can spend less of its time and energy on these cybersecurity concerns and focus more on its true mission of patient care.

Raj Ananthanpillai is founder and CEO of Trua (www.TruaMe.com), a technology company that has created the next generation of multi-channel and multi-modal reusable fully verified digital identity and screening solutions that ensure trust, assurance, and safety between customers and organizations.Ananthanpillai holds an M.S. in Engineering Physics and an M.S. in Electrical Engineering. In addition, he holds multiple U.S. patents and has authored two books.