Health Care Targeted

Stealing medical records can be profitable for hackers, says Lee Barrett, executive director of the Electronic Healthcare Network Accreditation Commission.

Why are hackers targeting health-care companies?

Individual patient records are loaded with private data that can be used for medical fraud, including buying drugs for resale and submitting false claims. We’re not just talking about financial data, but also the details of patient diagnoses, treatment plans, and medications. Some estimates place the value of this information at US$5 per patient record compared to US$1 per credit card record because patient records not only specifically link this medical information to a patient identity, but also the theft is often not immediately identified like credit card fraud can be by financial institutions.

How can internal auditors help boards turn their growing concern about cybersecurity into concrete action?

A major data security breach can have a deep and lasting impact on the future viability of an organization. Internal auditors need to discuss with their boards not only the cost to recover from such an exposure — including loss of business and prospective fines/penalties from the U.S. Office for Civil Rights — but also the reputational risk from these types of incidents. They need to know what actions can be managed internally and when a third-party review is needed to objectively evaluate an organization's policies, procedures, controls, risk assessment, and intrusion detection. Third-party reviews can also be valuable in assessing and auditing physical sites where protected health information is stored or exchanged. This includes both covered entities and business associates such as offshore and cloud service providers.
