Data Security Breaches at Target and Neiman Marcus: Could Your Medical Practice Be Next?
Guest post by George Bailey, senior advisor, health IT/security, Purdue Healthcare Advisors.
The recent large-scale data security breaches experienced by major retailers Target Corp. and Neiman Marcus provide opportunities for learning across industries. These data breaches are painful for the companies, shareholders and, certainly, for the consumers victimized by subsequent fraudulent transactions on their financial accounts.
But once the dust settles, will these 110 million consumers suffer long-term damage to their privacy and financial security? I would argue no. Surprised? I say this because most of the attributes compromised in the Target and Neiman Marcus data breaches are short-lived items. By “short-lived,” I mean bits of information that can be changed or replaced by the consumer.
For instance, charge card numbers can be changed and accounts closed; debit card PINs can (and should) be changed; lost funds can be reimbursed; and credit scores reinstated. Now I don’t want to imply that this cleanup is easy, quick or inexpensive to do. It’s not. But looking three to five years into the future, these data breaches—just as the T.J. Maxx breach in 2007—will have little-to-no lasting effect on those compromised.
For the healthcare industry, a data breach is a quite different. A patient’s social security number (contained many times within healthcare records), medical history, psychiatric notes and sexual preference are not considered attributes that are “short-lived.” While a social security number can be changed, it’s a difficult and time-consuming process. The other data contained in a healthcare record is very sensitive, private, and cannot be re-written, as it is there to guide physicians in providing optimum care. Once sensitive electronic patient health information (ePHI) is lost, stolen or leaked to the Internet, it can spread faster than the best Facebook gossip and be cached, indexed and copied to a seemingly endless number of devices.