Good morning! I hope everyone had a restful and peaceful holiday.
I found this article from the WSJ to be interesting for two reasons and I wanted to share them with you and then get feedback.
The article covers the value of health information in addition to or combined with traditional identity theft involving your social security number or financial information. The article states that the going rate for a health record has risen to a range of $500-$1000. I say risen because I have been giving a presentation regarding record breach for quite some time and have been giving a slightly lower range of $300-$500 per record. I found this interesting because the article also states that health information breach has become increasingly problematic over the past few years (which I think anecdotally we all know). However, the rate for records has increased, not decreased. I only say this because we are living in a unique time where the number of records flooding the "market" is higher than ever but they are still demanding a premium for sale. Eventually, as with traditional identity theft, I would expect the market price per record to fall (because of supply).
Another interesting problem the article covers is the length of time health information breaches can take to clean up or even detect. Nightmare scenarios involving insurance fraud, denial of claims due to suspicious activity, spear phishing or pharmaceutical fraud are anxiety inducing.
OK, the second point I wanted to draw attention to and get feedback on is the security/regulation implications. The article states that companies are spending more on security and personnel than ever and that regulators are tightening restrictions and considering tougher standards moving forward. Both of which I think are a net positive for the security of patient information. I have been speaking with clients for the past two years about increasing regulation in our industry being inevitable.
What are your thoughts on the need for regulation to create buy-in on security standards?
How far is too far, and what would a solid first step look like for the SMB space regarding security standards?