As more medical records go online, government scrutiny lags

In the wake of the massive security breach at health-insurance provider Anthem, there's concern the health care sector is increasingly vulnerable to hacks because the industry has been transitioning from paper to digital records.

"Digitized health records are jet fuel for medical identity theft," said Pam Dixon, a researcher of medical data breaches for the World Privacy Forum.

She's concerned the federal government's $26 billion investment in electronic health records is not secure.

"The healthcare system built a digital record system without building the corresponding privacy-security safeguards," said Dixon.

Federal law requires medical providers to protect patient data, but the Department of Health and Human Services admits -- to date -- it has audited only 115 healthcare providers out of an estimated 700,000.

HHS reports it has performed 115 audits to ensure healthcare companies are adequately protecting patient data
CBS News

That comes as a recent survey of health care professionals found 45 percent fear their organizations have not properly implemented security measures. And healthcare data breaches continue to rise, from 86 in 2011 to 333 last year, prompting the FBI to issue two warnings to the healthcare industry.

"There is a sense a medical record has value, that it can be sold for 50 or 100 times more than credit card data so that organized criminal organizations are attacking healthcare institutions," said Dr. John Halamka, the chief technology officer at Beth Israel Deaconess Medical Center in Boston.

The medical center has increased spending on security after a breach two years ago. He showed us one of the highly secure data centers.

Dr. John Halamka, left, talks to CBS News' Kris Van Cleave
CBS News

"Although more dollars are being spent on security, it's true that in general healthcare has under-invested in IT as an industry," Dr. Halamka told me. "The medical industry has catch-up to do."

We've also found that when the federal government does take action against a provider with weak cybersecurity, it's often after a breach. HHS tells us they've reached 14 settlements with providers for $15 million.