Data thieves are getting craftier with their methods, and they are actively targeting healthcare records.
To criminals, your practice's most valuable asset isn't a high-tech medical device or a pricey piece of diagnostic equipment. It's your patient records.
Those records are the asset most vulnerable to theft, too.
What does that mean for physicians? Plenty. In an increasingly interconnected industry, an attack on one could affect many. Every player in the system, from the largest hospital system down to rural solo practitioners, is facing a heightened risk.
"There could be a consequence upstream if there's a breach. A breakage or disruption at one site can have that cascading effect," says Lee Kim, JD, FHIMSS, director of privacy and security at the Healthcare Information and Management Systems Society, a nonprofit organization focused on improving healthcare through information technology.
Consider the findings from the Ponemon Institute, a public policy think tank. Its recent report, "The State of Cybersecurity in Healthcare Organizations in 2016," found that the 535 healthcare organizations surveyed averaged almost one cyberattack per month over the past 12 months. Moreover, 48% of the IT and IT security practitioners polled said that their organizations experienced an incident involving the loss or exposure of patient information during those same 12 months.
Perhaps more telling is how respondents, who come from various healthcare organizations and government agencies, feel about their ability to protect and respond: Just one-third said they'd rate the cybersecurity at their organization as very effective.
A more chilling observation comes from the Institute for Critical Infrastructure Technology and its report, Hacking Healthcare IT in 2016. It pegged the industry as the most targeted by, yet least prepared for, cybersecurity threats.
The impact of the healthcare industry's cybersecurity stance is significant: According to the Office for Civil Rights (OCR), 2015 saw 253 healthcare data breaches affecting 500 or more individuals each. Together, those breaches affected more than 112 million records. Meanwhile, the Bitglass 2016 Healthcare Breach Report found that one in three Americans has been the victim of a healthcare data breach.
Tom Stafford, PMP, vice president and CIO of Halifax Health, a hospital system headquartered in Port Orange, Florida, says the recent rash of cyberattacks against healthcare institutions is prompting executives, including board members, upper management, IT leaders and cybersecurity experts, to put even more attention on security measures.
"It is amazing how much the waves of attacks have increased ... but we should have all seen this coming. There have been enough discussions around cybersecurity in the past few years. So it was just a matter of time before hackers came after healthcare," he says.
The cybersecurity threats impacting the healthcare sector aren't much different than the ones affecting other industries. In nearly all cases, the cyber criminals are looking to make money, says Mark Ford, CISSP, principal at Deloitte & Touche LLP and Life Sciences & Health Care Cyber Risk Services leader with Deloitte Advisory.
The February attack on Hollywood Presbyterian Medical Center is a case in point. Hackers used malware to lock up the institution's computers and then demanded 40 bitcoin, about $17,000, to free the system. (The hospital paid the ransom.)
Although ransom attacks are making news now, cybercriminals are much more likely to go after the data that computer systems hold, just as they do when attacking stores, financial institutions and other types of businesses, Ford and others say.
However, hackers attacking healthcare aren't after credit card numbers; they're looking for data-rich electronic health records (EHRs), security and healthcare experts say. "The reality is it's profitable," Peter B. Nichol, PMP, CSSMBB, a healthcare expert with PA Consulting Group, says of these attacks.
A former chief information officer and former head of IT for Connecticut's Health Insurance Exchange, Nichol says a credit card number sells for $2 on the black market while a health record goes for $20 or more.
Credit card numbers, and other financial data such as bank account numbers, have short shelf lives on the black market. But EHRs contain multiple types of data that can be used fraudulently yet are difficult, if not impossible, to change. A typical health record has a patient's name, address, age, employer, Social Security number and spouse's information, all of which can be used for identity theft.
A typical record also includes health insurance information as well as prescription drug data, which thieves can use to seek medical care at the expense of someone else and/or obtain drugs that they can either use themselves or sell on the black market.
"Banks have such great analytics and they can spot an erroneous transaction and can in seconds notify you and shut down a stolen credit card number. And [hackers] know the bank can turn one off right away, which is the exact opposite of medical information," says Ryan Witt, who, as vice president and managing director of Healthcare Industry Practice at Fortinet, is working with the nonprofit organization WEDI to develop cybersecurity material for healthcare.
One of the challenges of this increasingly networked world is enabling necessary connections while blocking the unauthorized or dangerous ones. "It's a balance between how much you protect yourself vs. how much you're obstructing a team member," Stafford says.
Healthcare IT and cybersecurity experts say the sophistication of attacks has been increasing and that most cybercriminals aim to stay undetected for as long as possible, giving them more time to find as much data to exploit as they can.
Hackers do that by finding weak spots in computer systems. An office administrator could fall for an email phishing scheme. A doctor could unwittingly download a malicious app. A researcher could lose a laptop with a weak password and weak or no encryption. Hackers working in a waiting room could get in via an unsecured Wi-Fi connection, or they could drop USB flash drives near workstations to trick employees into thinking they're authorized for use when in fact they contain malware.
And once into a practice's system, cybercriminals may be able to go far, using it as a gateway into the vendors and partners connected to the computer system that was first hacked. "It's a real concern and not farfetched at all, this machine-to-machine type of attack," Witt says.
The consequences of a data breach range from costly to catastrophic. In its 2015 Cost of Data Breach Study: Global Analysis, the Ponemon Institute put the average cost of a healthcare breach in the United States at $398 per exposed personally identifiable record. (That's significantly higher than the $217 average per exposed record across various industry sectors.) The investigation, remediation, notification, credit monitoring and other possible costs, such as fines and legal bills, add up quickly.
"The implications to a practice are very, very significant," says Lee Barrett, executive director of the Electronic Healthcare Network Accreditation Commission (EHNAC). "When you look at stakeholder level of trust, what patients think of doctors, if their information is compromised, the patients will go somewhere else, regardless if the patient has a long-standing relationship with that doctor. The practice would have to report [the breach] to Office of Civil Rights, which can fine the practice. And it will be in the newspapers. A practice could easily go out of business."
Others see even more serious consequences, with breaches crippling an organization's ability to provide care. Ford, for example, says a hacker could launch an attack like the one that hit Hollywood Presbyterian Medical Center.
"That's really scary because that changes the game a bit. People's lives can be at stake if you lock up a system like that," he says, adding that some have voiced concerns that terrorists looking to inflict harm could carry out similar types of attacks aimed at disrupting the nation's ability to provide critical healthcare.
Think that's far-fetched? Consider the 2014 cyberattacks on Boston Children's Hospital that disrupted patient and hospital personnel access to certain files. The attack was allegedly carried out by the infamous computer hacker network known as Anonymous over a highly publicized 2013 case in which hospital officials accused the parents of a sick teenager of medical child abuse.
Many IT professionals are hesitant to talk about the cybersecurity measures they have in place or the challenges they face. As one security consultant explains: If they say they're doing well, it's like issuing a challenge to would-be hackers. If they say they need work, it's like painting a target on their systems.
Still, there's widespread agreement that the healthcare industry needs to strengthen its security measures.
"To be resilient, you need to plan and think about your controls and structure and be able to adapt quickly," Ford says. He adds that organizations must start by understanding what data they have, what they're connected to, what protections they have and what risks they face, as well as what would happen if an attack occurred.
"You have to go through some comprehensive analysis to understand what your risks are and whether you have the proper structures in place to respond," he says.
In addition to employing standard best practices such as regular cybersecurity training for staff, Barrett says he recommends that organizations hire an outsider to review and test their security strategies as well as earn an industry accreditation or certification that shows they meet cybersecurity standards.
Stafford says that among the best practices in cybersecurity is to require anyone connecting to your network, whether vendors, suppliers, insurers or medical partners, to prove that they, too, have appropriate cybersecurity measures in place.
"You have to do the due diligence, so whomever you're working with you know they're doing cybersecurity audits and risk assessments, too," he says.
Barrett, Ford and other cybersecurity experts concur, saying every organization should have in its agreements with other entities (medical facilities, vendors, insurers, etc.) provisions that specify the minimum cybersecurity measures those entities must have in place.
"The industry is putting the onus on those who have data to do their due diligence and make sure their systems are secure," Ford says.