IN THE NEWS: Stakes Are Rising for Protection of Valuable Health Data
With criminal networks prioritizing the acquisition of medical records above other kinds of data - even financial - the stakes are rising for health care systems working with thousands of small vendors and complex, aging technology.
Literally millions of patient records have been stolen over the past few years. Even giant insurers such as Anthem have been victimized.
The estimated total payouts and accumulated financial losses cost organizations over $5 billion in 2017, up from $1 billion in 2016, according to a report by the Coker Group, a healthcare consulting firm headquartered in Alpharetta.
The black market values patient medical records 10 to 40 times higher than credit card and Social Security Administration data, according to a variety of reports over the past few years.
Patient medical records contain not only social security numbers and personally identifying information, but sensitive medical information that could be used to blackmail individuals even years afterwards, according to Michele Madison, an attorney with Morris Manning & Martin LLP and chair of the Technology Association of Georgia's Digital Health Society.
“It's an area that (health system) boards have to really be focused on and deploy resources to deal with it,” Madison said.
The federally mandated switch to electronic medical records allowed hackers the potential to access those records through the Internet. Hackers can attack an electronic health record system from the outside by “spoofing” an EHR client into accepting the access as legitimate. The intruder can then intercept messages between EHR systems and patients with a “man in the middle” attack.
Ransomware attacks have also become more common. This type of malicious software takes control and locks down a computer. Its senders then threaten to publish the victim's data or block access to it unless a ransom is paid. More advanced malware can encrypt files, making them inaccessible even to cybersecurity experts.
One of the most notable of these attacks was the “WannaCry” ransomware worm that spread rapidly across a number of computer networks in May 2017.
Some attacks such as the massive breach at insurer Anthem, which involved 78.8 million patient records, were sponsored by foreign governments. Other attacks have been much closer to home - including internal employees who have access to and knowledge of VIPs, as well as ordinary patients.
Hospital executives have become increasingly concerned about the damage that can be done to their organizations when hackers gain access to clinical, financial, enterprise resource planning or accounting platforms. Criminals “could get in there and really see a lot of information, but also affect some changes in that information,” said Brian Symonds, a partner withTrustPoint Solutions, a healthcare IT services company in Suwanee.
Hackers can take control of unsecured computer systems, change encryption keys, and extort hospitals to restore access to the systems. This type of attack, known as ransomware, is particularly effective against hospitals who need real-time access to patient data for critical operations and so must pay up.
Hospitals have launched a host of measures to protect against hacking, ranging from improved technology to better education of employees about cybersecurity and the role they can play in protecting the organization. They upgrade encryption and launch strategic scrambling of personal health information, known as "deidentification.”
“It wouldn't be unheard-of for an existing employee to be able to snoop and obtain information depending on the level of access they had,” said Symonds.
Organizations are increasing looking at cybersecurity as an issue demanding the attention of the highest levels of leadership.
“It’s definitely a concern,” said Monique Hart, executive director of Information Security at Piedmont Healthcare, an Atlanta-based hospital system. “At Piedmont, it is one of our top priorities. Our board takes it seriously and we have support from the very top.”
Symonds notes that cybersecurity is an organization issue "that needs to be addressed holistically. It requires the privacy team, the compliance team, the legal team, clinical leadership, executive leadership, HR - everybody has really got a role to play in this," he said. "Those organizations that have put the appropriate governance and structure in place around decision-making and prioritization around these efforts and the funding of (cybersecurity) are the ones who are going to be the most successful going forward.”
Training employees to recognize risks and avoid those risks is a key to cybersecurity success in any organization. Continuing education programs cover issues including increasingly sophisticated phishing scams, or typically fraudulent email messages that appear to come from legitimate sources.
In addition to securing their own systems, health organizations are looking more closely at the vendors they use. A large number of organizations including health systems now store much of their critical data in the cloud rather than on onsite servers. Electronic health records are accessed as SaaS (software as a service) rather than from computer systems based in the hospital.
“These organizations have access to a lot of data,” said Cliff Baker, firm leader of Atlanta-based CORL Technologies, which provides vendor security risk management for large health systems. “They support a lot of critical operations and if they have a breach, the exposure is very high in terms of the data loss or loss of critical operations of the health systems.”
Large health system may use as many as 2,000 to 4,000 vendors, with more than half of those being smaller organizations, according to Baker.
“These companies sometimes just don't have the resource capacity to keep up with the security threats and exposures that are out there today,” he said. “They are the weak link for the health systems.”
Another danger for health systems is older and legacy applications they still use.
“Some of the systems can be very old systems that have not been upgraded to the latest security standards,” said Nadia Fahim-Koster, managing director and director of IT Risk Management at Meditology Services, which has offices in five cities including Atlanta. “Some of the systems are so old they’re not capable of being upgraded or the vendors have just not been forced yet to upgrade the systems to be up to speed with security standards.”
“Security is not something that's just a one-time, 'Here you go, here's the record protection you need,'” said Madison. “It's continuous because people are constantly trying to hack in, so you're constantly having to review your security policies and procedures.”
The original Atlanta Business Chronicle article can be found here.