D'Arcy Gue

The “Year of the Healthcare Hack” and UCLA

July 20, 2015

Healthcare Industry, HIPAA & Security

It is just over a year since the FBI issued a special warning to healthcare organizations that they should prepare for a strong increase in cyberattacks. Since then, in the wake of several new blockbuster HIPAA security breaches, 2015 has been dubbed the “Year of the Healthcare Hack” by concerned security experts hoping to add weight to the FBI warning. The latest security breach, just announced by UCLA Health System — among the “most wired” health organizations in the USA — underscores just how much cyber danger faces healthcare. Here’s why.

It should come as no surprise that UCLA Health System has announced the fourth biggest HIPAA security breach ever. On Friday it notified 4.5 million patients across four hospitals that their protected health information and Social Security numbers had been compromised by hackers.

The healthcare industry’s painful cyberattack record thus far in 2015 includes the January hacker attack against Premera Blue Cross, which compromised the financial and medical data of 11 million members, and the Anthem cyberattack reported in February, when nearly 80 million members and employees were similarly affected. CareFirst announced a major hacking incident in May that exposed information of approximately 1.1 million consumers.

This series of mega attacks appears to confirm the worst fears of security experts that a new era of sophisticated cyberthreats targeting healthcare is here. For naysayers who would protest that four heavily press-reported incidents do not make an era, read the fine print in UCLA’s press release Friday: “In today’s information security environment, large, high-profile organizations such as UCLA Health are under near-constant attack. UCLA Health identifies and blocks millions of known hacker attempts each year.”

Security breaches in healthcare organizations are not new, of course. Protected health data of nearly a third of the U.S. population — more than 120 million people — has been compromised in over 1,100 security breaches since 2009, according to the Department of Health and Human Services. However, most security incidents in the past were caused by physical security mistakes like lost or stolen laptops — not sophisticated cyber attacks on networks. Verizon’s 2014 Data Breach Investigations Report found that less than 1% of healthcare security incidents in 2013 were due to cyber-espionage. For example, the same UCLA hospital system reeling today from its massive network hack also reported a security breach in 2011 — but that one was caused by a laptop theft from a former employee’s home.

The recent Health Care’s Most Wired survey claims that today’s most technologically advanced hospitals are aware of their increased security risks and are taking strong steps to mitigate them. The 17th annual survey, released on July 9 by the American Hospital Association (AHA) and the American College of Healthcare Executives (ACHE), reported that “Hospitals are taking more aggressive privacy and security measures to protect and safeguard patient data. Top growth areas in security among this year’s Most Wired organizations include privacy audit systems, provisioning systems, data loss prevention, single sign-on and identity management.” Ironically, UCLA Health has been on the Most Wired list for three years. This fact is worrisome (an understatement at best).

What about average healthcare organizations that may not be among the “most wired”? It appears that they are at enormous risk. It is just a matter of time before hackers descend upon lower-profile hospitals with less protected IT systems, if they aren’t already doing so. A recent survey by the Healthcare Information and Management Systems Society (HIMSS) of nearly 300 health IT executives showed that two-thirds had experienced a “significant” data security breach during the past year. Forty-two percent of respondents believed there are “too many emerging and new threats to track.” According to the report, the top two barriers to mitigating cybersecurity risks were “a lack of appropriate personnel,” cited by 64%, and a lack of financial resources, cited by 60%. Most respondents said that the “security tools currently available to them are insufficient to protect against the security threats and vulnerabilities” facing them.

The reasons for hackers’ strong new emphasis on healthcare organizations are many and complex. Detailing them is beyond the scope of this blog post, but briefly, key reasons for increased cyberthreats in healthcare include:

  • Reduced potential for credit card fraud, which is causing hackers to look elsewhere for inventory to sell on the lucrative black market. Credit card companies’ security improvements, including adoption of chip-and-PIN compatible payment requirements, are decreasing hackers’ formerly easy access to credit card information.
  • The rise of electronic health records, without sufficient improvements in security measures. With the increased electronic availability of patient information created by EHRs, security experts are concerned that many EHR vendors have not incorporated adequate security protections to thwart determined hackers. At the same time, investing in healthcare network and storage systems security upgrades has often taken a back seat to hospitals’ rushed efforts to meet Meaningful Use / MIPS deadlines.
  • Attractiveness of personal healthcare information. Personal information held by U.S. insurers and hospitals commands high prices on the underground market, and has many uses including identity theft, Medicare fraud, illegal drug purchases, and more. Unlike credit card theft, which is often discovered early and leads to quick card cancellations, healthcare information theft often takes months to discover.
  • Healthcare continues to be more ill-prepared for cyber attacks than any other industry. According to the FBI in April 2014, healthcare has “the highest volume of threats and the slowest response time” of any industry.

The healthcare industry must make data security central to how it manages its information systems and protected health data. The industry is rife with examples of hospitals that have not completed independent security assessments in years — including organizations that have experienced data breaches. Despite growing concerns expressed by CIOs and IT Directors, we’ve seen little interest among CFOs and CEOs in making security investments. Healthcare quality and patient welfare have become increasingly victimized by concerns for ROI.

We have written frequently on the security risks within hospitals, and ways to mitigate them. The first step is to perform an objective analysis of existing strengths and weaknesses, with the goal of determining how to prevent breaches. Our Tom Grove wrote an excellent post on this subject recently; we recommend that you read it.

To discuss how we can help you develop an effective, sustainable cybersecurity program, contact us.
