July 20, 2015
It is just over a year since the FBI issued a special warning to healthcare organizations that they should prepare for a strong increase in cyberattacks. Since then, in the wake of several new blockbuster HIPAA security breaches, 2015 has been coined as the “Year of the Healthcare Hack,” by concerned security experts hoping to add weight to the FBI warning. The latest security breach just announced by UCLA Health System — among the “most wired” health organizations in the USA — underscores just how much cyber danger faces healthcare. Here’s why….
It should come as no surprise that UCLA Health System has announced the fourth biggest HIPAA security breach ever. On Friday it notified 4.5 million patients across four hospitals that their protected health information and Social Security numbers had been compromised by hackers.
The healthcare industry’s painful cyberattack record thus far in 2015 includes the January hacker attack against Premera Blue Cross, which compromised the financial and medical data of 11 million members, and the Anthem cyberattack reported in February, when nearly 80 million members and employees were similarly affected. CareFirst announced a major hacking incident in May that exposed information of approximately 1.1 million consumers.
This series of mega attacks appears to confirm the worst fears of security experts that a new era of sophisticated cyberthreats targeting healthcare is here. Naysayers who would protest that four heavily press-reported incidents do not make an era should read the fine print in UCLA’s press release Friday: “In today’s information security environment, large, high-profile organizations such as UCLA Health are under near-constant attack. UCLA Health identifies and blocks millions of known hacker attempts each year.”
Security breaches in healthcare organizations are not new, of course. Protected health data of nearly a third of the U.S. population — more than 120 million people — has been compromised in over 1,100 security breaches since 2009, according to the Department of Health and Human Services. However, most security incidents in the past were caused by physical security mistakes like lost or stolen laptops – not sophisticated cyberattacks on networks. Verizon’s 2014 Data Breach Investigations Report found that less than 1% of healthcare security incidents in 2013 were due to cyber-espionage. For example, the same UCLA hospital system reeling today from its massive network hack also reported a security breach in 2011 — but it was caused by a laptop theft from a former employee’s home.
The recent Health Care’s Most Wired survey claims that today’s most technologically advanced hospitals are aware of their increased security risks and are taking strong steps to mitigate them. The 17th annual survey, released on July 9 by the American Hospital Association (AHA) and the American College of Healthcare Executives (ACHE) reported that “Hospitals are taking more aggressive privacy and security measures to protect and safeguard patient data. Top growth areas in security among this year’s Most Wired organizations include privacy audit systems, provisioning systems, data loss prevention, single sign-on and identity management.” Ironically, UCLA Health has been on the Most Wired list for three years. This fact is worrisome (an understatement at best).
What about average healthcare organizations that may not be among the “most wired”? It appears that they are at enormous risk. It is just a matter of time before hackers descend upon lower-profile hospitals with less protected IT systems, if they aren’t already doing so. A recent survey by the Healthcare Information and Management Systems Society (HIMSS) of nearly 300 health IT executives showed that two-thirds had experienced a “significant” data security breach during the past year. Forty-two percent of respondents believed there are “too many emerging and new threats to track.” According to the report, the top two barriers to mitigating cybersecurity risks were “a lack of appropriate personnel,” cited by 64%, and a lack of financial resources, cited by 60%. Most respondents said that the “security tools currently available to them are insufficient to protect against the security threats and vulnerabilities” facing them.
The reasons for hackers’ strong new emphasis on healthcare organizations are many and complex. Detailing them is beyond the scope of this blog post, but briefly, key reasons for increased cyberthreats in healthcare include:
The healthcare industry must make data security central to how it manages its information systems and protected health data. The industry is rife with examples of hospitals that have not completed independent security assessments in years — including organizations that have experienced data breaches. Despite growing concerns expressed by CIOs and IT Directors, we’ve seen little interest among CFOs and CEOs in making security investments. Healthcare quality and patient welfare have become increasingly victimized by concerns for ROI.
We have written frequently on the security risks within hospitals, and ways to mitigate them. The first step is to perform an objective analysis of existing strengths and weaknesses, with the goal of determining how to prevent breaches. Our Tom Grove wrote an excellent post on this subject recently; we recommend that you read it.
To discuss how we can help you develop an effective, sustainable cybersecurity program, contact us.