The healthcare industry has quickly adopted software systems and digitized healthcare data, partly due to federal reforms and regulations. While other industries adopted computerized systems at their own pace, hospitals and clinics had to do so on an accelerated schedule. In this race to comply with regulations, few organizations paid attention to security.
Hospitals, clinics, software vendors and even insurance companies have neglected EHR security over the past decade. As a result, patient data is now at risk as hospitals are becoming lucrative targets for hackers. Most of us know that our financial information should be kept secure and private.
But few of us realize how valuable our health data really is. A compromised credit card can be cancelled and reissued, and a leaked password or PIN can be changed, after which the stolen data is useless to the thief. Patient records cannot be reissued: they carry a lifetime of medical history, and typically also a Social Security number, home address and family relationships. It is no wonder that health information commands a high premium in the underground market for stolen data.
The Problem of EHR Security
Hospitals and vendors have mostly focused on interoperability, allowing easy sharing of data between trusted entities, and on other EHR features. Security has been relegated to the back burner, partly because no one recognized the urgency and partly because it is expensive. Building security into software systems is a complex endeavor that requires skilled developers. The healthcare industry has not been proactive in attracting IT talent, and very few healthcare organizations have security resources comparable to those of major technology companies such as Microsoft or Google.
Although patient data has been a target for a while now, attackers' methods have changed. At first the goal was to steal data and sell it on the black market. Now another attack is becoming more common: ransomware. Rather than stealing the data, attackers deny the hospital access to its own patient files by encrypting them in place. Unless it can restore from backups the attackers did not reach, the organization then has to pay a hefty ransom to receive the key that unlocks the files.
Famous Hacks in 2016
In February, attackers broke into the Hollywood Presbyterian Medical Center's systems. They encrypted patient records and demanded millions of dollars for the key. The hospital had to operate without its EHR for a week: doctors and nurses could not access patient records, X-ray and test results could not be shared, and a number of patients were diverted to other hospitals for treatment. Such ransomware attacks are becoming more common as criminals learn that hospitals will pay to regain access to critical patient information.
Premier Healthcare reported a possible data breach in March when a laptop containing patient information was stolen from its offices. While the patient data itself may not have been the target, the incident illustrates how easily a clinic can lose patient records. Although the laptop had a login password, the data on its disk was not encrypted. A login password only controls access through the running operating system; anyone who removes the drive or boots another system can read the files directly, so without full-disk or file-level encryption the password protects nothing at rest. The lack of encryption may come as a surprise to IT professionals, but it is distressingly common in the healthcare industry.
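The check a practitioner would run on such a laptop is whether the filesystem holding patient records actually sits on an encrypted volume, not merely behind a login prompt. The following script is an added example, not code from the original article or from any of the organizations it mentions. It assumes a Linux machine where `lsblk -J` is available and reports LUKS volumes as `crypto_LUKS` partitions with a child of type `crypt`; the embedded lsblk output is constructed sample data, and the function and file names are the author's own.

```python
"""Check whether the block device backing a mountpoint is encrypted at rest.

Walks the lsblk device tree from the root disk down to the mounted
filesystem and reports True only if some ancestor of the mounted
filesystem is a dm-crypt ('crypt') device or a LUKS container.
A login password on the OS is not considered: it protects nothing
once the drive is read from another machine.
"""
import json
import subprocess

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output:
# /boot/efi is a plain FAT partition, / lives on an ext4 filesystem
# inside a LUKS container (sda2 -> luks-root).
SAMPLE_LSBLK_JSON = json.dumps({
    "blockdevices": [
        {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None,
         "children": [
             {"name": "sda1", "type": "part", "fstype": "vfat",
              "mountpoint": "/boot/efi"},
             {"name": "sda2", "type": "part", "fstype": "crypto_LUKS",
              "mountpoint": None,
              "children": [
                  {"name": "luks-root", "type": "crypt", "fstype": "ext4",
                   "mountpoint": "/"}]}]}]})


def _mountpoints(node):
    """Return the list of mountpoints for a node (newer lsblk emits a
    'mountpoints' array, older versions a single 'mountpoint' string)."""
    if "mountpoints" in node:
        return [m for m in node["mountpoints"] if m]
    mp = node.get("mountpoint")
    return [mp] if mp else []


def find_device_chain(lsblk_json, mountpoint):
    """Return the chain of devices (root disk first) leading to the device
    mounted at `mountpoint`, or None if nothing is mounted there."""
    tree = json.loads(lsblk_json)

    def walk(nodes, path):
        for node in nodes:
            chain = path + [node]
            if mountpoint in _mountpoints(node):
                return chain
            found = walk(node.get("children", []), chain)
            if found:
                return found
        return None

    return walk(tree.get("blockdevices", []), [])


def is_encrypted_at_rest(lsblk_json, mountpoint):
    """True if any device on the path to `mountpoint` is a dm-crypt mapping
    or a LUKS container; False if the data is stored in the clear."""
    chain = find_device_chain(lsblk_json, mountpoint)
    if chain is None:
        raise ValueError(f"nothing mounted at {mountpoint}")
    return any(dev.get("type") == "crypt" or dev.get("fstype") == "crypto_LUKS"
               for dev in chain)


def check_live_system(mountpoint="/"):
    """Run lsblk on the current host and evaluate the real mountpoint."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
                         check=True, capture_output=True, text=True).stdout
    return is_encrypted_at_rest(out, mountpoint)


if __name__ == "__main__":
    for mp in ("/", "/boot/efi"):
        state = "encrypted" if is_encrypted_at_rest(SAMPLE_LSBLK_JSON, mp) \
            else "NOT encrypted"
        print(f"{mp}: {state} at rest (sample data)")
```

On a real machine, `check_live_system("/home")` or whichever path holds patient data gives the answer that matters; a result of False means a stolen drive is readable regardless of how strong the login password is. A plain /boot partition being unencrypted is normal, which is why the check is per mountpoint rather than per machine.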
Hospitals and clinics are not the only targets either. Attackers are also compromising third parties that provide services to healthcare organizations. In August, Newkirk Products, an issuer of ID cards for insurers, was breached. The stolen information included birthdates, dependents, type of insurance plan and Medicaid IDs.
So far, hospitals have resisted using public clouds because of a perceived lack of control. Now they are slowly realizing that they may lack the capability to protect their data themselves, and that it may be better entrusted to providers whose core business is security.