Maryland cyber security experts are stepping up to protect hospitals, healthcare offices and agencies as stolen medical records are becoming more valuable in today’s economy.
“The bad guys are no longer just trying to hack into the Pentagon, they are trying to attack your medical records and your credit cards,” Michael Ryan, CEO of Annapolis-based South River Technologies, said. “That information is just as critical.”
As such, hospitals must take the need for secure file transfer seriously, Ryan said. Just a few years ago, major healthcare institutions were still relying on non-secure formats like email for file transfers, he said.
South River partners with hospitals and larger medical facilities from all over the world, as well as financial institutions, to make sure data can be shared securely without relying on email. The company’s primary product, Cornerstone MFT, allows doctors and nurses to collaborate in real time on patient files on a secure server.
One rising threat Ryan has seen is a ransomware attack, in which hackers attack a hospital, infect the system and encrypt all the patient information. Hospitals are contacted to pay a ransom in order to get that data back – but in some cases, they pay amounts like $40,000 and never regain the data.
Because of that, South River’s product line includes an offsite repository to mirror data in a HIPAA-compliant manner. The company also works with clients to prevent attacks, address threats and stay on top of the latest technology.
A marketplace of its own
Cybercrime has its “own ecosystem now. It’s in its own unique marketplace,” said Jon Burns, senior vice president and chief information officer for the University of Maryland Medical System. “Health care data is ten times the value of credit card data and the value of health care data is greater than what it would have been ten to fifteen years ago.”
Many in the health care industry worry that stolen medical data could be used to perpetrate Medicaid or insurance fraud. Unlike credit card breaches, which are often caught quickly and resolved with the issuance of a new card, medical data breaches are not a one-time event, Burns said. The stolen data could be used repeatedly.
The cost of protecting data, patients and employees has become the new cost of doing business, and an ongoing one.
“You can’t implement a series of technology and be done,” Burns said.
At University of Maryland Medical Center, prevention includes annual employee training, monthly security council meetings with the cyber team, compliance officers, auditors and physicians, as well as regular consultations with a cyber expert, a former CIA employee. The hospital also has a good relationship with the FBI’s cyber security task force in Baltimore, Burns said.
The hacking threat to health care differs from other industries because health care has so many digital systems and because patients are involved, said Darren Lacey, chief information security officer for Johns Hopkins Hospital. A breach in a manufacturing plant, for example, may not have the impact on people that a hack resulting in stolen medical records would.
Still, Lacey said, hospitals pay more attention to technology than ever before and that is a good thing.
“In terms of overall awareness and visibility, cybersecurity is in so much better shape than it was five years ago, and that’s given me reason to be optimistic,” Lacey said.
Security vs. access
While cyber experts are always thinking about security of data, patients are often thinking more about access. “There’s nobody who’s naturally thinking about the space in between. Sometimes we want data secure and sometimes we want it open and accessible in the case of emergency. Having your data does no good if the physician and the EMS treating you can’t read it,” said Ajay K. Gupta, CEO of the Rockville-based nonprofit, Health Solutions Research, Inc.
In the case of an emergency, patients want first responders and physicians to be able to access secure patient portals, according to a study which HSR presented last year at the Aging in America conference. This kind of access would allow responders to have knowledge of past medical and surgical history, life-threatening allergies or other information that could save the patient’s life.
But how that data would be accessed would vary. HSR has proposed that EMS workers be able to use a person’s fingerprint to access a mobile app. Another solution would be an emergency code that could be entered into a secure system and perhaps be accessible on a medical ID bracelet worn by the patient, Gupta said.
Still, access should not be considered without security, he said, noting that medical records can be used for identity theft, bank account theft or even as fake medical histories for immigration applications.
Cyber in a mobile world
Because today’s medical workforce is increasingly connected through mobile devices, cyber policies and procedures must reflect that, said Gina Abate, president and CEO of Edwards Performance Solutions in Elkridge.
For instance, Edwards recently recommended that a large healthcare agency improve the authentication process for key access points when employees telecommute, and developed a tutorial for employees. Since the process was implemented agency-wide in January, there have been no breaches.
“In this day and age it happens to companies of all sizes,” she said. “You need to understand what your cyber risks are and as a business you need to make an educated decision about what risk you can accept and what risks you can take action on.”