
IT Everything

A witness to history in healthcare information technology.
By Joseph Conn

Blog: Because that's where the data are

It was déjà vu for data security expert Michael "Mac" McMillan when he heard a hacker had tried to extort money from an Illinois medical group whose patient records and e-mail messages the intruder had accessed and encrypted.

"This is classic," McMillan said. "We saw this countless times in the 1990s with community banks. They would get access to the accounts with people's data and send the bank director a ransom note."

McMillan is the founder and CEO of CynergisTek, an Austin, Texas-based security consulting firm serving the healthcare industry.

He hasn't heard of another incident in the healthcare industry in which encryption was used to hold a provider's data hostage—at least not yet—but "it doesn't surprise me that it's happened," he said.

When other industries computerized their business processes, security trailed, McMillan said. "They all went through these phases, where the big guys at the top did it first and the little guys dragged their feet."

In healthcare, "with all this digitization and data-sharing, you become more and more vulnerable to threats from the Internet," he said.

The hack job on the computer system of three surgeons in Libertyville, Ill., a northwest suburb of Chicago, was discovered in June but wasn't publicly revealed until recently. The investigation was turned over to the Secret Service—an agency most widely known for its work protecting the U.S. president, but that possesses other skills, too.

"The Secret Service is the organization within the federal government that has executive agency over computer security crimes," McMillan said. "Typically, when they get involved, there is some form of interstate extortion or threat or something big that can cross state lines or international boundaries."

And the Secret Service could be called the Secretive Service in this case. They've not returned multiple phone calls I've made asking for more information about the breach.

Since the physicians' e-mails were compromised along with their EHR, it's likely both systems were on the same office computer, McMillan hypothesized.

That's not smart, but it's also no surprise.

"Small outfits might have one file server that is its mail server," McMillan said. "We've seen situations where the firewall is on the same server. That makes it easy for these guys to do what they did. They got on the box and got root access and they probably encrypted the whole box."

Once in, the hackers may have learned the physicians weren't vigilant about backing up their data, which may have triggered the extortion demand.

"If these guys had everything backed up correctly, the ransom wouldn't have had nearly the effect," McMillan said. The breach would have cost them a server, he said, but they would have been able to download copies of their records from their back-up files and been right back in business.

So, how did the community banks address the data hostage problem?

"They got smarter and started encrypting things," McMillan said. "Then you started seeing community banks having the same level of security as the big banks."

Like it or not, encryption is coming to the healthcare industry. Might as well just get on with it.

Follow Joseph Conn on Twitter: @MHJConn.
