March 30, 2016 01:00 AM

Hospital cyberattack highlights healthcare vulnerabilities

Associated Press

    A cyberattack that paralyzed the hospital chain MedStar this week is serving as a fresh reminder of vulnerabilities that exist in systems that protect sensitive patient information.

    That attack came a month after a Los Angeles hospital paid hackers $17,000 to regain control of its computer system and more than a year after intruders broke into a database containing the records of nearly 80 million people maintained by the health insurer Anthem.

    In Anthem's case, only a single password stood between hackers with a stolen employee ID and a chance to plunder the Blue Cross-Blue Shield carrier's database, according to a federal lawsuit filed by customers over the breach.

    Cyber criminals also have staged high-profile attacks in recent years against the federal government, retail chains and the adultery website Ashley Madison, among many other targets. But security experts say health care companies make especially inviting targets for a number of reasons.

    The information they protect is more valuable on the black market than a credit card number stored by a retailer. Health care cybersecurity also can lag behind measures taken in other sectors like banking.

    This can stem in part from a business emphasis on tight budgets and convenience over security. Health care companies also have to deal with an additional headache: Multiple entry points into a system, with security quality varying among the clinics, labs and hospitals that may have access.

    Cybersecurity experts note that government guidelines for health care data protection also are light on details and standards. The federal law known as HIPAA tells health care companies when they can disclose a person's records and to whom. It also requires them to protect the information.

    But it doesn't come with a lot of specific mandates for that protection, said Lee Kim, director of privacy and security for the nonprofit Healthcare Information and Management Systems Society.

    Intruders cracked Anthem's database sometime between the end of 2014 and the start of 2015 in a hack that is still under investigation. They gained access to Social Security numbers, birthdates and employment details for customers as far back as 2004, all key ingredients for stealing someone's identity.

    Anthem, the nation's second-largest health insurer, has said that hackers staged a sophisticated attack that evaded multiple layers of security to reach its database. But a lawsuit filed last year by customers who say they were affected by the breach paints Anthem as a ripe target.

    It says the insurer allowed wide employee access to its database and didn't train employees how to handle "phishing" emails, which can bait a recipient into revealing a password.

    Investigators have said they think hackers may have used a phishing scheme to compromise the credentials of several workers.

    A partially redacted complaint filed in the litigation also said the company failed to employ common defenses like encryption, which can scramble data and make it useless.

    "Stealing this much data takes time, and there were numerous steps along the way when any company following standard IT security practices would have foiled the hackers," the complaint states.

    An Anthem spokeswoman said the details in the federal lawsuit were merely allegations, and the company could not comment on pending litigation.

    "At Anthem, securing our member, provider and client data is a top priority," spokeswoman Jill Becher said in an email.

    Hackers cracked Anthem's database by stealing the credentials of an employee whose job didn't require access to the database, according to the complaint, which was based in part on a security assessment Anthem commissioned after the breach.

    A failure to restrict access to sensitive information is one of the biggest security weaknesses hackers exploit, said Michael Zweiback, an attorney and former federal prosecutor. Allowing widespread access gives hackers many chances to try to trick a worker into divulging a password.

    "This is something that happens in hospitals, it happens in Fortune 500 companies right now, every day," he said.

    Companies hesitate to restrict access because they want to make it easy for employees to move from network to network and do their jobs, Zweiback said.

    "When security becomes the emphasis, employees start to complain because maybe they don't get access as quickly," he said.

    The lawsuit also states that Anthem only required a single password for those who wanted to get into its database from a remote location. Experts say two-factor authentication is the more common practice. This basically involves an employee entering a user name and password and then a separate password or identification number that can change.

    Only about 10 percent of health insurers use two-factor authentication and encryption to protect data, said Avivah Litan, a cybersecurity analyst for the information technology adviser Gartner. Litan works as a consultant in several sectors, including health care.

    Anthem has said it normally encrypts data it exports, but that practice would not have helped because the hacker used high-level security credentials to get into its system.

    Experts say encryption can be tuned so that even authorized users can view only one person's account or a portion of a record at a time.

    Litan and other consultants say health care companies have started showing more interest in cybersecurity, and top executives of these companies have begun to pay closer attention to it. But Litan hasn't seen the actual investment from these companies yet.

    "I'm sure Anthem has made some changes, but the other ones are waiting until they get budgets, and they won't get budgets until they get breached," she said. "That's just the way it works."

    Anthem has said in regulatory filings that it quickly fixed a security vulnerability it discovered after its breach and has continued to improve security since then.

    Ultimately, no security plan is perfect against a determined hacker, noted John Gunn, vice president for VASCO Data Security. But companies that drop several layers of security between an intruder and sensitive information can convince a hacker to try elsewhere.

    "The more systems that companies put in place, the more attractive other targets are based on what a hacker has to invest and what they will get for it," Gunn said. "Companies make this cost-reward decision, so do hackers."

    Modern Healthcare
    Copyright © 1996-2022. Crain Communications, Inc. All Rights Reserved.