The frightening new frontier for hackers: Medical records
Skip to main content
MDHC_Logotype_white
Subscribe
  • My Account
  • Login
  • Subscribe
  • News
    • This Week's News
    • COVID-19
    • Providers
    • Insurance
    • Government
    • Finance
    • Technology
    • Safety & Quality
    • People
    • Regional News
    • Digital Edition
    • Joe Biden
      Revamp of the nation's vaccination effort may not be enough
      A man in a room with servers.
      Momentum grows to outsource hospital tech functions in 2021
      Firefighter walking towards forest fire.
      Wildfires producing more harmful pollution
      Dr. Bruce Siegel
      By protecting the healthcare safety net, Biden can put us on the path to a stronger country
    • Dr. Bruce Siegel
      By protecting the healthcare safety net, Biden can put us on the path to a stronger country
      Joe Biden
      Revamp of the nation's vaccination effort may not be enough
      COVID-19 hastens hospitals' revenue cycle outsourcing moves
      Operation Warp Speed Dr. Moncef Slaoui, Pfizer Group President Angela Hwang, Moderna CEO Stephane Bancel, CVS Health Executive Vice President Karen Lynch and McKesson CEO Brian Tyler participate in a panel discussion on the COVID-19 vaccine.
      Hospitals, drug companies strive to stand out virtually at JPM
    • The Check Up: Trenda Ray
      The Check Up: Trenda Ray of the University of Arkansas for Medical Sciences
      Trenda Ray
      Q&A: Arkansas nursing leader looking for creative staffing solutions as COVID cases surge
      Cook Lydia 4x6_i.jpg
      Northeast Ohio health systems increase community benefit values in 2019
      Vaccine rollout hits snag as health workers balk at shots
    • CMS approves rule forcing insurers to ease prior authorization
      COVID-19 still a big uncertainty for insurers in 2021
      Health insurers' outlook boosted after Dems' Georgia win
      humana_i.jpg
      Humana supports Ohio not-for-profits with $500,000
    • Joe Biden
      Revamp of the nation's vaccination effort may not be enough
      CMS will raise Medicare Advantage plan payments by 4.08% in 2022
      CMS approves rule forcing insurers to ease prior authorization
    • Operation Warp Speed Dr. Moncef Slaoui, Pfizer Group President Angela Hwang, Moderna CEO Stephane Bancel, CVS Health Executive Vice President Karen Lynch and McKesson CEO Brian Tyler participate in a panel discussion on the COVID-19 vaccine.
      Hospitals, drug companies strive to stand out virtually at JPM
      Intermountain, Trinity, Memorial Hermann behind $300M private equity fund
      Operation Warp Speed to bump up McKesson's stock price
      Reporter's notebook: J.P. Morgan's 2021 health conference
    • A man in a room with servers.
      Momentum grows to outsource hospital tech functions in 2021
      5 things to know about Google's $2.1B Fitbit acquisition
      Providence bets on machine-learning, consolidating data centers
      Mental health treatment was most common telehealth service during COVID
    • Sticking to Mediterranean diet is good for the brain
      Chance of COVID-19 triage care looms over Arizona hospitals
      U.S. ramps up vaccinations to get doses to more Americans
      367146427.jpg
      Should businesses mandate that staff get the COVID vaccine?
    • Cone Health CEO, CFO to depart amid pending Sentara merger
      Tower Health's finance chief resigning after years of steep losses
      AHRQ director Gopal Khanna resigns in response to Capitol riot
      Brigham president stepping down after Moderna controversy
    • Midwest
    • Northeast
    • South
    • West
  • Insights
    • ACA 10 Years After
    • Best Practices
    • InDepth Special Reports
    • Innovations
    • The Affordable Care Act after 10 years
    • New care model helps primary-care practices treat obesity
      doctor with patient
      COVID-19 treatment protocol developed in the field helps patients recover
      Rachel Wyatt
      Project to curb pressure injuries in hospitals shows promise
      Yale New Haven's COVID-19 nurse-staffing model has long-term benefits
    • Michellene Davis
      Healthcare leadership lacks the racial diversity needed to reduce health disparities
      Dr. James Hildreth
      How medical education can help fight racism
      Modern Healthcare InDepth: Breaking the bias that impedes better healthcare
      Videos: Healthcare industry executives describe their encounters with racism
      Quotes from rebadged employees
      Outsourcing IT, revenue cycle takes toll on internal culture
    • A woman with a wearable sensor talking to her provider.
      Wearable sensors help diagnose heart rhythm problems in West Virginia
      self service station
      COVID-19 pushes patient expectations toward self-service
      Targeting high-risk cancer patients with genetics
      A nurse holds up a phone with a message to a family member saying surgery has started.
      Texting, tablets help hospitals keep family updated on patient care
  • Transformation
    • Patients
    • Operations
    • Care Delivery
    • Payment
    • Highmark Health inks six-year cloud, tech deal with Google
      Study: 1 in 5 patients report discrimination when getting healthcare
      HHS proposes changing HIPAA privacy rules
      Android health records app launches at 230 health systems
    • California hospitals prepare ethical protocol to prioritize lifesaving care
      Amazon, JPMorgan Chase, Berkshire Hathaway disband Haven
      Digital pathways poised to reshape healthcare continuum in 2021
      Healthcare was the hardest hit by supply shortages across all U.S. industries
    • A woman with a wearable sensor talking to her provider.
      Wearable sensors help diagnose heart rhythm problems in West Virginia
      New care model helps primary-care practices treat obesity
      How hospitals are building on COVID-19 telehealth momentum
      Researchers: Hospital price variation exacerbates health inequities
    • MedPAC votes to boost hospital payments, freeze or cut other providers
      Most Next Gen ACOs achieved bonuses in 2019
      Congress recalibrates Medicare Physician Fee Schedule after lobbying
      CMS approves rule to encourage value-based drug pricing
  • Data/Lists
    • Rankings/Lists
    • Interactive Databases
    • Data Points
    • Health Systems Financials
      Executive Compensation
      Physician Compensation
  • Op-Ed
    • Bold Moves
    • Breaking Bias
    • Commentaries
    • Letters
    • Vital Signs Blog
    • From the Editor
    • Wellstar CEO calls adapting for the pandemic her bold move
      Howard P. Kern
      Recognizing the value of telehealth in its infancy
      Dr. Stephen Markovich
      A bold move helped take him from family doctor to OhioHealth CEO
      Dr. Bruce Siegel
      Why taking a hospital not-for-profit was Dr. Bruce Siegel’s boldest move
    • Barry Ostrowsky
      Ending racism is a journey taken together; the starting point must be now
      Laura Lee Hall and Gary Puckrein
      Increased flu vaccination has never been more important for communities of color
      John Daniels Jr.
      Health equity: Making the journey from buzzword to reality
      Mark C. Clement and David Cook
      We all need to 'do something' to fight inequities and get healthcare right, for every patient, every time
    • Dr. Bruce Siegel
      By protecting the healthcare safety net, Biden can put us on the path to a stronger country
      Healing healthcare: some ideas for triage by the new Congress, administration
      Dr. Sachin H. Jain
      Medicare for All? The better route to universal coverage would be Medicare Advantage for All
      Connectivity: a social determinant of health that can exacerbate all the others
    • Letters: Eliminating bias in healthcare needs to be ‘deliberate and organic’
      Letters: Maybe dropping out of ACOs is a good thing for patients
      Letters: White House and Congress share blame for lack of national COVID strategy
      Letters: VA making strides to improve state veterans home inspections
    • Sponsored Content Provided By Optum
      How blockchain could ease frustration with the payment process
      Sponsored Content Provided By Optum
      Three steps to better data-sharing for payer and provider CIOs
      Sponsored Content Provided By Optum
      Reduce total cost of care: 6 reasons why providers and payers should tackle the challenge together
      Sponsored Content Provided By Optum
      Why CIOs went from back-office operators to mission-critical innovators
  • Awards
    • Award Programs
    • Nominate
    • Previous Award Programs
    • Other Award Programs
    • Best Places to Work in Healthcare Logo for Navigation
      Nominations Open - Best Places to Work in Healthcare
      Nominations Open - Health Care Hall of Fame
      Nominations Open - 50 Most Influential Clinical Executives
    • 100 Most Influential People
    • 50 Most Influential Clinical Executives
    • Best Places to Work in Healthcare
    • Health Care Hall of Fame
    • Healthcare Marketing Impact Awards
    • Top 25 Emerging Leaders
    • Top 25 Innovators
    • Top 25 Minority Leaders
    • Top 25 Women Leaders
    • Excellence in Nursing Awards
    • Design Awards
    • Top 25 COOs in Healthcare
    • 100 Top Hospitals
    • ACHE Awards
  • Events
    • Conferences
    • Galas
    • Webinars
    • COVID-19 Event Tracker
    • Leadership Symposium
    • Healthcare Transformation Summit
    • Women Leaders in Healthcare Conference
    • Workplace of the Future Conference
    • Strategic Marketing Conference
    • Social Determinants of Health Symposium
    • Best Places to Work Awards Gala
    • Health Care Hall of Fame Gala
    • Top 25 Minority Leaders Gala (2022)
    • Top 25 Women Leaders Gala
  • Listen
    • Podcast - Next Up
    • Podcast - Beyond the Byline
    • Sponsored Podcast - Healthcare Insider
    • Video Series - The Check Up
    • Sponsored Video Series - One on One
    • Carter Dredge
      Next Up Podcast: Ready, set, innovate! Innovation and disruption in healthcare
      Next Up Podcast: COVID-19, social determinants highlight health inequities — what next?
      Next Up Podcast: Saving Rural Health
      Ceci Connolly
      Next Up Podcast: How to navigate the murky post-election waters
    • An older man wearing a mask receiving a vaccine.
      Beyond the Byline: Verifying information on the chaotic COVID-19 vaccine rollout
      doctor burnout
      Beyond the Byline: How healthcare supply chain struggles contribute to employee burnout
      Beyond the Byline: Covering race and diversity in the healthcare industry
      Beyond the Byline: How telehealth utilization has impacted investor-owned company earnings
    • Leading intention promote diversity and inclusion
      Introducing Healthcare Insider Podcast
    • The Check Up: Trenda Ray
      The Check Up: Trenda Ray of the University of Arkansas for Medical Sciences
      The Check Up: Dr. Kenneth Davis
      The Check Up: Dr. Kenneth Davis of Mount Sinai Health System
      The Check Up: Dr. Thomas McGinn
      The Check Up: Dr. Thomas McGinn of CommonSpirit Health
      The Check Up: Mark Ganz
      The Check Up: Mark Ganz of Cambia Health Solutions
    • Video: Ivana Naeymi Rad of Intelligent Medical Objects
  • MORE +
    • Advertise
    • Media Kit
    • Newsletters
    • Jobs
    • People on the Move
    • Reprints & Licensing
MENU
Breadcrumb
  1. Home
  2. Technology
April 10, 2017 01:00 AM

The frightening new frontier for hackers: Medical records

Brigid Sweeney, Crain's Chicago Business
  • Tweet
  • Share
  • Share
  • Email
  • More
    Print

    If you've ever had your credit card or bank account hacked, consider this grim new statistic: By 2024, everyone in the U.S. will have had their health care data compromised if online theft keeps accelerating at the current pace.

    As health records have gone digital in the past seven years, they've become far more vulnerable to poaching—and far more valuable to thieves, who can sell a complete medical record for more than $1,000 on the darknet. That's because the records contain not just your insurance info—which can be used for fraudulent billing and prescriptions—but also Social Security, driver's license and credit card numbers. As a result, the health care industry is scrambling to play catch-up to secure patient and hospital data.

    Health care has lagged far behind banking, financial services and retail when it comes to implementing security protocols. Until Obamacare mandated electronic records, many medical providers still operated with paper, faxes and handwritten charts. Once electronic systems were finally implemented, the industry struggled to attract top IT talent to protect them.

    The access issues are industry-specific. "Security in health care has some unique challenges because we have to share data in ​ order to save lives while also protecting patient information," says Steven Smith, chief information officer at Evanston-based NorthShore University HealthSystem. "If you think of a bank, your financial information is locked up and not shared. But we need to share our data with our doctors, nurses and outside payers, as well as with the patients themselves."

    IT security experts say it's tough to overstate the enormity and frequency of the threats, which have skyrocketed in the past decade as everything has become exponentially more networked. "Let's put it this way: I'm currently on-site with a client, dealing with a breach," says Mick Coady, a partner in PwC's Health Information Privacy & Security practice in Austin, Texas, who works with major health care clients across the country.

    So far in 2017, 79 security breaches, each affecting at least 500 patients, have been reported to the U.S. Health & Human Services Department. That's more than five incidents a week. Only one, involving Walgreens Boots Alliance and 4,500 records, took place in Illinois. Still, the state has experienced nearly 100 incidents since 2010, according to the HHS breach portal, known as the "Wall of Shame" to security professionals.

    Major hospital systems here are beginning to pay the price as HHS levies fines on providers who have lost sensitive patient data. In January, Chicago's Presence Health agreed to pay $475,000 to HHS for failing to report in a timely manner a 2013 breach involving missing paper schedules containing patient information. Presence is "working diligently" on a corrective plan, including additional security training for staff, a spokesman says.

    That figure pales in comparison to the $5.5 million shelled out by Advocate Health Care in August. The Downers Grove-based hospital network agreed to pay HHS the largest settlement ever by a single entity for potential violations of federal patient privacy law related to three separate 2013 breaches that compromised the data of 4 million people. Two of the incidents involved stolen employee laptops, while a third involved a consultant's potentially unauthorized access to patient records. Since then, Advocate has "enhanced (its) data encryption measures," says a spokeswoman, adding that there's been no indication the information was misused.

    Nationwide, IT breaches cost the industry more than $6 billion annually—a number that grows each year, according to the Ponemon Institute, an IT security researcher.

    Hospitals and physicians' practices make enticing targets. For starters, the protections are lax. "Based on our testing, health care applications performed more poorly on just about every (security) measure than applications in any other industry," says Tim Jarrett, a senior director of product marketing at Veracode, a Boston software security firm.

    Then there's the industry's personnel problem. "The U.S. has a huge shortage of highly qualified cybersecurity people across all industries," says Rod Piechowski, a senior director at the Healthcare Information & Management Systems Society, or HIMSS, a Chicago-based nonprofit with more than 50,000 members. "Being late to the game, health care just can't compete."

    Although they're in high demand, IT professionals in health care historically have not had a major say in their employers' procurement process, unlike in other industries, according to Jarrett. Until recently, security wasn't prioritized the way it was in finance or banking, and, as a result, network administrators couldn't effectively lobby manufacturers to increase software security standards, so they often ended up overseeing systems that are tough to keep safe.

    Plus, it's not just computer and billing systems that are vulnerable. Medical devices from insulin pumps to pacemakers store information wirelessly. Several years ago, former Vice President Dick Cheney revealed that, while he was in office, his doctors had disabled his heart implant's wireless connection because of a fear of assassination attempts. More recently, Johnson & Johnson warned customers about a security problem with one of its insulin pumps.

    Some medical devices aren't made to allow any remote management, which prevents IT people from detecting problems and installing updates efficiently. Once tech teams are saddled with subpar systems, they're really stuck—because medical equipment tends to have a much longer life cycle than consumer electronics. Jarrett says he knows of one Midwestern drug company where computers that prepare prescriptions​ for patients use Windows XP, a 16-year-old operating system that stopped being supported in 2014. "That's horrifying," he says.

    Shadow IT systems

    Compounding the issue, some physicians, frustrated by clunky systems and compelled to find quick workarounds in the name of patient care, have created ad hoc "shadow IT" systems that rely on insecure methods like texts or unencrypted personal email, according to Coady.

    As health care systems struggle to secure their data, increasingly sophisticated thieves have more reasons to steal it. Because the records include so much information, thieves can falsify insurance claims and collect checks, get tens or hundreds of thousands of dollars of free care on someone else's insurance (which might affect the real policyholder's coverage limits), and falsify driver's licenses to illegally get prescriptions. "The fraud that can be executed against payers is incredible," Coady says.

    Hackers have also been known to attempt extortion. In late 2014, Clay County Hospital, an 18-bed facility in downstate Flora, received an anonymous message saying that more than 12,000 patient files would be released unless it paid thousands of dollars. Administrators instead contacted the FBI—but other hospitals, including Hollywood Presbyterian Medical Center in Los Angeles, have paid thousands of dollars in similar situations.

    Most Chicago hospital systems are reluctant to discuss their security efforts beyond confirming that they've invested lots of time and money. ("If you go out publicly and say, 'We just made major upgrades and have the best cybersecurity in the world,' you've just made yourself a major target," explains Piechowski, the HIMSS executive.)

    But they acknowledge the pressing issue. "The Cook County Health & Hospitals System has invested considerable financial and human resources into ensuring the highest level of security possible," Donna Hart, the system's chief information officer, says in a statement. "The security of our systems is one of our highest priorities."

    Smith, NorthShore's CIO, says security has been his employer's top priority for years—but acknowledges that the threats continue to proliferate. "They're definitely increasing in volume and in sophistication," he says. "This is not a matter of someone sitting in their garage trying to hack your system."

    Letter
    to the
    Editor

    Send us a letter

    Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.

    Recommended for You
    Momentum grows to outsource hospital tech functions in 2021
    Momentum grows to outsource hospital tech functions in 2021
    5 things to know about Google's $2.1B Fitbit acquisition
    5 things to know about Google's $2.1B Fitbit acquisition
    Sponsored Content
    Get Free Newsletters

    Sign up for free enewsletters and alerts to receive breaking news and in-depth coverage of healthcare events and trends, as they happen, right to your inbox.

    Subscribe Today

    The weekly magazine, websites, research and databases provide a powerful and all-encompassing industry presence. We help you make informed business decisions and lead your organizations to success.

    Subscribe
    Connect with Us
    • LinkedIn
    • Twitter
    • Facebook
    • RSS
    • Instagram

    Stay Connected

    Join the conversation with Modern Healthcare through our social media pages

    MDHC_Logotype_white
    Contact Us

    (877) 812-1581

    Email us

     

    Resources
    • Contact Us
    • Advertise with Us
    • Ad Choices Ad Choices
    • Sitemap
    Editorial Dept
    • Submission Guidelines
    • Code of Ethics
    • Awards
    • About Us
    Legal
    • Terms and Conditions
    • Privacy Policy
    • Privacy Request
    Modern Healthcare
    Copyright © 1996-2021. Crain Communications, Inc. All Rights Reserved.
    • News
      • This Week's News
      • COVID-19
      • Providers
      • Insurance
      • Government
      • Finance
      • Technology
      • Safety & Quality
      • People
      • Regional News
        • Midwest
        • Northeast
        • South
        • West
      • Digital Edition
    • Insights
      • ACA 10 Years After
      • Best Practices
      • InDepth Special Reports
      • Innovations
    • Transformation
      • Patients
      • Operations
      • Care Delivery
      • Payment
    • Data/Lists
      • Rankings/Lists
      • Interactive Databases
      • Data Points
    • Op-Ed
      • Bold Moves
      • Breaking Bias
      • Commentaries
      • Letters
      • Vital Signs Blog
      • From the Editor
    • Awards
      • Award Programs
        • 100 Most Influential People
        • 50 Most Influential Clinical Executives
        • Best Places to Work in Healthcare
        • Health Care Hall of Fame
        • Healthcare Marketing Impact Awards
        • Top 25 Emerging Leaders
        • Top 25 Innovators
        • Top 25 Minority Leaders
        • Top 25 Women Leaders
      • Nominate
      • Previous Award Programs
        • Excellence in Nursing Awards
        • Design Awards
        • Top 25 COOs in Healthcare
      • Other Award Programs
        • 100 Top Hospitals
        • ACHE Awards
    • Events
      • Conferences
        • Leadership Symposium
        • Healthcare Transformation Summit
        • Women Leaders in Healthcare Conference
        • Workplace of the Future Conference
        • Strategic Marketing Conference
        • Social Determinants of Health Symposium
      • Galas
        • Best Places to Work Awards Gala
        • Health Care Hall of Fame Gala
        • Top 25 Minority Leaders Gala (2022)
        • Top 25 Women Leaders Gala
      • Webinars
      • COVID-19 Event Tracker
    • Listen
      • Podcast - Next Up
      • Podcast - Beyond the Byline
      • Sponsored Podcast - Healthcare Insider
      • Video Series - The Check Up
      • Sponsored Video Series - One on One
    • MORE +
      • Advertise
      • Media Kit
      • Newsletters
      • Jobs
      • People on the Move
      • Reprints & Licensing