The frightening new frontier for hackers: Medical records
Skip to main content
MDHC_Logotype_white
Subscribe
  • My Account
  • Login
  • Subscribe
  • News
    • This Week's News
    • COVID-19
    • Providers
    • Insurance
    • Government
    • Finance
    • Technology
    • Safety & Quality
    • People
    • Regional News
    • Digital Edition
    • Lawmakers seek long-term limit on governors' emergency power
      NIH aims to address COVID testing disparities in underserved communities
      Diabetes patients at high risk from COVID-19 are managing conditions more effectively
      Some GOP-led states target abortions done through medication
    • Lawmakers seek long-term limit on governors' emergency power
      NIH aims to address COVID testing disparities in underserved communities
      Diabetes patients at high risk from COVID-19 are managing conditions more effectively
      More Black Americans open to vaccines after outreach efforts
    • Calls mount for Biden to track U.S. healthcare worker deaths from COVID
      Front-line workers want more assistance after a year of COVID-19
      Healthcare providers enter Philadelphia's legal fight to enact gun laws
      Taking population health expertise to the market
    • Cigna and Oscar expand their small business partnership
      5 things to know about Agilon Health's proposed IPO
      More than a half million Americans gain coverage under Biden
      Insurance auto-retention policies could halve number of people kicked off coverage
    • Lawmakers seek long-term limit on governors' emergency power
      Reforms follow deadly year in New York nursing homes
      MACPAC approves recommendations on specialty drugs, behavioral health
      No region in the world spared as virus cases, deaths surge
    • Outgoing UHS chief made almost 50% less in 2020 than 2019
      A hundred dollar bill cut into strips with a colorful background.
      Population health still at odds with fee-for-service
      Private equity could increase long-term Medicare spending, MedPAC says
      Jeb Bush, Marilyn Tavenner getting in on healthcare SPAC frenzy
    • Healthcare data breaches
      By the Numbers: National health information service providers
      Health systems are navigating the digital divide and vaccine access
      woman doctor shaking hands with nurse and smiling
      Sponsored Content Provided By Philips
      A stronger healthcare system requires bold new ways of working together
    • More Black Americans open to vaccines after outreach efforts
      Fight against STDs lost amid coronavirus testing blitz
      Beyond the Byline: Kids' unchecked mental health needs pose long-term consequences
      Hospitals vary widely in reducing C-section rates, but some progress in other maternal health metrics
    • Novant Health adds chief payor performance officer
      Kaiser Permanente names Comer chief IT officer
      Mass General Hospital's Slavin to retire as CEO
      UnitedHealthcare names Thompson as new CEO
    • Midwest
    • Northeast
    • South
    • West
  • Insights
    • ACA 10 Years After
    • Best Practices
    • Special Reports
    • Innovations
    • The Affordable Care Act after 10 years
    • A close-up of a woman receiving a COVID-19 vaccine.
      Providers in underserved communities work toward equitable vaccine distribution
      Josh Bradshaw
      How one rural Illinois county vaccinated 84% of its senior citizens by early March
      Dr. John Fischer
      Patient-reported outcomes tool for hernia surgery helps physicians improve care
      New care model helps primary-care practices treat obesity
    • A family photo of the the Hangens.
      Stressing the already burdened pediatric behavioral health system
      Jennifer Pannone and her daughter Victoria.
      Mental health access for children needs attention
      What's next for on-demand telehealth companies?
      A CalOptima PACE vaccination clinic.
      Will COVID-19 be the catalyst for creating a more sustainable healthcare system?
    • Ryan McGinnis
      Finding efficiencies in the OR using tech
      Dr. Daniel Hall
      UPMC pilots machine learning, telehealth to inform patient transfers
      A woman being recorded using her inhaler on a smartphone.
      Digital check-ins, connected inhalers help control asthma
      A phone screen showing the question, "Mary we hope this information was helpful and we'd like to keep guiding you. Are you interested in knowing when it's your turn to receive the vaccine?"
      Chatbots, texting campaigns help manage influx of COVID vax questions
  • Transformation
    • Patients
    • Operations
    • Care Delivery
    • Payment
    • Diabetes patients at high risk from COVID-19 are managing conditions more effectively
      Nearly 1 in 5 Americans skipped care due to cost last year
      COVID-19 long-haulers need holistic treatment, providers say
      Amazon expanding employee clinics into two more states
    • Malpractice premiums peak in 2020, AMA survey shows
      A rendering of a cancer research institute at the University of Southern California that will include 5G.
      Healthcare providers determine how to best use ultrafast 5G
      Two-thirds of largest hospitals aren't complying with price transparency rule
      'Silver lining': Hospitals keep practices born in COVID rush
    • Addressing long-standing barriers needed for mental and physical health integration
      A close-up of a woman receiving a COVID-19 vaccine.
      Providers in underserved communities work toward equitable vaccine distribution
      The waiting room of a Kaiser Permanente clinic at a Target location.
      Health systems revamp their approach to retail clinics
      Josh Bradshaw
      How one rural Illinois county vaccinated 84% of its senior citizens by early March
    • CMS wants to bump pay for hospices, SNFs next year
      CMMI pauses new Direct Contracting model applications
      CMS wants to boost payments over 2% for inpatient rehab, psych facilities
      40 Oregon providers, insurers sign value-based care pact
  • Data/Lists
    • Rankings/Lists
    • Interactive Databases
    • Data Points
    • Health Systems Financials
      Executive Compensation
      Physician Compensation
  • Op-Ed
    • Bold Moves
    • Breaking Bias
    • Commentaries
    • Letters
    • Vital Signs Blog
    • From the Editor
    • Dr. Alan Kaplan
      The risks, rewards of taking organizations 'where they haven’t gone before'
      Wellstar CEO calls adapting for the pandemic her bold move
      Howard P. Kern
      Recognizing the value of telehealth in its infancy
      Dr. Stephen Markovich
      A bold move helped take him from family doctor to OhioHealth CEO
    • Drs. Hal Paz and Joshua J. Joseph
      Mobilized to fight the COVID crisis: a blueprint for community and academic partnerships
      Dr. Stephen Markovich
      Making sure we're aligned along the path to achieving inclusion
      Barry Ostrowsky
      Ending racism is a journey taken together; the starting point must be now
      Laura Lee Hall and Gary Puckrein
      Increased flu vaccination has never been more important for communities of color
    • We're losing engaged providers, and healthcare will pay the price
      Bonnie Castillo and John Welton
      Dueling opinions: The role of mandated nurse staffing ratios
      Dr. Chris DeRienzo
      How COVID-19 broke health systems and made them stronger
      Still crossing the quality chasm: a look at the IOM's seminal report 20 years later
    • Letters: Eliminating bias in healthcare needs to be ‘deliberate and organic’
      Letters: Maybe dropping out of ACOs is a good thing for patients
      Letters: White House and Congress share blame for lack of national COVID strategy
      Letters: VA making strides to improve state veterans home inspections
    • Sponsored Content Provided By Optum
      How blockchain could ease frustration with the payment process
      Sponsored Content Provided By Optum
      Three steps to better data-sharing for payer and provider CIOs
      Sponsored Content Provided By Optum
      Reduce total cost of care: 6 reasons why providers and payers should tackle the challenge together
      Sponsored Content Provided By Optum
      Why CIOs went from back-office operators to mission-critical innovators
  • Awards
    • Award Programs
    • Nominate
    • Previous Award Programs
    • Other Award Programs
    • Voting Open - 50 Most Influential Clinical Executives
      Nominations Open - Top 25 Innovators
      Nominations Open May 24 - Top 25 Emerging Leaders
    • 100 Most Influential People
    • 50 Most Influential Clinical Executives
    • Best Places to Work in Healthcare
    • Health Care Hall of Fame
    • Healthcare Marketing Impact Awards
    • Top 25 Emerging Leaders
    • Top 25 Innovators
    • Minorities in Healthcare
      • - Luminaries
      • - Top 25 Minority Leaders
      • - Minorities to Watch
    • Women in Healthcare
      • - Luminaries
      • - Top 25 Women Leaders
      • - Women to Watch
    • Excellence in Nursing Awards
    • Design Awards
    • Top 25 COOs in Healthcare
    • 100 Top Hospitals
    • ACHE Awards
  • Events
    • Conferences
    • Galas
    • Webinars
    • COVID-19 Event Tracker
    • emburse certify modern healthcare custom media webinar logo lockup
      Sponsored Content Provided By Emburse
      Webinar: Making it easy to manage costs
      virtualmed staff modern healthcare custom media logo lockup
      Sponsored Content Provided By VirtualMed Staff
      Webinar: Best practices for creating a successful telepsychiatry program
      telehealth visit man touching neck while speaking to doctor on computer
      Sponsored Content Provided By Accumen
      Webinar: How telehealth has evolved into a standard of care
      modern healthcare custom media and trimedx custom webinar logo lockup
      Sponsored Content Provided By TRIMEDX
      Webinar: Bridging the gap between clinicians and administration to improve capital equipment planning
    • Women Leaders in Healthcare Conference
    • Social Determinants of Health Symposium
    • Healthcare Transformation Summit
    • Leadership Symposium
    • Virtual Briefings
      • - Hospital of the Future
      • - Mental Health
      • - Patient Safety & Quality
      • - Strategic Marketing
      • - Virtual Health
      • - Workplace of the Future
    • Best Places to Work Awards Gala
    • Health Care Hall of Fame Gala
    • Top 25 Minority Leaders Gala
    • Top 25 Women Leaders Gala
  • Listen
    • Podcast - Next Up
    • Podcast - Beyond the Byline
    • Sponsored Podcast - Healthcare Insider
    • Video Series - The Check Up
    • Sponsored Video Series - One on One
    • Dr. Chris DeRienzo
      Next Up Podcast: Building team spirit in the wake of COVID-19
      Mikelle Moore
      Next Up Podcast: Mikelle Moore on recognizing all hospital workers during the pandemic
      Empty boardroom
      Next Up Podcast: What's going to happen tomorrow? Succession planning during emergencies
      Next Up Podcast: Educating patients on the COVID-19 vaccine with Tanya Andreadis
    • Beyond the Byline: Kids' unchecked mental health needs pose long-term consequences
      Beyond the Byline: How COVID-19 has impacted hospital finances
      An older man sitting on a hospital bed with his back toward the camera.
      Beyond the Byline: Upcoding could explain why hospitals are increasingly billing for the most complex treatment
      Beyond the Byline: Insurers are betting on virtual-first plans as COVID-19 shifts care pathways
    • James garvert neustar healthcare insider podcast image
      Building on basics
      Healthcare Insider Podcast Episode Art - Premier
      Why Roger Weems and other consultants are leaving the big firms to join Premier
      James garvert neustar healthcare insider podcast image
      Outreach during COVID-19
      ann barnes healthcare insider podcast image
      Leading with intention to promote diversity and inclusion
    • The Check Up: Matt Eyles
      The Check Up: Matt Eyles of AHIP
      The Check Up: Dr. Tom Shanley
      The Check Up: Dr. Tom Shanley of Lurie Children’s Hospital of Chicago
      The Check Up: Dr. Harold Paz
      The Check Up: Dr. Harold Paz of Wexner Medical Center at Ohio State University
      The Check Up: Pat Schou
      The Check Up: Pat Schou of the Illinois Critical Access Hospital Network
    • ivana naeymi-rad one on one intelligent medical objects
      Video: Ivana Naeymi Rad of Intelligent Medical Objects
  • MORE +
    • Advertise
    • Media Kit
    • Newsletters
    • Jobs
    • People on the Move
    • Reprints & Licensing
MENU
Breadcrumb
  1. Home
  2. Technology
April 10, 2017 01:00 AM

The frightening new frontier for hackers: Medical records

Brigid Sweeney, Crain's Chicago Business
  • Tweet
  • Share
  • Share
  • Email
  • More
    Print

    If you've ever had your credit card or bank account hacked, consider this grim new statistic: By 2024, everyone in the U.S. will have had their health care data compromised if online theft keeps accelerating at the current pace.

    As health records have gone digital in the past seven years, they've become far more vulnerable to poaching—and far more valuable to thieves, who can sell a complete medical record for more than $1,000 on the darknet. That's because the records contain not just your insurance info—which can be used for fraudulent billing and prescriptions—but also Social Security, driver's license and credit card numbers. As a result, the health care industry is scrambling to play catch-up to secure patient and hospital data.

    Health care has lagged far behind banking, financial services and retail when it comes to implementing security protocols. Until Obamacare mandated electronic records, many medical providers still operated with paper, faxes and handwritten charts. Once electronic systems were finally implemented, the industry struggled to attract top IT talent to protect them.

    The access issues are industry-specific. "Security in health care has some unique challenges because we have to share data in ​ order to save lives while also protecting patient information," says Steven Smith, chief information officer at Evanston-based NorthShore University HealthSystem. "If you think of a bank, your financial information is locked up and not shared. But we need to share our data with our doctors, nurses and outside payers, as well as with the patients themselves."

    IT security experts say it's tough to overstate the enormity and frequency of the threats, which have skyrocketed in the past decade as everything has become exponentially more networked. "Let's put it this way: I'm currently on-site with a client, dealing with a breach," says Mick Coady, a partner in PwC's Health Information Privacy & Security practice in Austin, Texas, who works with major health care clients across the country.

    So far in 2017, 79 security breaches, each affecting at least 500 patients, have been reported to the U.S. Health & Human Services Department. That's more than five incidents a week. Only one, involving Walgreens Boots Alliance and 4,500 records, took place in Illinois. Still, the state has experienced nearly 100 incidents since 2010, according to the HHS breach portal, known as the "Wall of Shame" to security professionals.

    Major hospital systems here are beginning to pay the price as HHS levies fines on providers who have lost sensitive patient data. In January, Chicago's Presence Health agreed to pay $475,000 to HHS for failing to report in a timely manner a 2013 breach involving missing paper schedules containing patient information. Presence is "working diligently" on a corrective plan, including additional security training for staff, a spokesman says.

    That figure pales in comparison to the $5.5 million shelled out by Advocate Health Care in August. The Downers Grove-based hospital network agreed to pay HHS the largest settlement ever by a single entity for potential violations of federal patient privacy law related to three separate 2013 breaches that compromised the data of 4 million people. Two of the incidents involved stolen employee laptops, while a third involved a consultant's potentially unauthorized access to patient records. Since then, Advocate has "enhanced (its) data encryption measures," says a spokeswoman, adding that there's been no indication the information was misused.

    Nationwide, IT breaches cost the industry more than $6 billion annually—a number that grows each year, according to the Ponemon Institute, an IT security researcher.

    Hospitals and physicians' practices make enticing targets. For starters, the protections are lax. "Based on our testing, health care applications performed more poorly on just about every (security) measure than applications in any other industry," says Tim Jarrett, a senior director of product marketing at Veracode, a Boston software security firm.

    Then there's the industry's personnel problem. "The U.S. has a huge shortage of highly qualified cybersecurity people across all industries," says Rod Piechowski, a senior director at the Healthcare Information & Management Systems Society, or HIMSS, a Chicago-based nonprofit with more than 50,000 members. "Being late to the game, health care just can't compete."

    Although they're in high demand, IT professionals in health care historically have not had a major say in their employers' procurement process, unlike in other industries, according to Jarrett. Until recently, security wasn't prioritized the way it was in finance or banking, and, as a result, network administrators couldn't effectively lobby manufacturers to increase software security standards, so they often ended up overseeing systems that are tough to keep safe.

    Plus, it's not just computer and billing systems that are vulnerable. Medical devices from insulin pumps to pacemakers store information wirelessly. Several years ago, former Vice President Dick Cheney revealed that, while he was in office, his doctors had disabled his heart implant's wireless connection because of a fear of assassination attempts. More recently, Johnson & Johnson warned customers about a security problem with one of its insulin pumps.

    Some medical devices aren't made to allow any remote management, which prevents IT people from detecting problems and installing updates efficiently. Once tech teams are saddled with subpar systems, they're really stuck—because medical equipment tends to have a much longer life cycle than consumer electronics. Jarrett says he knows of one Midwestern drug company where computers that prepare prescriptions​ for patients use Windows XP, a 16-year-old operating system that stopped being supported in 2014. "That's horrifying," he says.

    Shadow IT systems

    Compounding the issue, some physicians, frustrated by clunky systems and compelled to find quick workarounds in the name of patient care, have created ad hoc "shadow IT" systems that rely on insecure methods like texts or unencrypted personal email, according to Coady.

    As health care systems struggle to secure their data, increasingly sophisticated thieves have more reasons to steal it. Because the records include so much information, thieves can falsify insurance claims and collect checks, get tens or hundreds of thousands of dollars of free care on someone else's insurance (which might affect the real policyholder's coverage limits), and falsify driver's licenses to illegally get prescriptions. "The fraud that can be executed against payers is incredible," Coady says.

    Hackers have also been known to attempt extortion. In late 2014, Clay County Hospital, an 18-bed facility in downstate Flora, received an anonymous message saying that more than 12,000 patient files would be released unless it paid thousands of dollars. Administrators instead contacted the FBI—but other hospitals, including Hollywood Presbyterian Medical Center in Los Angeles, have paid thousands of dollars in similar situations.

    Most Chicago hospital systems are reluctant to discuss their security efforts beyond confirming that they've invested lots of time and money. ("If you go out publicly and say, 'We just made major upgrades and have the best cybersecurity in the world,' you've just made yourself a major target," explains Piechowski, the HIMSS executive.)

    But they acknowledge the pressing issue. "The Cook County Health & Hospitals System has invested considerable financial and human resources into ensuring the highest level of security possible," Donna Hart, the system's chief information officer, says in a statement. "The security of our systems is one of our highest priorities."

    Smith, NorthShore's CIO, says security has been his employer's top priority for years—but acknowledges that the threats continue to proliferate. "They're definitely increasing in volume and in sophistication," he says. "This is not a matter of someone sitting in their garage trying to hack your system."

    Letter
    to the
    Editor

    Send us a letter

    Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.

    Recommended for You
    Healthcare data breaches
    Healthcare data breaches
    By the Numbers: National health information service providers
    By the Numbers: National health information service providers
    Sponsored Content
    Get Newsletters

    Sign up for enewsletters and alerts to receive breaking news and in-depth coverage of healthcare events and trends, as they happen, right to your inbox.

    Subscribe Today
    MH Magazine Cover

    MH magazine offers content that sheds light on healthcare leaders’ complex choices and touch points—from strategy, governance, leadership development and finance to operations, clinical care, and marketing.

    Subscribe
    Connect with Us
    • LinkedIn
    • Twitter
    • Facebook
    • RSS
    • Instagram

    Our Mission

    Modern Healthcare empowers industry leaders to succeed by providing unbiased reporting of the news, insights, analysis and data.

    MDHC_Logotype_white
    Contact Us

    (877) 812-1581

    Email us

     

    Resources
    • Contact Us
    • Advertise with Us
    • Ad Choices Ad Choices
    • Sitemap
    Editorial Dept
    • Submission Guidelines
    • Code of Ethics
    • Awards
    • About Us
    Legal
    • Terms and Conditions
    • Privacy Policy
    • Privacy Request
    Modern Healthcare
    Copyright © 1996-2021. Crain Communications, Inc. All Rights Reserved.
    • News
      • This Week's News
      • COVID-19
      • Providers
      • Insurance
      • Government
      • Finance
      • Technology
      • Safety & Quality
      • People
      • Regional News
        • Midwest
        • Northeast
        • South
        • West
      • Digital Edition
    • Insights
      • ACA 10 Years After
      • Best Practices
      • Special Reports
      • Innovations
    • Transformation
      • Patients
      • Operations
      • Care Delivery
      • Payment
    • Data/Lists
      • Rankings/Lists
      • Interactive Databases
      • Data Points
    • Op-Ed
      • Bold Moves
      • Breaking Bias
      • Commentaries
      • Letters
      • Vital Signs Blog
      • From the Editor
    • Awards
      • Award Programs
        • 100 Most Influential People
        • 50 Most Influential Clinical Executives
        • Best Places to Work in Healthcare
        • Health Care Hall of Fame
        • Healthcare Marketing Impact Awards
        • Top 25 Emerging Leaders
        • Top 25 Innovators
        • Minorities in Healthcare
          • - Luminaries
          • - Top 25 Minority Leaders
          • - Minorities to Watch
        • Women in Healthcare
          • - Luminaries
          • - Top 25 Women Leaders
          • - Women to Watch
      • Nominate
      • Previous Award Programs
        • Excellence in Nursing Awards
        • Design Awards
        • Top 25 COOs in Healthcare
      • Other Award Programs
        • 100 Top Hospitals
        • ACHE Awards
    • Events
      • Conferences
        • Women Leaders in Healthcare Conference
        • Social Determinants of Health Symposium
        • Healthcare Transformation Summit
        • Leadership Symposium
        • Virtual Briefings
          • - Hospital of the Future
          • - Mental Health
          • - Patient Safety & Quality
          • - Strategic Marketing
          • - Virtual Health
          • - Workplace of the Future
      • Galas
        • Best Places to Work Awards Gala
        • Health Care Hall of Fame Gala
        • Top 25 Minority Leaders Gala
        • Top 25 Women Leaders Gala
      • Webinars
      • COVID-19 Event Tracker
    • Listen
      • Podcast - Next Up
      • Podcast - Beyond the Byline
      • Sponsored Podcast - Healthcare Insider
      • Video Series - The Check Up
      • Sponsored Video Series - One on One
    • MORE +
      • Advertise
      • Media Kit
      • Newsletters
      • Jobs
      • People on the Move
      • Reprints & Licensing