If you've ever had your credit card or bank account hacked, consider this grim new statistic: By 2024, everyone in the U.S. will have had their health care data compromised if online theft keeps accelerating at the current pace.
As health records have gone digital in the past seven years, they've become far more vulnerable to poaching—and far more valuable to thieves, who can sell a complete medical record for more than $1,000 on the darknet. That's because the records contain not just your insurance info—which can be used for fraudulent billing and prescriptions—but also Social Security, driver's license and credit card numbers. As a result, the health care industry is scrambling to play catch-up to secure patient and hospital data.
Health care has lagged far behind banking, financial services and retail when it comes to implementing security protocols. Until Obamacare mandated electronic records, many medical providers still operated with paper, faxes and handwritten charts. Once electronic systems were finally implemented, the industry struggled to attract top IT talent to protect them.
The access issues are industry-specific. "Security in health care has some unique challenges because we have to share data in order to save lives while also protecting patient information," says Steven Smith, chief information officer at Evanston-based NorthShore University HealthSystem. "If you think of a bank, your financial information is locked up and not shared. But we need to share our data with our doctors, nurses and outside payers, as well as with the patients themselves."
IT security experts say it's tough to overstate the enormity and frequency of the threats, which have skyrocketed in the past decade as everything has become exponentially more networked. "Let's put it this way: I'm currently on-site with a client, dealing with a breach," says Mick Coady, a partner in PwC's Health Information Privacy & Security practice in Austin, Texas, who works with major health care clients across the country.
So far in 2017, 79 security breaches, each affecting at least 500 patients, have been reported to the U.S. Health & Human Services Department. That's more than five incidents a week. Only one, involving Walgreens Boots Alliance and 4,500 records, took place in Illinois. Still, the state has experienced nearly 100 incidents since 2010, according to the HHS breach portal, known as the "Wall of Shame" to security professionals.
Major hospital systems here are beginning to pay the price as HHS levies fines on providers who have lost sensitive patient data. In January, Chicago's Presence Health agreed to pay $475,000 to HHS for failing to report in a timely manner a 2013 breach involving missing paper schedules containing patient information. Presence is "working diligently" on a corrective plan, including additional security training for staff, a spokesman says.
That figure pales in comparison to the $5.5 million shelled out by Advocate Health Care in August. The Downers Grove-based hospital network agreed to pay HHS the largest settlement ever by a single entity for potential violations of federal patient privacy law related to three separate 2013 breaches that compromised the data of 4 million people. Two of the incidents involved stolen employee laptops, while a third involved a consultant's potentially unauthorized access to patient records. Since then, Advocate has "enhanced (its) data encryption measures," says a spokeswoman, adding that there's been no indication the information was misused.
Nationwide, IT breaches cost the industry more than $6 billion annually—a number that grows each year, according to the Ponemon Institute, an IT security researcher.
Hospitals and physicians' practices make enticing targets. For starters, the protections are lax. "Based on our testing, health care applications performed more poorly on just about every (security) measure than applications in any other industry," says Tim Jarrett, a senior director of product marketing at Veracode, a Boston software security firm.
Then there's the industry's personnel problem. "The U.S. has a huge shortage of highly qualified cybersecurity people across all industries," says Rod Piechowski, a senior director at the Healthcare Information & Management Systems Society, or HIMSS, a Chicago-based nonprofit with more than 50,000 members. "Being late to the game, health care just can't compete."
Although they're in high demand, IT professionals in health care historically have not had a major say in their employers' procurement process, unlike in other industries, according to Jarrett. Until recently, security wasn't prioritized the way it was in finance or banking, and, as a result, network administrators couldn't effectively lobby manufacturers to increase software security standards, so they often ended up overseeing systems that are tough to keep safe.
Plus, it's not just computer and billing systems that are vulnerable. Medical devices from insulin pumps to pacemakers store information wirelessly. Several years ago, former Vice President Dick Cheney revealed that, while he was in office, his doctors had disabled his heart implant's wireless connection because of a fear of assassination attempts. More recently, Johnson & Johnson warned customers about a security problem with one of its insulin pumps.
Some medical devices aren't made to allow any remote management, which prevents IT people from detecting problems and installing updates efficiently. Once tech teams are saddled with subpar systems, they're really stuck—because medical equipment tends to have a much longer life cycle than consumer electronics. Jarrett says he knows of one Midwestern drug company where computers that prepare prescriptions for patients use Windows XP, a 16-year-old operating system that stopped being supported in 2014. "That's horrifying," he says.