Research shows the healthcare industry leads others in the U.S. in cybersecurity intrusions, with a ransomware attack on three Alabama hospitals on Tuesday as the latest example. Photo by Christopher Schirner/Flickr
Oct. 2 (UPI) -- A crippling ransomware attack on multiple Alabama hospitals emphasizes a growing concern about healthcare computer system vulnerabilities that threaten privacy, as well as the general availability of services.
Researchers reported last week in the Annals of American Medicine that more than 70 percent of hospital data breaches include sensitive demographic or financial information that could leave patients vulnerable to identity theft.
Healthcare-related cybersecurity breaches accounted for over a quarter of the more than 750 data breaches reported nationwide in 2018, and healthcare led all industries in breaches last year, according to a report from global law firm BakerHostetler.
"The major story we heard from victims was how compromised, sensitive information caused financial or reputation loss," John Jiang, a researcher at Michigan State University and lead author of the study, said of the new Annals study in a news release.
"A criminal might file a fraudulent tax return or apply for a credit card using the social security number and birth dates leaked from a hospital data breach," he said.
Preventing delivery of services
In the Alabama hospital group, authorities said the hackers locked up computer networks at three hospitals in the state's DCH Health System -- DCH Regional Medical Center in Tuscaloosa, Northport Medical Center and Fayette Medical Center -- forcing ambulances to be rerouted as hospital administrators grappled with the problem.
Hospital staff were also unable to access medical records or admit new patients, which is why ambulances were being rerouted, though officials said they activated emergency procedures and were able to continue caring for patients.
In the case of ransomware attacks, such as the kind afflicting Alabama's DCH, hackers implant malicious computer code that takes control of the system, agreeing to free the data only when a ransom is paid.
But the DCH attack is merely the latest in a troubling string of hospital data breaches plaguing the healthcare field in recent years.
Healthcare breaches are widespread
The new study in Annals, authored by researchers at both Michigan State and Johns Hopkins, analyzed nearly 1,500 health information breaches over the past decade, showing that each breach included at least one piece of demographic information, such as names, email addresses, or other personal identifiers. Two percent of the breaches included sensitive medical info, compromising the private health information of 2.4 million patients.
"Hospitals are a prime target for threat actors as patients' protected health information can easily be sold on the dark web and used to commit fraud, access medical care in the victims' name, and used in highly targeted phishing attacks," Ben Goodman, a senior vice president at the San Francisco-based identity and access management firm ForgeRock Inc., told Silicon Angle earlier this year.
"[Patient Health Information] also has a much longer shelf life compared to other types of data, like credit cards which can be easily canceled and rendered useless," he added.
Industry already distrusted by consumers
The new study in Annals is further bad news for the reputation of the healthcare industry, coming in the wake of a recently published survey from the Harvard T.H. Chan School of Public Health, which showed that Americans have a distinct distrust of healthcare institutions when it comes to keeping personal data safe.
Fewer than 20 percent of respondents said they had a great deal of trust in health insurers to secure their personal data, while fewer than 25 percent showed a great deal of trust in hospitals to do the same. And just over a third showed a great deal of trust in their doctor's offices.
The Annals study shows that, of the 1,461 health data breaches occurring between October 2009 and July 2019, a total of 944 breaches -- or 65 percent -- resulted in compromises to patient medical records. Of those, 22 cases involved sensitive information regarding HIV, STDs, mental health or cancer.
"Without understanding what the enemy wants, we cannot win the battle," said Ge Bai, an associate professor of accounting at Johns Hopkins Carey Business School and Bloomberg School of Public Health and study co-author.
"By knowing the specific information hackers are after, we can ramp up efforts to protect patient information," he said.
In 2018 alone, a combined total of nearly 300 breaches exposed the records of 11.5 million patients, and a single cybersecurity breach in 2019 compromised the personal data of nearly 20 million patients through laboratory service providers Quest Diagnostics and LabCorp.
The BakerHostetler report named phishing attacks as the leading cause of data breaches in 2018, accounting for 37 percent across all industries. Network intrusions were in second place at 30 percent, with unpatched servers and remote desktop connections providing points of vulnerability.
Among healthcare organizations, an average of 36 days elapsed between the time of the initial access and the time of detection. Another ten days was the average time required to contain a breach.
The Department of Health and Human Services currently requires medical providers to report any data breaches affecting 500 or more people, with hefty fines imposed in the case of HIPAA privacy violations.
In June of 2018, a federal judge upheld a $4.3 million fine against the University of Texas MD Anderson Cancer Clinic resulting from data breaches that compromised the health data of more than 33,000 people. In October, health insurer Anthem agreed to pay penalties of $16 million relating to a series of targeted cyberattacks that exposed the private health info of 79 million members -- the largest HIPAA fine ever levied.
Improving healthcare without sacrificing security
Though data security is clearly a problem across many sections of the healthcare landscape, the Trump administration continues to push for unfettered information sharing between healthcare entities.
"For far too long, electronic health information has been stuck in silos and inaccessible for healthcare consumers," CMS Administrator Seema Verma said in February. "Our proposals help break down existing barriers to important data exchange needed to empower patients by giving them access to their health data."
"We ask that members of the healthcare system join forces to provide patients with safe secure access to, and control over, their healthcare data," Verma said.
The Annals report emphasized concerns over striking a proper balance between data sharing and patient privacy.
"Considering the fundamental tradeoff between data access and data security, it is critical to limit the risk for protected health information breaches," they wrote.