Electronic health records ripe for theft

by David Pittman, Politico

patient-data-breaches-smAmerica’s medical records systems are flirting with disaster, say the experts who monitor crime in cyberspace. A hack that exposes the medical and financial records of hundreds of thousands of patients is coming, they say — it’s only a matter of when.

As health data become increasingly digital and the use of electronic health records booms, thieves see patient records in a vulnerable health care system as attractive bait, according to experts interviewed by POLITICO. On the black market, a full identity profile contained in a single record can bring as much as $500.

The issue has yet to capture attention on Capitol Hill, which has been slow to act on cybersecurity legislation.

“What I think it’s going to lead to, if it hasn’t already, is an arms race between the criminal element and the people trying to protect health data,” said Robert Wah, president of the American Medical Association and chief medical officer at the health technology firm CSC. “I think the health data stewards are probably a little behind in the race. The criminal elements are incredibly sophisticated.”

The infamous Target breach occurred last year when hackers stole login information through the retailer’s heating and air system. Although experts aren’t sure what a major health care hack would look like, previous data breaches have resulted in identity and financial theft, and health care fraud.

Health care is the Johnny-come-lately to the digital world, trailing banks and retailers with decades of experience in cybersecurity. Most hospitals and doctors have gone from paper to electronic health records in the space of a few years while gobbling up $24 billion in federal incentive money paid out under the 2009 Health Information Technology for Economic and Clinical Health Act.

“Frankly, health care organizations are struggling to keep up with this,” said information security expert Ernie Hood, of the The Advisory Board Co.

Significant breaches are already occurring. Over the course of three days, hackers using a Chinese IP address infiltrated the St. Joseph Health System in Bryan, Texas, and exposed the information of 405,000 individuals, gaining names, address, Social Security numbers, dates of birth and other information.

It was the third-largest health data breach tracked by the federal government.

The L.A. Gay & Lesbian Center reported late last year that hackers attacked its computer systems over a course of two months trying to steal credit card, Social Security and other financial information. About 59,000 clients and former clients were left vulnerable.

While a stolen credit card or Social Security number fetches $1 or less on the black market, a person’s medical information can yield hundreds of times more, according to the World Privacy Forum. Thieves want to hack the data to gain access to health insurance, prescription drugs or just a person’s financial information

The Identify Theft Resource Center — which has identified 353 breaches in 2014 across industries it tracks, says almost half occurred in the health sector. Criminal attacks on health data have doubled since 2000, according to the Ponemon Institute, an industry leader in data security.

Health care is the industry sector least prepared for a cyberattack, according to security ratings firm BitSight Technologies. The industry had the highest volume of threats and the slowest response time, leading the FBI in April to issue a warning to health care providers.

The industry “is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely,” the FBI stated.

Why health care and why now?

The high value of health information makes it attractive to hackers.

A credit card can be canceled within hours of its theft, but information in a patient’s health record is impossible to undo. The record contains financial records, personal information, medical history, family contacts — enough information to build a full identity.

A patient’s credit card information alone may be easier to hack from an unsuspecting hospital than from a company like Target, Michaels or Neiman Marcus, experts say.

“Criminal elements will go where the money is,” said Wah, who was the first deputy national coordinator in the Office of the National Coordinator for Health IT. “They’re seeking health records not because they’re curious about a celebrity’s blood type or medication lists or health problems. They’re seeking health records because they can do huge financial, fraudulent damage, more so than they can with a credit card number or Social Security number.”

Other health security experts say hospitals’ response to cybersecurity issues has been lackluster, with providers still focused on privacy and confidentiality rather than data terrorists.

Security takes money and expertise to implement and isn’t a glamorous job, since success is measured by something not happening. The health system is still in the process of developing and vetting best practices.

The annual security assessment by the Health Information Management Systems Society showed that about half of surveyed health systems reported spending 3 percent or less of their IT budgets on security. Some 54 percent of the 283 IT security professionals surveyed had tested a data breach response plan, and slightly more than half of hospitals had an IT leader in charge of securing patient data.

Health facilities pay their security staffs less than any other industry, said Stephen Boyer, co-founder of BitSight. “This may be the case of you get what you pay for,” he said.

1 In 10 has had info breached

Nearly 1.84 million people have been victims of medical identity theft, according to a Ponemon report released last year, including 313,000 victims in 2013 — a 19 percent jump from the previous year.

Thieves steal health insurance information to gain medical care for themselves or others. Increasingly, people with fake health ID cards show up for care at emergency departments, or use stolen identities to secure prescription drugs that they resell, according to a white paper from the Medical Identity Fraud Alliance.

An Army reservist who left his insurance card at home while in Iraq had it “borrowed” by his uninsured brother, who used it to pay for thousands of dollars in coverage after a car accident. An elderly man who lost his insurance card discovered it had been stolen after care at an emergency room where he learned that someone else’s allergy to penicillin was on his chart.

The out-of-pocket costs incurred by victims of medical identity theft average more than $18,000, according to the Ponemon report. HIMSS security survey showed that 12 percent of health care organizations have had at least one case of medical identity theft reported by a patient. Many thefts go unreported and even undiscovered.

Since the Department of Health and Human Services began tracking the numbers in 2009, more than 31.6 million individuals — roughly 1 in 10 people in the U.S. — have had their medical records exposed through some sort of hack, theft or unauthorized disclosure. These may not represent the most serious attacks, according to experts at EY, formerly Ernst & Young.

“Threats are far more sophisticated than the breach reporting, which is kind of a trailing indicator,” said Reza Chapman, senior manager of EY’s Health Care Advisory practice. “Some organizations have a little more of a sophisticated threat problem that they may not frankly be aware of.”

It’s difficult to know how stolen information is being used. “Nobody really ever knows unless you reach out to those individuals to see if they were affected,” said Dennis Seymour of Ellumen, which specializes in health care IT.

How the Hill is responding

On Capitol Hill, health industry cybersecurity gets lumped in with the retail, financial and other sectors, says House Intelligence Committee Chairman Mike Rogers (R-Mich.), and the difference between security and privacy becomes obscured.

“Hospitals are not spending a lot of time trying to make that information secure,” Rogers said in an interview. “They’re trying to make sure there isn’t a disclosure, which is absolutely appropriate, but that’s not the same thing that someone on the outside, a hacker, can get in there and steal that information and use it for nefarious purposes.”

Hospitals must proactively set standards for cybersecurity, rather than simply following government privacy rules, which were written in a different time, says Kathy Downing of the American Health Information Management Association.

For more than three years, Rogers has been championing the Cyber Intelligence Sharing and Protection Act, which would encourage the government and industry to share cybersecurity information and best practices. The House has twice passed it, but the issue has been slow to gain traction in the Senate.

Last month, the Senate Homeland Security and Governmental Affairs Committee approved some companion legislation.

HHS, meanwhile, is stepping up with more aggressive enforcement of security breaches. Its Office of Civil Rights, which investigates privacy violations, has levied $10 million in fines in the past year. In May, it fined New York Presbyterian Hospital and Columbia University Medical Center a combined $4.8 million for disclosing the personal health information of 6,800 individuals, including patient status, vital signs, medications and laboratory results.

There has yet to be a massive breach of health information that has captured the public’s attention like last year’s involving retail industry Target. But the AMA’s Wah thinks it’s just a matter of time.

“I believe that we’re not talking about if there’s going to be a big data breach in health care, it’s going to be how many and when,” Wah said. “Because there already are a tremendous number of data breaches that are occurring in health care today.”