California’s health care industry is a data-security laggard, failing to sufficiently protect sensitive information stored on lost or stolen laptops, smartphones and flash drives, according to state Attorney General Kamala Harris.
Meantime, health care faces mounting hacker attacks that put millions of Californians’ personal records at risk, including medical information, as detailed in a report from Harris’ office.
It’s not just personal records. Hackers have begun threatening the basic day-to-day functioning of hospitals and other health care facilities, made vivid by the Feb. 5 ransomware attack on Hollywood Presbyterian Medical Center in Los Angeles.
In that attack, hackers encrypted critical files on the center’s computer system and demanded $17,000 in ransom for the digital key to make them readable again.
In a controversial move, the hospital sent the unidentified hackers the money in a digital currency known as Bitcoin — tough, if not impossible, to trace. Critics said paying the ransom would only invite more attacks, but hospital executives, who noted employees had turned to pen and paper for record keeping, insisted they needed to get the center running again.
“Now that organizations rely increasingly on the collection and use of personal information and criminals take advantage of security weaknesses to obtain and profit from that same information, it is more important than ever that all of us redouble our efforts to ensure that this data does not end up in the wrong hands,” Harris wrote the report, which covers reported data breaches across all industries in California from 2012 to 2015.
Over those years, the number of Californians whose personal records were breached through loss or theft grew from 2.6 million in 2012 to 24 million in 2015, whether at hospitals, insurers, retailers, financial institutions or other places where sensitive data is stores. Health care and insurers played a big role, though: That 24 million includes 10.4 million breached in a hack attack on health insurer Anthem, and 4.5 million in another attack on UCLA Health.
The health sector has improved its use of strong encryption on hardware devices, the report notes, and while those kind of breaches have declined, health care still is “lagging behind other sectors” in securing devices.
But cyberattacks on large databases are growing in all industry sectors, with far more personal records available than might be found on a smartphone.
Cybersecurity challenges in health care aren’t just confined to California — hospitals, insurers, doctors’ offices, pharmacies, and medical device manufacturers all face the possibility of data breaches. A security firm recently reported that its team was able to hack into patient monitors and medicine-delivery systems at hospitals in the Baltimore and Washington, D.C. region.
Health organizations face a unique challenge when it comes to shoring up their cybersecurity, said Dan McWhorter, vice president and chief intelligence strategist at Fire Eye, a cybersecurity firm based in Milpitas.
Health care providers and insurers keep on hand massive amounts of highly sensitive personal medical data as well as financial data. Breaching that data can result in serious violations of privacy, economic harm and even physical harm to patients, if treatment technology is compromised. These organizations need to protect that confidential information while simultaneously sharing it with other providers to coordinate patient care and payment, McWhorter said.
Health care mergers that involve combining data among large companies have made data protection even more complicated, he said.
Moreover, hospitals have many visitors, in contrast to other companies that can limit access only to employees. And they work with many “trusted third parties” such as insurers and medical device manufacturers, with online connections to their data, McWhorter said.
McWhorter said he was able to compromise the website of an infusion pump manufacturer, giving him potential access to 15 different medical organizations.
“There are industries that are more heavily targeted (by cybercriminals) than health care, but the impact (on people) is much, much greater,” McWhorter said. “What’s happening is that cyber-attacks are becoming a better way to do malicious things without risk, rather than running into a shopping center and shooting people.”