Once More unto the Breach: Addressing the Continual Leaks in PHI

March 4, 2020

The month of February was not kind to the patient privacy movement.  While laws, such as HIPAA, were written to promote the security of protected health information (PHI), the advent and proliferation of electronic communication and data storage have all too often undercut the government’s aim to keep patient information private.  There were a number of breaches of health records this past month at hospitals, pharmacies and other healthcare organizations across the country, which caused a great deal of consternation in multiple municipalities.

Assessing the Attacks

Becker’s Hospital Review recently cataloged nearly two dozen such incidents.  All told, these breaches affected hundreds of thousands of patients just in the month of February.  We have reproduced 10 of these incidents, below, as examples of the kind of breaches that continue to occur and that unduly compromise patient privacy rights.

  1. A home healthcare company in Lake Success, New York that provides services across the state has notified more than 157,000 patients that their information may have been exposed in a ransomware attack against a third-party vendor.
  2. A hospital in Bellevue, Washington began alerting 109,000 patients on Feb. 7 that their information may have been exposed in a phishing attack.
  3. A Nashville-based orthopedic entity began alerting 81,146 patients on Feb. 14 that their information may have been exposed in a phishing scheme.
  4. A health system in Decatur, Texas recently began notifying 66,934 patients that their protected health information may have been exposed in a phishing attack.
  5. A Houston-based orthopedic group warned 30,049 patients that their medical records may have been damaged in a malware attack.
  6. Similarly, an orthopedic group in Great Bend, Kansas began notifying 17,214 patients that their information may have been exposed in a ransomware attack.
  7. A hospital system based in Springfield, Illinois notified 16,167 patients that their information may have been exposed in a phishing attack.
  8. An Albia, Iowa-based hospital and associated clinics began notifying around 7,500 patients on Feb. 17 that their information may have been exposed in a phishing attack.
  9. A Fort Worth, Texas health entity began notifying 6,524 patients that their information may have been exposed in a phishing attack.
  10. A children’s hospital in San Diego began alerting 2,360 radiology patients on Feb. 21 that their information may have been accessed by unauthorized personnel.

The sad part of all this is that we have grown accustomed to these announcements.  It’s as if these incidents have become expected, accepted and seen as the cost of doing business.  According to a Comparitech report, there have been 172 individual ransomware attacks on healthcare organizations affecting 1,446 hospitals, clinics and other organizations since 2016. The report also noted 6.6 million patients have been affected by these attacks, and hackers have demanded $16.48 million in “ransoms” over the past four years.  Cyberattacks in the form of ransomware, malware, phishing emails and other nefarious hacks can result in patient record exposure, locked patient information, EHR downtime and delay in patient care.

Shoring Up the Defenses

Despite the near commonplace occurrence of these breaches, the healthcare community must never see them as de rigueur.  They must never be accepted, must always be thwarted, and it will be up to both CEOs and CIOs to lead the charge against them.  What, though, can these facility officers do to better safeguard patient data?  Here are a few ideas being implemented by hospitals and health systems across the country:

  1. Education on Steroids.  So many of the breaches listed above were due to deliberate attacks by individuals looking for a weakness in the health entity’s email system.  Hospitals have found that, despite years of warning their employees about the typical tactics of the hacker, invariably someone is going to click on a link or provide requested credentials that opens the floodgates of PHI to the bad guy.  So, it comes down to the individual.  All it takes is one employee, receiving hundreds of emails and texts a day, who is in a rush, who gets careless, and the entire system is compromised.

    To have any hope of stopping that person’s mouse from clicking on that link, healthcare facilities must do a better job of inserting a bevy of red flags and a battery of loud alarms within the mind of that user.  In other words, your training against these attacks must become much more aggressive and much more pronounced.  Instead of a once- or twice-a-year training session, education concerning hacking attacks should be continual and loud.  There should be an in-your-face approach to this threat so that the over-worked employee WILL think twice before giving in to the hacker’s enticements.  This is what motivated one Florida-based entity—Memorial Healthcare System—to create an entire video campaign series on cybersecurity topics, such as phishing and “what is PHI?”

  2. Simulated Attacks.  From a military perspective, one of the keys to victory—before the conflict ever begins—is to engage your forces in a series of war games.  Ohio State University Wexner Medical Center in Columbus has done just that when it comes to the battle for information security.  Before facing the attacks of a potential hacker, OSUWMC’s CIO began the process of simulating such attacks on the medical center’s various electronic platforms.  This allowed the facility to determine which systems were most vulnerable, which hacking tactics were most effective, and which training and security countermeasures needed beefing up.
  3. Invest in Security.  Most hospitals and health systems are already invested in securing their data and patient information, but the hacker never sleeps.  He (or she) is always looking for new ways to get at you, to fool the system, and to gain access.  Since the hacker’s tactics are constantly evolving, your defenses must evolve, as well.  That means continual upgrades in systems, paying more for IT resources and solutions, and devoting more time (and, yes, time is money) in cybersecurity planning and training.
  4. Think Outside the Box.  Not every solution against the hacker’s ploys is going to be provided by the traditional or “Geek Squad” methodology.  Innovation and out-of-the-box thinking are key to winning the war.  Hospital CIOs should therefore be looking at new approaches being used by other health entities—evaluating their cost and effectiveness.

    As an example of searching for new ways of combating cyberattacks, the Accreditation Council for Graduate Medical Education (ACGME) has announced that it will be moving away this year from passwords and biometric-based technology to “more secure and convenient access,” coupled with using conditional access tools to apply the right security controls to the right users and devices.  It is uncertain at this point how access can be both more secure and more convenient, but it may be worth the time of your hospital’s CIO to investigate what the ACGME is doing and determine if that’s a good fit for your facility.  The message here is, find out what’s working—including new approaches developed by others—and integrate where practicable.
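To make the “right controls for the right users and devices” idea concrete, here is an added, illustrative conditional-access policy evaluator written in Python. It is not the ACGME’s tooling or any vendor’s product; the roles, device-posture attributes, policy rules and sample requests are all assumptions constructed for this example. The point it demonstrates is that a conditional-access decision is not a single yes/no on a password, but a function of who is asking, from what kind of device, over what network, and for what data (PHI or not).

```python
"""Toy conditional-access policy evaluator.

Added example, not code from the article or from any organization it names.
Roles, posture attributes and rules below are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"              # grant the session as requested
    REQUIRE_MFA = "require_mfa"  # grant only after a strong second factor
    BLOCK = "block"              # deny and log; device/user does not qualify


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str                   # assumed roles: clinician, billing, contractor
    device_managed: bool        # enrolled in the organization's device management
    device_compliant: bool      # passes posture checks (disk encryption, patch level)
    mfa_satisfied: bool         # strong second factor already presented this session
    on_corporate_network: bool  # request originates from a trusted network segment
    resource_contains_phi: bool  # target system holds protected health information


def evaluate(req: AccessRequest) -> tuple[Decision, str]:
    """Apply the constructed policy rules in priority order and return
    the decision plus a human-readable reason suitable for an audit log."""
    # Rule 1: PHI is never served to an unmanaged or non-compliant device,
    # no matter how strongly the user has authenticated.
    if req.resource_contains_phi and not (req.device_managed and req.device_compliant):
        return Decision.BLOCK, "PHI requested from unmanaged or non-compliant device"

    # Rule 2: contractors get the tightest treatment: managed device plus MFA,
    # even for non-PHI resources.
    if req.role == "contractor":
        if not req.device_managed:
            return Decision.BLOCK, "contractor on unmanaged device"
        if not req.mfa_satisfied:
            return Decision.REQUIRE_MFA, "contractor session without MFA"

    # Rule 3: anything off the corporate network needs a second factor.
    if not req.on_corporate_network and not req.mfa_satisfied:
        return Decision.REQUIRE_MFA, "off-network access without MFA"

    # Rule 4: PHI always needs a second factor, even on the corporate network,
    # because a phished password alone must not be enough.
    if req.resource_contains_phi and not req.mfa_satisfied:
        return Decision.REQUIRE_MFA, "PHI access without MFA"

    return Decision.ALLOW, "policy satisfied"


# Constructed sample requests (not real users, devices or systems).
SAMPLE_REQUESTS = {
    "clinician_ehr_ok": AccessRequest("dr.a", "clinician", True, True, True, True, True),
    "clinician_ehr_no_mfa": AccessRequest("dr.b", "clinician", True, True, False, True, True),
    "billing_byod_phi": AccessRequest("c.pay", "billing", False, False, True, False, True),
    "contractor_portal_no_mfa": AccessRequest("v.x", "contractor", True, True, False, False, False),
    "billing_intranet": AccessRequest("c.pay", "billing", True, True, False, True, False),
}


def evaluate_samples() -> dict[str, Decision]:
    """Run every constructed request through the policy and return the decisions."""
    return {name: evaluate(req)[0] for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        decision, reason = evaluate(req)
        # One line per decision, in the shape an access-decision log would record.
        print(f"{name:28s} user={req.user:6s} role={req.role:10s} -> {decision.value:12s} ({reason})")
```

The ordering of the rules is the design choice worth noticing: device posture is checked before anything about the user, so a compromised password cannot be traded for PHI from a personal laptop, and the contractor rule sits above the general network rule so that the stricter population is never accidentally handled by the looser branch. The returned reason string is what an incident responder would want in the log when reviewing why a session was blocked or challenged.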

It was attacking the gaps in the French defenses that Henry V had in mind when Shakespeare had him utter the now famous phrase, “Once more unto the breach, dear friends!”  When it comes to the modern electronic battlefield, we know that the attacks are coming.  The question is, will your organization have the wherewithal to shore up the potential weaknesses in your information and communication systems so that any potential breach will be prevented?  We at MiraMed Global Services have years of experience in repelling cyberattacks and can serve as an added resource in your fight against the dark schemes of the hacker.  Contact us at info@miramedgs.com.