By Lisa Schencker / Chicago Tribune
CHICAGO — When most people go to the hospital, data security is the last thing on their minds. They’re in pain, anxious and unsure. They want to be treated and return to their lives.
Yet sometimes patients still have cause to worry months after they leave the hospital. They’re discovering that data they gave to health systems — Social Security numbers, birth dates, health insurance information, medical information and credit card numbers — have been compromised in breaches.
In the past two years, 27 Illinois health care providers and companies have reported data breaches involving at least 500 patients. That includes a recent incident at Rush that may have exposed the information of 45,000 patients.
Yet health care providers, in general, tend to spend less on data security than companies in other industries. The shortfall is all the more glaring considering the sensitivity of the data, some experts say.
Health care providers spent about 5 percent of their total information technology budgets on security last year, according to Gartner, a global research and advisory company. By comparison, banking and financial services companies spent 7.3 percent, retail and wholesale spent 6.1 percent and insurance spent 5.7 percent. Across 13 industries measured, the average was 6 percent.
“They probably haven’t been taking this seriously enough until recently,” said Patrick Florer, co-founder of Risk Centric Security, which researches cybersecurity and cyberinsurance.
To be sure, data breaches are an issue across industries. A breach at Target in 2013 affected more than 41 million payment card accounts. Marriott revealed last year that hackers accessed hundreds of millions of guest records. And in 2017, a hack of Equifax affected more than 145 million people.
But security experts warn that breaches involving health systems can be particularly pernicious, considering how much information hospitals keep. Unlike retailers, financial institutions and hotels, hospitals also have medical records and health insurance information.
“They have just the holy grail of personal data in their systems,” said Mark Greisiger, president of NetDiligence, a cyber risk management services company.
And that personal data is shared frequently, zipping between hospitals, health insurance companies, doctors, billers and vendors, Greisiger said.
About 82 percent of hospital information security leaders surveyed reported having a “significant security incident” in the last 12 months, according to the 2019 Healthcare Information and Management Systems Society Cybersecurity Survey.
Rush became one of the latest victims last year. The system disclosed late last month that as many as 45,000 patients may have had their names, addresses, birthdays, Social Security numbers and health insurance information exposed. The incident most likely occurred in May 2018, when an employee of one of the hospital system’s billing processing vendors improperly disclosed a file to “an unauthorized party,” Rush said.
Rush spokeswoman Deb Song declined to comment for this article, but said earlier this week that the system was taking the matter “very seriously” and had suspended its contract with the vendor.
Like Rush, about 20 percent of hospitals that had significant security incidents last year traced the problems to vendors, consultants or other third parties, according to the 2019 cybersecurity survey. More than half of the overall security incidents at hospitals were malicious, carried out by hackers or scam artists.
In recent years, a number of other local hospital systems, including Sinai Health System, Cook County Health and Silver Cross Hospital, have also had breaches.
The incidents have come as hospitals continue to face competing demands for their resources. Given a choice between spending on data security or patient care, some health systems would rather spend the money on patient care, said Sean Curran, senior director of cybersecurity at West Monroe Partners, a management consulting firm.
In addition, many hospitals are strapped for cash, facing unpaid medical bills from patients, government reimbursements that don’t cover the full costs of care and growing expenses for drugs and technology. More than 36 percent of Illinois hospitals are operating in the red, according to the Illinois Health and Hospital Association.
“There are so many other things health care systems need and people are begging for and yelling for,” said Doug Brown, president of Black Book Research, which conducts market research. “They’re not really putting the attention on cybersecurity because it’s really a boring issue.”
Health care may, however, be starting to put more cash toward the matter. More than 38 percent of health care organizations had increased cybersecurity spending over the previous year, according to the survey.
One local hospital system, Advocate Aurora Health, for example, has been increasing the amount of money it puts toward cybersecurity, said Bobbie Byrne, chief information officer, though an Advocate spokeswoman declined to give specific figures. Advocate has 12 hospitals in Illinois.
Some systems, like Advocate and Amita Health, which has 19 hospitals in Illinois, also have executives dedicated solely to data security.
Nidhi Luthra said she focuses on the issue “24/7” as Amita’s chief information security officer, and she works with a department dedicated to it as well.
Still, she said, she doesn’t believe it’s an issue hospitals can address just by doling out more cash. Money can’t necessarily solve certain issues, such as medical devices with outdated operating systems that can be entry points for hackers and ransomware — software that blocks access to computer systems until a ransom is paid.
Building awareness among doctors and patients about how to keep data safe is also important, she said.
“I could have an unlimited budget for cybersecurity, but if a patient or physician chooses to practice bad security hygiene, at the end of the day, the weakest link in my entire equation is the people,” Luthra said.
Phishing, for example, is a huge source of security issues for hospitals. Phishing is when scammers send fraudulent emails to people to try to trick them into revealing personal or company information, or into downloading malware.
“You have to create a culture of security awareness,” said Rod Piechowski, senior director of health information systems at HIMSS. “The percentage you spend on security doesn’t necessarily correlate to better security. It’s how you allocate that money and what you see as your priorities.”
Though hospitals still have work to do when it comes to protecting data, they’re getting smarter about it, experts say.
Unfortunately, so are hackers.
“As long as there’s value in attempting to break into a system or somehow compromise an organization for profit, you will continue to see these kinds of attacks,” Piechowski said.