Hospitals have ‘holy grail of personal data,’ yet their spending lags on digital security

The shortfall is all the more glaring considering the sensitivity of the data, some experts say.

  • By Lisa Schencker Chicago Tribune (TNS)
  • Monday, March 11, 2019 3:00pm
  • Business

CHICAGO — When most people go to the hospital, data security is the last thing on their minds. They’re in pain, anxious and unsure. They want to be treated and return to their lives.

Yet sometimes patients still have cause to worry months after they leave the hospital. They’re discovering that data they gave to health systems — Social Security numbers, birth dates, health insurance information, medical information and credit card numbers — have been compromised in breaches.

In the past two years, 27 Illinois health care providers and companies have reported data breaches involving at least 500 patients. That includes a recent incident at Rush that may have exposed the information of 45,000 patients.

Yet health care providers, in general, tend to spend less on data security than companies in other industries. The shortfall is all the more glaring considering the sensitivity of the data, some experts say.

Health care providers spent about 5 percent of their total information technology budgets on security last year, according to Gartner, a global research and advisory company. By comparison, banking and financial services companies spent 7.3 percent, retail and wholesale spent 6.1 percent and insurance spent 5.7 percent. Across 13 industries measured, the average was 6 percent.

“They probably haven’t been taking this seriously enough until recently,” said Patrick Florer, co-founder of Risk Centric Security, which researches cybersecurity and cyberinsurance.

To be sure, data breaches are an issue across industries. A breach at Target in 2013 affected more than 41 million payment card accounts. Marriott revealed last year that hackers accessed hundreds of millions of guest records. And in 2017, a hack of Equifax affected more than 145 million people.

But security experts warn that breaches involving health systems can be particularly pernicious, considering how much information hospitals keep. Unlike retailers, financial institutions and hotels, hospitals also have medical records and health insurance information.

“They have just the holy grail of personal data in their systems,” said Mark Greisiger, president of NetDiligence, a cyber risk management services company.

And that personal data is shared frequently, zipping between hospitals, health insurance companies, doctors, billers and vendors, Greisiger said.

About 82 percent of hospital information security leaders surveyed reported having a “significant security incident” in the last 12 months, according to the 2019 Healthcare Information and Management Systems Society Cybersecurity Survey.

Rush became one of the latest victims last year. The system disclosed late last month that as many as 45,000 patients may have had their names, addresses, birthdays, Social Security numbers and health insurance exposed. The incident most likely occurred in May 2018 when an employee of one of the hospital system’s billing processing vendors improperly disclosed a file to “an unauthorized party,” Rush said.

Rush spokeswoman Deb Song declined to comment for this article, but said earlier this week that the system was taking the matter “very seriously” and had suspended its contract with the vendor.

Like Rush, about 20 percent of hospitals that had significant security incidents last year traced the problems to vendors, consultants or other parties, according to the 2019 cybersecurity survey. More than half of the overall security incidents at hospitals were done maliciously, such as by hackers or scam artists.

In recent years, a number of other local hospital systems, including Sinai Health System, Cook County Health and Silver Cross Hospital, also have had breaches.

The incidents have come as hospitals continue to face competing demands for their resources. Given a choice between spending on data security or patient care, some health systems would rather spend the money on patient care, said Sean Curran, senior director of cybersecurity at West Monroe Partners, a management consulting firm.

In addition, many hospitals are strapped for cash, facing unpaid medical bills from patients, government reimbursements that don’t cover the full costs of care and growing expenses for drugs and technology. More than 36 percent of Illinois hospitals are operating in the red, according to the Illinois Health and Hospital Association.

“There are so many other things health care systems need and people are begging for and yelling for,” said Doug Brown, president of Black Book Research, which conducts market research. “They’re not really putting the attention on cybersecurity because it’s really a boring issue.”

Health care may, however, be starting to put more cash toward the matter. More than 38 percent of health care organizations had increased cybersecurity spending over the previous year, according to the survey.

One local hospital system, Advocate Aurora Health, for example, has been increasing the amount of money it puts toward cybersecurity, said Bobbie Byrne, chief information officer, though an Advocate spokeswoman declined to give specific figures. Advocate has 12 hospitals in Illinois.

Some systems, like Advocate and Amita Health, which has 19 hospitals in Illinois, also have executives dedicated solely to data security.

Nidhi Luthra said she focuses on the issue “24/7” as Amita’s chief information security officer and she works with a department dedicated to it as well.

Still, she said, she doesn’t believe it’s an issue hospitals can address just by doling out more cash. Money can’t necessarily solve certain issues, such as medical devices with outdated operating systems that can be entry points for hackers and ransomware — software that blocks access to computer systems until a ransom is paid.

Building awareness among doctors and patients about how to keep data safe is also important, she said.

“I could have an unlimited budget for cybersecurity, but if a patient or physician chooses to practice bad security hygiene, at the end of the day, the weakest link in my entire equation is the people,” Luthra said.

Phishing, for example, is a huge source of security issues for hospitals. Phishing is when scammers send fraudulent emails to people to try to trick them into revealing personal or company information or downloading malware.

“You have to create a culture of security awareness,” said Rod Piechowski, senior director of health information systems at HIMSS. “The percentage you spend on security doesn’t necessarily correlate to better security. It’s how you allocate that money and what you see as your priorities.”

Though hospitals still have work to do when it comes to protecting data, they’re getting smarter about it, experts say.

Unfortunately, so are hackers.

“As long as there’s value in attempting to break into a system or somehow compromise an organization for profit, you will continue to see these kinds of attacks,” Piechowski said.
