Cyber thieves are increasingly seeking to steal patient data from health care providers.
An annual benchmark study by the Traverse City-based Ponemon Institute found that cyberattacks against health care providers grew 5 percent in the last year and now account for half of all data breaches in the industry.
Cyberattacks surpassed accidental incidents such as misplaced laptop computers or employee errors as the leading cause of data breaches in health care. They now cost the U.S. health care industry $6.2 billion annually, according to the yearly analysis by the Ponemon Institute and Portland, Ore.-based ID Experts Corp.
This year’s findings in the survey “are consistent with what I hear in the industry,” said Doug Dietzman, executive director of Grand Rapids-based Great Lakes Health Connect.
“It’s pretty clear outside forces are targeting health care more and more. There have been more intentional attacks,” Dietzman said. “The sophistication of the attackers and methods they are using is ever changing and constantly adapting to the protective measures that are put in place by health care organizations. It really is a daily chess match to stay aware of how the risk continues to morph and remain in front of those trying to penetrate our systems.
“Everybody’s gone on high alert.”
Great Lakes Health Connect links 18,000 care providers across Michigan, including 129 hospitals and 4,000 medical practices.
Health care has come under greater attack by cyber thieves because of the rich information they can gain from accessing patients’ electronic health records. That includes personal financial information used to pay copays and deductibles, demographic data, and health insurance billing information used to pay medical bills.
Attackers can use personal data for identity theft or to personalize email attacks to individuals, Dietzman said.
“They can make those attacks very personal and something that looks very, very real,” Dietzman said.
Unlike the theft of a person’s credit card information, “you cannot turn off your health history” in case of a data breach, he said.
For example, insurance billing data can allow cyber thieves to get prescriptions, presumably written illegally, for drugs such as opiates that they can sell on the black market, said Rick Kam, president and CEO of ID Experts.
The 2016 Ponemon Institute study found that 89 percent of organizations experienced a data breach in the past two years, and 79 percent had multiple attacks. More than one-third had two to five data breaches and 45 percent had more than five.
“In the last six years of conducting this study, it’s clear that efforts to safeguard patient data are not improving. More health care organizations are experiencing data breaches now than six years ago,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “Negligence — sloppy employee mistakes and unsecured devices — was a noted problem in the first years of this research and it continues. New cyber threats, such as ransomware, are exacerbating the problem.”
The growing problem stems in part from the increased sophistication of cyber thieves and the explosion in the use of internet-connected devices.
Despite the best efforts of health insurers, health systems and other care providers to protect their networks and patient data, cyber attackers are often one step ahead, Kam said.
“The criminal element — the bad actors, if you will — have gotten more diverse and sophisticated,” Kam said.
Some of those organizations “do have some serious and significant resources to go after the data that they’re interested in and, unfortunately, are able to get,” he said.
While the tech experts do battle to protect networks and systems, care providers can step up employee training, Dietzman said. Employees need constant reminders of how to identify threats such as sophisticated phishing emails that an attacker can use to install a virus or gain access to a network.
Great Lakes Health Connect has a privacy and security officer who came aboard from the financial services industry and monitors the exchange’s security profile. The health information exchange regularly “fine tunes” policies and procedures to keep up with threats, Dietzman said.
Staffers also receive annual training, and Great Lakes Health Connect regularly pushes out to employees “reminders and stories of where breaches have occurred (in the health care industry) to keep the threat top of mind,” Dietzman said.
“We understand this is a critical issue in health care and are committed to taking whatever steps we can to make GLHC’s environment as secure and safe as we can possibly make it,” he said. “Nobody can promise perfection, but that is our intent and we’re doing what we can to hit it.”