Last February, a small Southern California hospital in a sleepy art deco neighborhood found itself under a full-scale attack that brought all semblance of health care to a standstill. The Los Angeles Police Department and the FBI were called in to render aid, but they were ultimately of little help against the onslaught. That’s because these attackers did not wield guns, knives or any other conventional weapon—instead, they employed a rather crippling computer virus. Ultimately, the hospital gave up on trying to admit patients and track treatment with just pen and paper. The solution was to surrender to the hacker’s demands, and the hospital reluctantly paid $17,000 in bitcoin ransom to regain control. Thus the new year ushered in a new era for hospitals—one where cyber security and a commitment to patient privacy are paramount.
2016: the year hospitals got hacked
Hollywood Presbyterian Medical Center was not the only hospital to suffer a cyber threat in 2016, either—several other facilities fell victim to potentially similar actions, including a hospital in Henderson, Kentucky; one in Morgantown, West Virginia; and even the community-based system MedStar Health of Washington, D.C. While cyber attacks and instances of ransomware have been in the headlines for over a decade, 2016 marked the first year that online criminals targeted healthcare facilities with such intensity. This coincides with another trend in the cybercriminal world, where large enterprises are becoming the more likely targets, due in part to bigger caches of data and deeper pockets. Where traditionally ransomware attacks have involved the lockdown of a single computer or network, we’re now seeing the rise of crypto-ransomware, where malicious programs infect and encrypt all accessible files. The result is that the holder of the information has to pay up if they want to regain access.
EMRs make such attacks more threatening
What’s worrisome about such instances is that they go beyond online bullying and blackmail. The real threat surpasses the inner workings of hospital infrastructure and permeates the security of health care data itself—specifically, personal patient information in the form of electronic medical records (EMRs). Far worse than a stolen credit card, the theft of one’s medical identity can have far-reaching effects. Thieves not only gain access to name, social security number, date of birth and even banking information all in one package, but they can also sell your medical history to those desperate for treatment. The care those buyers receive then ends up in your files, causing years of confusion and erroneous medical care. In fact, experts say that a complete set of health records is currently worth 20 times more than a credit card number on the black market.
The prognosis for your personal data
So what does this mean for the average consumer with regard to the quality and security of their health care? More than you think, as the cybercrime landscape is changing fast—from October 2009 to May 2016 alone, the U.S. Department of Health and Human Services’ Office for Civil Rights recorded 1,567 separate data breach incidents involving healthcare organizations. And the annual Study on Privacy and Security of Healthcare Data published by the Ponemon Institute found that cases of medical identity theft rose from 1.4 million in 2009 to 2.3 million in 2014, with future projections climbing at an exponential rate. So how do you deter such thieves? The answer is not an easy one, but advisers offer the following to help ensure that your information stays as safe as possible:
- Ask to use a numeric identifier other than your social security number
- Always review the security policies of a healthcare provider or institution
- Carefully review all Explanation of Benefits letters you receive
- Employ a credit monitoring service
Both an Emory School of Law graduate and MBA graduate of Goizueta Business School at Emory, Chris Nace focuses his practice on areas of medical malpractice, drug and product liability, motor vehicle accidents, wrongful death, employment discrimination and other negligence and personal injury matters.