Imagine speeding to the hospital in an ambulance, only to be redirected to a different location due to a hostage situation there — not involving people, but the hospital’s computer system. Or what if you get a letter saying you’ve had a major operation that you have absolutely no memory of?
Chances are you (or your hospital) have been the victim of a cyberattack.
One of the recent attacks on a medical institution occurred at a Minnesota fertility clinic, which reported that patients' data is being held hostage by cyber attackers. The Colorado Center for Reproductive Medicine network (CCRM), which runs the clinic, reportedly notified patients of the hack in October. Nearly 3,300 patients of the clinic have been “potentially affected,” a spokeswoman told the Associated Press. CCRM did not respond immediately to a request for comment.
Similar attacks hit several hospitals in the U.S. in the past year, including the Hollywood Presbyterian Medical Center in February 2016. It reportedly paid hackers a ransom of $17,000 in Bitcoin for the release of its electronic medical records and system. These hacks represent a problem in the health care industry that has increased fourfold over the past year and is only expected to get worse.
In 2016, 328 U.S. health-care firms reported data breaches, up from 268 in 2016, according to the 2017 Healthcare Breach Report released by data protection company Bitglass this week. Customers of Kroll’s Cybersecurity & Investigations have even found hackers using stolen information to get medical procedures, said Brian Lapidus, leader of identity theft and breach notification practice at Kroll’s Cybersecurity & Investigations.
One 85-year-old woman alerted them that she had received an explanation of benefits document in the mail stating she had gotten a nose job. It turned out someone else had claimed the procedure on her insurance using stolen information.
“This is an outcome where it starts getting dangerous,” Lapidus said. “Someone could have a more extreme procedure, like having their kidney taken out, for example, and now that is on your medical record and affecting your care.”
Other risks include being blackmailed over sensitive diagnosis information included in health records, or having prescriptions falsified. In 2015, Congress established the Health Care Industry Cybersecurity (HCIC) Task Force to address the growing risk of cybersecurity incidents in the industry and to help the industry respond to them.
The latest health-care ransomware attack, which happened last April, targeted technology company Greenway Health and affected 400 of its clients. A statement on the company’s website two weeks after the incident said an effort to restore functionality to affected customers was “nearing completion.” (A company spokesperson said it wasn’t commenting on the incident.) In 2016, three other hospitals were hit with ransomware in Kentucky, Arizona, and California.
So what can be done? In the report released this week, the task force called on federal regulatory agencies to standardize the “complicated patchwork of laws” affecting the health care industry’s cybersecurity. Still, it recognizes the need to continue to add features like electronic medical records and update the health care system in the U.S., as it “cannot deliver effective and safe care without deeper digital connectivity,” the report said.
“If the health care system is connected, but insecure, this connectivity could betray patient safety, subjecting them to unnecessary risk and forcing them to pay unaffordable personal costs,” the report said. “Our nation must find a way to prevent our patients from being forced to choose between connectivity and security.”
Health care breaches continue to happen, Lapidus said. “They’re going to continue to happen because there is a treasure trove of information at those institutions,” he said. “You can use personal health care information to open new credit cards, get payday loans, file fraudulent tax refunds and get prescriptions.”
That’s because health institutions have what he calls the “holy trinity” of personal information: name, social security number, and date of birth. They also have more personal details that make such hacks even more risky than a typical retail breach, including prescription information and diagnoses.
Meanwhile, consumers need more literacy around health-related hacks, Lapidus said. Some people know the Internal Revenue Service won’t email or call them about taxes due to increased knowledge around such scams in recent years, but many don’t understand whether a doctor might call asking for a social security number or credit card information. Patients who receive such calls should hang up and call the doctor back at the main office number to ensure they are not being scammed.
Hospitals around the world also must prepare themselves for increasing attacks on a case-by-case level, Lapidus said, by educating their staff about the risks of phishing emails—where hackers pretend to be a legitimate service to get someone to open a link. They should also have a cohesive plan in place to respond when attacks do happen. “The job of a hospital is to service its patients and when they lose access to patients [via their medical records] that ability is precluded,” he said.
This story was updated on Dec. 6, 2017.