The Top U.S. Healthcare Story For 2014: Cybersecurity


As with every year, there was no shortage of big healthcare stories in 2014. Several publications made good lists (here and here) and not surprisingly ‒ Ebola appeared at or near the top of many. I do think Ebola qualifies as The Top Global Healthcare Story For 2014, but I also think there's room for a U.S. specific version as well.

As healthcare becomes increasingly digitized (and more devices become network attached, attachable or aware), cybersecurity captured my vote as the top U.S. healthcare story for 2014. Here are the 5 compelling reasons why:

  1. The SANS Institute Report (February)
  2. The FBI Private Industry Notification (PIN) to the healthcare industry (April)
  3. The "hacktivism" cyber attack on Boston Children's Hospital (April)
  4. The breach of 4.5 million health records at Community Health Systems ‒ the second largest hospital chain in the country (August)
  5. The Sony Pictures Entertainment breach ‒ which included detailed employee, spouse and dependent medical information (December)

The SANS Institute Report (registration required here) was specifically targeted at the healthcare sector ‒ and I added detailed coverage of the report in February under this headline: New Cyberthreat Report by SANS Institute Delivers Chilling Warning to Healthcare Industry.

A key quote from the report was this one by lead analyst and author Barbara Filkins:

This level of compromise and control could easily lead to a wide range of criminal activities that are currently not being detected. For example, hackers can engage in widespread theft of patient information that includes everything from medical conditions to social security numbers to home addresses, and they can even manipulate medical devices used to administer critical care. ‒ Barbara Filkins, Senior SANS Analyst and Healthcare Specialist

It's an important assessment that expands on the findings of the Ponemon Institute report in 2013. In that report (registration required here), the Ponemon Institute calculated the cost of Medical Identity Theft at $12 billion annually. That's just the financial calculation. The clinical calculation included these additional risks, as reported by actual victims of Medical Identity Theft:

  • 15% of respondents experienced a misdiagnosis
  • 13% of respondents experienced a mistreatment
  • 14% of respondents experienced a delay in treatment
  • 11% of respondents were prescribed the wrong pharmaceutical
  • 50% of respondents have done nothing to resolve the incident

In April, Boston Children's Hospital was attacked by a "hacker collective" known as Anonymous. While the attack was classified as "hacktivism" (motivations revolved around a high-profile pediatric case), the "group" issued direct threats prior to launching a sizable distributed denial-of-service (DDoS) attack on the hospital. The attack was short-lived (about a week) but escalated quickly and did have an impact on critical communications ‒ including email services for the entire hospital.

The attack also included the release of personal information on both the judge and the doctor involved in the pediatric case in question.

The cyberattack against BCH earlier this year did take us by surprise and we reacted quickly in ways that did control the threat, but that also required a disruption in normal IT services like email. If there's any real message here it's that you can't schedule these kinds of attacks so it's critical to have cyberthreats as a key part of IT budget and planning. In our case, we don't think the motivation was financial, but the attack was as sophisticated as many that are. ‒ Dr. Daniel Nigrin, CIO, Boston Children's Hospital

All of that took place before June. In August, Community Health Systems (the nation's 2nd largest hospital system, with 206 hospitals in 29 states) announced a breach of 4.5 million patient records. Included in my coverage of that story (Cyber Attack Nets 4.5 Million Records From Large Hospital System) were references to other notable cybersecurity threats this year.

We see about a million hits a day from China alone trying to break into our network. ‒ Bert Reese, CIO of Sentara (Top Healthcare CISO's Hard To Come By ‒ May, 2014)

The medical device makers were not aware of the intrusions until federal authorities contacted them, and they have formed task forces to investigate the breach, [an inside source] said. ‒ Hackers break into networks of 3 big medical device makers, SFGate (February, 2014)

Which brings us to the latest noteworthy healthcare breach, announced just this month ‒ Sony Pictures Entertainment (SPE). While global interest and attention was mostly centered on the release of the film The Interview ‒ and secondarily on whether North Korea was to blame ‒ this was a large healthcare breach that included deeply personal health information on employees and their family members. As a result, it will absolutely be subject to the rules and penalties of HIPAA violations.

One memo by a human resources executive, addressed to the company's benefits committee, disclosed details on an employee's child with special needs, including the diagnosis and the type of treatment the child was receiving. The memo discussed the employee's appeal of thousands of dollars in medical claims denied by the insurance company. Another document leaked in the hack is a spreadsheet from a human resources folder on Sony's servers that includes the birth dates, gender, health condition and medical costs for 34 Sony employees, their spouses and children who had very high medical bills. The conditions listed include premature births, cancer, kidney failure and alcoholic liver cirrhosis. The document doesn't include employees' names. ‒ Sony's Hacking Nightmare Gets Worse: Employees' Medical Records Revealed, Bloomberg, December 12

Sony acknowledged this outright in their notification to employees earlier this month.

In addition, unauthorized individuals may have obtained (ix) HIPAA protected health information, such as name, social security number, claims appeals information you submitted to SPE (including diagnosis and disability code), date of birth, home address, and member ID number to the extent that you and/or your dependents participated in SPE health plans, and (x) health/medical information that you provided to us outside of SPE health plans. ‒ SPE Notice to Employees on December 8 (pdf here)

While many were quick to simply lump this into the traditional category of data breach ‒ like Forbes, Target, Staples and Home Depot ‒ it was vastly different. This was a massive enterprise data breach with healthcare repercussions well beyond just the data that was stolen. Self-insured employers often share detailed employee (and dependent) health information with companies they contract with for benefit management and claims processing. Whether a company is self-insured or not is irrelevant: managing and maintaining PHI greatly expands its responsibility and liability for security compliance, audit and data breach under HIPAA.

Credit cards have a relatively short usable life after theft and a typically small personal liability ‒ often only $50 to the consumer. This is also why the courts often frown on consumer lawsuits for financial identity theft. Medical identity theft, however, is vastly different, and the courts will review these class-action employee/employer cases very differently. Full legal liability for PHI under HIPAA is not something that many employers are familiar with or prepared to deal with.

The plaintiffs are suing Sony on grounds of negligence, invasion of privacy, bailment and violations of multiple California laws that require a corporation to protect the private medical information of its employees and notify them of data breaches in a timely fashion. They're seeking "an award of appropriate relief, including actual damages, restitution, disgorgement, and statutory damages." ‒ Sony Hit With Fourth Class Action Law Suit

Beyond the legal liability is the larger issue for all of cybersecurity ‒ trust. Earlier this year the French telecom conglomerate published a study (The Future of Digital Trust ‒ pdf here) that produced these results:

  1. 78% of consumers state that it is hard to trust companies when it comes to the way they use consumer personal data
  2. 70% agree that there are few or no trusted ways to find out about personal data management and protection online
  3. 78% feel that service providers hold too much information about consumer behaviour and preferences

In this new age of hacktivism, massive health data breaches and global cyberthreats, privacy may well be dead (as some suggest), but trust most certainly isn't.

As I've said in these memos for more than 25 years, we can afford to lose money ‒ even a lot of money. But we can't afford to lose reputation ‒ even a shred of reputation. ‒ Warren Buffett, Letter to Managers of all Berkshire Companies (Buffett Reminds His Top Managers Reputation Is Everything)