Hackers are hitting healthcare companies and insurers with increasing regularity – Inside INdiana Business
Of all the industries in the country, healthcare could be the juiciest for cyberhackers. And around central Indiana, institutions large and small are paying the price.
In recent years, some of the region’s largest healthcare players, including Indiana University Health, Eskenazi Health, and Elevance Health (formerly Anthem Inc.), have had patient or customer information compromised by hackers.
The same goes for some of the area’s smaller hospitals, including Hancock Health and Johnson Memorial.
Hospitals, health insurers and medical clinics are full of patient and employee data that can be exploited for identity and medical theft. Hackers can shut down computer systems for days or weeks, holding hospitals hostage until the ransom is paid.
One of the latest attacks was made public last month when the Maine attorney general’s office disclosed that a software provider to Indiana University Health and nine other US health systems had been attacked.
The provider, MCG Health, told authorities that an “unauthorized party” had obtained the names, Social Security numbers, medical codes, mailing addresses, phone numbers, email addresses, dates of birth and sex of 1.1 million patients of about 10 hospital clients.
IU Health, Indiana’s largest hospital system, said it notified 60,000 patients of the breach, but declined to reveal details or answer further questions.
“Because this is an MCG data breach, we recommend that you contact them for further information. They would have specific details regarding the breach,” IU Health said in a brief statement.
Seattle-based MCG did not respond to emails and phone calls from IBJ. Several class action lawsuits have been filed against the software company, a subsidiary of Hearst Health, in federal district court in Washington state. The suits allege negligence, invasion of privacy, breach of trust and violations of consumer protection laws. IU Health and the other hospital systems were not named as defendants.
Nationally, cybersecurity breaches in the healthcare industry hit an all-time high in 2021, with nearly half of all hospitals nationwide reporting an attack, according to a report by cybersecurity firm Critical Insights.
All of these attacks revealed protected health information for a record number of patients. In 2021, 45 million people were affected by attacks on healthcare, up from 34 million in 2020, according to Fierce Healthcare, a business news site.
And it’s not just hospitals that are feeling the heat. Attacks on health plans jumped nearly 35% between 2020 and 2021. And attacks on business associates or third-party vendors increased nearly 18% between 2020 and 2021.
Slow to upgrade
Some cybersecurity experts say healthcare is an easy target because many hospitals and other players have been slow to invest in new software that can stop or slow down hackers. Instead, some hospitals use their budget to purchase new X-ray equipment or expensive surgical tools, and stick with decades-old software.
“Some are still running Windows XP on some of their systems,” said Tim Sewell, co-founder and chief technology officer of RevealRisk, a Carmel-based cybersecurity firm.
Fewer than half of healthcare organizations met national cybersecurity standards in 2019, even as cyberattacks grew more complex, according to Austin, Texas-based consulting firm CynergisTek, as reported by Healthcare Dive, a business information site.
Unlike some other industries, healthcare comes relatively late in the digital revolution. For more than a century of the modern medical era, doctors and nurses have used paper records to record patient information. The hospital billing and coding desk was filled with binders and reference books. Even today, some hospitals continue to correspond by fax and mail.
Much of that changed about 15 years ago, when Congress passed financial incentives for medical institutions that used electronic health records, as well as penalties for those that didn’t.
In just a few years, what was largely a pen and paper industry converted to electronic records, quickly building up a huge storehouse of digital information about patient conditions, diagnoses, treatments and outcomes.
“It meant that many organizations were adopting advanced IT infrastructure very quickly,” said George Bailey, deputy director of cyber services at Purdue University. “They just didn’t have the necessary skills. … The workforce was not equipped to deal with the resulting threat.”
By accessing sensitive health data, hackers can profit from selling the information on the dark web, the part of the internet where users can remain anonymous and untraceable.
Buyers can then use the medical information to commit identity theft by submitting fraudulent claims to Medicare and other health insurers, or fraudulently obtaining prescription drugs and reselling them.
“Electronic medical records are actually more valuable on the dark web than credit card numbers or social security numbers,” said Reid Putnam, vice president of property and casualty at Gregory & Appel, an Indianapolis-based risk and benefits management company.
Another major driving force: hackers can shut down hospital and clinic computer systems and demand a ransom to unlock them. This can quickly upset a hospital, as doctors and nurses cannot consult electronic health records to verify a patient’s medications or lab results. It can also shut down operating theaters — the profit centers of many hospitals — and cripple administrative and billing offices.
In hospitals, every minute the computers are down, someone’s health is put at risk.
“A good target is someone who pays ransoms faster than most,” Putnam said. “This may be a driving factor why healthcare is routinely one of the top industry segments to be hacked.”
In 2018, Hancock Health paid a $55,000 ransom to regain access to hospital computer systems, after an “unidentified criminal group” targeted more than 1,400 files. Hancock said hackers gave the hospital system seven days to pay a ransom in bitcoins, and after the virtual currency was transferred, staff regained access to computer systems.
In 2021, Eskenazi Health shut down its data network and diverted ambulances following what it called an “attempted ransomware attack.” The health system said no patient or employee data was compromised and hackers did not gain control of its computer files. Eskenazi said it did not pay a ransom.
A few months later, hackers attacked Johnson Memorial Health and disabled the Franklin-based health system’s computer network. Hospital officials said their backup processes allowed them to continue operations and most departments were unaffected, although it took weeks to inspect all files.
Indiana hospitals said they have invested millions of dollars in cybersecurity to harden their systems against attacks.
The average initial ransomware claim from healthcare companies was $4.58 million, according to last year’s BakerHostetler Data Security Incident Response Report. The average payout was $910,335.
Last year, University of California San Francisco Health paid hackers more than $1 million after a ransomware attack on its medical school computer servers.
“The data that has been encrypted is important to some of the scholarly work that we pursue as a university serving the public good,” the university said in a statement. “We therefore made the difficult decision to pay part of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they have obtained.”
And the ransom demands will continue as long as hospitals and other healthcare facilities keep writing checks, some experts say.
“Many medical devices are legacy devices; they’re older, so sometimes it’s hard to upgrade them,” cybersecurity expert Jack O’Meara told industry news site CyberNews. O’Meara is director of the Advanced Solutions Cybersecurity practice at Guidehouse, a Washington, DC-based business consultant. He added, “Ransomware will continue to rise, as long as healthcare organizations and hospitals are willing to pay.”