Why Computer Hackers Invade Health-Care Providers


Last year the dizzying news of a computer hack at MedStar Health, one of the largest medical providers in the Baltimore/Washington area, forced the organization to shut down most of its online operations.

The attack was suspected to be ransomware, and MedStar is just one of the victims in a string of cyberattacks that have hit the health-care industry hard. Here’s what you need to know about how health-care providers became a digital battleground.

Why would cybercriminals go after the health-care industry?

The health-care sector has a lot of information that could be valuable to criminals and that makes them a juicy target.

First, they often have a bunch of personal information that could be used for traditional financial fraud — things like your name, social security number, and payment information. But they also have health insurance information, which can be sold for even more on online black markets because it can be used to commit medical fraud — things like obtaining free medical care or purchasing expensive medical equipment — that often isn’t caught quite as quickly as credit card or bank account fraud.

A particularly aggressive cybercriminal could even find a way to leverage compromising medical information guarded by health-care providers into a blackmail scheme — although that has not become a major avenue for attack yet, according to Ben Johnson, co-founder and chief security strategist at cybersecurity firm Carbon Black.

However, several U.S. hospitals have also now been hit with ransomware, a type of malicious software that basically lets an attacker hold a computer hostage. Once ransomware gets in a system, it starts quietly using hard-to-break encryption to lock up the information stored there — making information inaccessible to the legitimate user. After the software has finished locking things up, it typically pops up with a message demanding a payoff in a difficult-to-track digital currency like bitcoin in exchange for the digital key needed to get back into the data.

This is a particular type of nightmare scenario for health-care providers because more and more of them rely on electronic medical records to keep things up and running.

“Health care is a bit unique in that up-time is really important,” said Johnson, which means providers may be more likely than other targets to pay quickly so they can get back to work.

Just how vulnerable is the health-care sector to cyberattacks?

Things are not looking good.

According to cybersecurity firm TrendMicro, health care was the sector that was hit hardest by data breaches from 2010 through 2015. Not all of those breaches involved hacks — two-thirds were actually due to the loss or theft of things like laptops, smartphones, or thumb drives — but it still demonstrates a major problem with the way the industry approaches keeping data safe.

“It’s a big environment with a lot of different pieces — and not a lot of investment in cybersecurity,” said Johnson.

Part of the problem is that hospitals and doctors’ offices often need to oversee a mishmash of different types of equipment running different types of software — and they cannot always apply standard security practices, like regular updates, without risking instability because it might break the connections between systems, according to Jay Radcliffe, a senior security consultant at cybersecurity company Rapid7.

The FBI actually warned health-care providers that they needed to increase their digital defenses in April of 2014. “The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely,” said a private notice the FBI distributed to the sector.

In 2015, several big health insurers suffered major breaches. One hack at Anthem, the nation’s second-largest health insurer, left information on up to 80 million people exposed. Another at Premera exposed data on 11 million people, including medical information in some cases.

Also last year a ransomware attack hit Hollywood Presbyterian Hospital in California. Staff was forced to resort to paper record-keeping for a week and divert patients to other hospitals. The hospital eventually paid the attackers roughly $17,000 to get access back to their data. Two other hospitals in Southern California were also reportedly hit with similar ransomware — as was a Kentucky hospital, which declared an “internal state of emergency” after the attack.

And to make matters worse, the health-care providers are also having to grapple with the problem of securing connected medical devices: A hacked pacemaker or drug pump could have potentially life-threatening consequences for patients, and even other types of networked devices could end up helping a cybercriminal find a furtive way to get access to a hospital’s computer systems.

“That can be the weak spot in your network — and in a lot of cases, a hospital might not even realize it was connected,” said Radcliffe.

What is the health-care sector doing to fix this problem?

The industry has its own groups dedicated to helping coordinate how it responds to cybersecurity threats, including the National Health Information Sharing and Analysis Center, or NHISAC, which was founded in 2010. These sorts of efforts are useful because they can help industries work together to stem the spread of a particular type of threat early.

And there is at least one bright side to all the breaches and hacks in the health-care sector: “They are really waking up to the fact that they are a huge target,” said Johnson.

But, unfortunately, that awareness addresses only part of the problem. Even once an organization has committed the funds to build up its digital defenses, it can be difficult to plot the best path forward, according to Johnson, because it takes time to figure out which tools to put in place and whom to hire.

The latter part can be difficult for health-care providers because there’s a shortage of security professionals across all industries.

“I’ve literally talked to health-care organizations that have 300 open security positions, and are struggling to fill even a handful of them,” said Johnson.

“It’s going to continue being a rough period of time,” he said.

How to Take Charge of Your Medical Records


Patients have a lot to gain by getting access to their health information. Knowing where to get it and what to do with it is key. And, it’s your health. So it’s time you took control of all the information about your health. That’s the message a growing number of patient advocates are trying to spread to American health-care consumers.

For most people, of course, it’s all too easy to simply leave their health records in the hands of doctors and hospitals. But that’s a big mistake, the advocates argue. First, it gives doctors too much power over information that is vital to patients, and it creates opportunities for errors. Perhaps more important, it keeps patients from using the information themselves for their own benefit.

“For consumers to start requesting and using their health information, it will be a game-changer for the health-care system,” says Christine Bechtel, a consultant for the National Partnership for Women and Families who spearheads the Get My Health Data campaign to get patients to ask doctors for their records. “Once we unlock the data, there’s an enormous amount we can do with it.”

Indeed, taking charge of your own records helps circumvent “data lock”—where one doctor’s records system can’t talk with another’s, or when hospitals make a fuss about transferring files to competing providers. By obtaining your records, you can serve as your own data hub and give out information when you are consulting specialists, seeking second opinions or shopping for less expensive care.

Controlling your data can also be a matter of safety, advocates argue. Studies show that 400,000 Americans die every year because of medical errors, including 80,000 because doctors don’t have in hand the information they need. “This is an epidemic we can cure if patients can carry that information everywhere they go,” says Bettina Experton, CEO of health-care software maker Humetrix.

A big impetus for these advocacy efforts: electronic health records. Spurred by $30 billion in incentives, doctors and hospitals have digitized millions of Americans’ medical files so they can be more easily analyzed and shared, with the goal of improving care and cutting costs. But it’s often been easier for government regulators, data-crunchers and bill collectors to access information on patients than it has been for patients themselves.

To be sure, not everyone thinks it’s a good idea for patients to take charge of their records. Some doctors, for instance, worry that patient files often contain confusing data that could make people needlessly upset or require time-consuming explanations.

Meanwhile, some people are too sick, too busy or too anxious to want to monitor their health data closely.

But a growing number of Americans are eager for access to their own records as they travel from doctor to doctor, or look for answers on their own. And more physicians say the more information patients have, the more invested they will be in their own care.

Managing medical records can take knowledge and perseverance—but it can bring many benefits, from simplifying paperwork to improving well-being. Here are five important steps to make the process as efficient as possible, and get the most out of it.

Demand Your Data…

If you’re intimidated about asking your doctor, bear in mind that they are your records. You have the right, under federal law, to obtain copies of your medical information from virtually any place you receive health-care services. Providers have 30 days to act and can charge for the cost of reproducing the records, but not searching for them or retrieving them. If you spot errors, you can request changes or add information to make the file more accurate.

Many hospitals and doctors have also earned Medicare bonuses by promising to make summaries of your records easily available electronically. Some large health systems, such as Kaiser Permanente, have set up online portals where patients can download summaries, as well as make appointments, order refills and leave messages for doctors. What’s more, about half of all Americans—including all Medicare and Veteran’s Administration patients—can access at least some of their health records, free of charge, through the government’s Blue Button program. People can check if their provider or hospital participates at the Blue Button Connector.

But overall, few patients have accessed their records—so few, in fact, that hospitals have complained about a Medicare rule that penalizes hospitals unless at least 5% of their patients access their records electronically. Federal regulators have proposed lowering the 5% requirement to just a single patient instead.

That, in turn, has provoked outrage from advocacy groups that say many providers haven’t told patients they have the right to see their records, or haven’t given them a way to do so.

Ms. Bechtel notes that hospitals also benefit when patients can scrutinize their records. “If I have my data, I can spot errors, avoid repeat tests, detect fraud,” she says. “Enabling consumers to help, to be a second set of eyes, to be really involved with their data, will improve care and save money in the end.”

Many physicians appreciate the oversight. Farzad Mostashari, a former federal official in charge of health-information technology who is also involved in the Get My Health Data campaign, tells a story about an encounter with a physician in Wisconsin. The doctor told him that since he was giving his patients copies of their records, he heard from at least one each week about an error they had spotted. He said, “I love it! It’s cheaper than a lawsuit.”

Organize It…

Another benefit to getting hold of data is the chance to organize it in a way that makes it easy to understand and use. A host of software programs and mobile apps let consumers create personal health records to do just that, often for little or no cost.

Instead of having to sort through a collection of different files, patients can collect all of their health records, and those of family members, together in one place. Then they can leverage the information in any number of ways, such as tracking everyone’s medications, immunizations, vital signs, test results and appointments, as well as setting fitness goals and tracking their progress toward reaching them.

Early programs of this type attracted little interest, largely because users had to enter information manually. Newer versions can import data directly from electronic records, wearable devices and other sources.

Microsoft HealthVault, for example, can combine data from a wide variety of sources. One app even lets users import, store and share copies of their X-rays and other scans. HealthVault can also send letters to physicians’ offices and hospitals with instructions on how to send patients their electronic medical data securely.

And an ever-growing array of apps make medical records available on smartphones. IBlueButton, an app made by Humetrix, can convert the often unwieldy Medicare and VA records available on the Blue Button website into easily accessible form on an iPhone or Android phone, and clearly display every diagnosis; every doctor, hospital and ER visit; and every lab test, X-ray and prescription, including when and where it was filled. It can do the same for patient records held by many hospitals and doctors’ offices as well.

IBlueButton users can create separate folders for family members’ records, research medical terms and send their records to providers who have iBlueButton’s professional version.

Share It…

Having health information handy also allows people to share data as they see fit, without waiting for a doctor’s office to get around to doing it. That might mean sending a child’s immunization records to school, emailing photos of suspicious skin lesions to specialists or obtaining second opinions.

“Anyone managing a chronic disease finds this out the hard way, carrying boxes of records from doctor to doctor,” says Joy Pritts, former chief privacy officer at the federal health information-technology agency. “Having electronic copies of your records makes that much easier.”

Having your own set of records to share can also remove the awkwardness of approaching a provider with a request. “A lot of people aren’t comfortable asking their doctor to send their records to another provider—it’s like asking your spouse if you can fool around,” says David McCallie, senior vice president for medical informatics at Cerner Corporation, an electronic-health-record vendor. “It would be much easier if you could just push a button and have your records flow.”

Giving family members or other caregivers a way to access critical information about you, such as your medications, allergies, blood type and major health issues, can literally be a life saver in an emergency, but they may not need to know your entire medical history. Microsoft HealthVault lets users invite other people to be custodians and decide what parts of their records to let them see.

Some apps are specifically designed for emergencies. An app called ICEBlueButton from Humetrix displays a code on a smartphone’s lock screen that paramedics can scan and read even if the user is unconscious. The app will display as much information as the user has decided to make available, and it can be programmed to automatically alert the user’s emergency contacts as well when the code is scanned. A newer version called SOS QR also broadcasts the user’s GPS location and can translate critical information into five languages as well.

One thing to bear in mind, though, is that while doctors are generally eager for specifics about your medical history, most insist on creating their own files for new patients, so you may still have to answer the same questions repeatedly.

And some physicians also warn patients that keeping information private because it seems sensitive or embarrassing can be dangerous. “Your cardiologist needs to know you’re taking Viagra,” says Lawrence Garber, an internist and director of medical informatics at the Reliant Medical Group in Worcester, Mass.

Generate It Yourself…

Health records aren’t the only place people can find information about their conditions. The universe of wearable devices is exploding—from tracking users’ steps walked and calories burned to monitoring heart rate, blood pressure, blood sugar, blood oxygenation and other potentially life-threatening issues.

If knowledge is power, these devices provide patients with unprecedented ability to keep themselves healthy or keep problems under control. People can figure out how much exercise they’re getting during the day, for instance, and how much they need to add to keep in shape. They can also get an instant update on their condition without having to wait for an appointment with their physician.

That’s a step some doctors like, too. “Why should you take a half-day out of your life to see me for 10 minutes and say that you’re fine?” says Daniel Sands, a Boston internist and founder of the nonprofit Society for Participatory Medicine. “I could say, ‘Check your own blood pressure, send it through the patient portal, and we’ll talk again in two weeks.’”

But many doctors are concerned about the security and accuracy of wearable devices, the potential for malpractice issues and the possibility of being overwhelmed with data they don’t need.

“There’s a distinction between solicited and unsolicited information,” Dr. Sands says. “You may want to track everything you do or eat during the day, and I may not be ready for that information.”

Indeed, patients who are part of the “quantified self” movement, and into charting every aspect of their lives, tend to be those who are already healthy, says Joseph Kvedar, a dermatologist and vice president of the Connected Health center at Partners HealthCare in Boston. “We’re more interested in the person who should be wearing a FitBit and is instead eating cheesecake on the couch.”

Protect It…

Having control of medical records brings plenty of benefits, but also a big responsibility: Storing that information on a personal computer or smartphone does make it vulnerable to loss, theft or hacking. Thieves could use a patient’s name and health-insurance numbers to obtain drugs or medical care illicitly, file fraudulent claims and leave the user with bogus charges. That means it’s critical to protect personal health records and medical apps with passwords and make sure any records they send and receive are encrypted.

What’s more, records loaded into a personal health record or other commercial app are no longer protected by the federal Health Insurance Portability and Accountability Act, or HIPAA. Most consumer fitness trackers aren’t covered by HIPAA either, which means the data they collect, including name and other identifying information, can be disclosed—even sold—by the developer. Many apps are free because they sell your data, so it pays to read the privacy policies closely. People could find themselves receiving many unsolicited marketing pitches.

Many experts point to Apple HealthKit’s policy as a model of privacy protection. Apple prohibits app developers from selling or using the data they collect for advertising or data-mining, except for purposes of health or health research. It also requires any apps it connects with to ask the user’s permission before accessing information about them. “It’s really putting the user in the driver’s seat with respect to how their information gets used,” says Bud Tribble, the company’s vice president for software technology.