Tip Sheets

What to know before diving into a health care cybersecurity story

By Rebecca Vesely

Breaking news on cyberattacks at hospitals and health plans is increasingly common. Here are some tips on reporting on health care data security breaches, what questions to ask and helpful resources.

What are the most common cybersecurity problems today?

Ransomware: A type of malware (malicious software) that denies users access to their own data by encrypting it with a key the attackers withhold until a ransom is paid. Ransoms are usually demanded in an untraceable cryptocurrency such as Bitcoin.

Phishing: A “lure” that entices an unwitting user to grant a thief remote access to proprietary data. For instance, a victim clicks on a link in an email that appears to come from a trusted source, opening an access door to their computer. Phishing is a common way for criminals to infect a computer with ransomware.

Remote-Access Hacking: Any unauthorized break-in of a computer system from a remote source.

Theft and Loss: This includes stolen laptops and lost thumb drives containing patient information that is not encrypted or otherwise secured.

Snooping: Incidents in which hospital staff access a person’s medical records without authorization and without being directly involved in the patient’s care. High-profile incidents involving celebrities have led to hospital fines.
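Snooping is one of the few problems on this list that a hospital can catch from its own records: HIPAA requires covered entities to keep access audit logs, and the usual check is to compare who opened a chart against who was actually assigned to that patient's care. The script below is an added illustration, not part of this tip sheet; the log format, the field names, the care-team roster and the "break_the_glass" override marker are all assumptions (real EHR audit logs vary by vendor), but the logic is the one compliance teams use: an access is suspicious when the user is not on the patient's care team and no documented emergency override accompanies it.

```python
"""Flag possible medical-record snooping in EHR access audit logs.

Added example (not from the tip sheet). The log layout, field names,
care-team table and the "break_the_glass" justification marker are
assumed; substitute your own audit-log parser for a real system.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit log, one access per line:
# <timestamp> <user id> <patient id> <action> <justification>
SAMPLE_AUDIT_LOG = """\
2016-08-01T09:02:11 nurse_17 pt_1001 VIEW care_team
2016-08-01T09:05:40 dr_03 pt_1001 VIEW care_team
2016-08-01T12:44:02 clerk_88 pt_2002 VIEW none
2016-08-01T13:10:55 clerk_88 pt_2003 VIEW none
2016-08-01T13:11:20 clerk_88 pt_2004 VIEW none
2016-08-01T22:30:07 dr_19 pt_3003 VIEW break_the_glass:ED arrival
2016-08-02T08:00:00 nurse_17 pt_2002 VIEW none
"""

# Constructed care-team roster: patient id -> staff authorized for that chart.
CARE_TEAM = {
    "pt_1001": {"nurse_17", "dr_03"},
    "pt_2002": {"dr_21"},
    "pt_2003": {"dr_21"},
    "pt_2004": {"dr_22"},
    "pt_3003": {"dr_07"},
}


@dataclass(frozen=True)
class Access:
    when: datetime
    user: str
    patient: str
    action: str
    justification: str


def parse_audit_log(text: str) -> list[Access]:
    """Parse the assumed whitespace-separated log format into Access records."""
    accesses = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # The justification field may contain spaces, so split at most 4 times.
        when, user, patient, action, justification = line.split(maxsplit=4)
        accesses.append(Access(datetime.fromisoformat(when), user, patient, action, justification))
    return accesses


def is_override(access: Access) -> bool:
    """True when the access carries a documented emergency ("break the glass") override."""
    return access.justification.startswith("break_the_glass")


def find_snooping(accesses: list[Access], care_team: dict[str, set[str]]) -> list[Access]:
    """Accesses by users outside the patient's care team with no documented override."""
    flagged = []
    for a in accesses:
        if a.user in care_team.get(a.patient, set()):
            continue  # authorized by a care relationship
        if is_override(a):
            continue  # documented override; reviewed separately, not treated as snooping
        flagged.append(a)
    return flagged


def find_overrides(accesses: list[Access]) -> list[Access]:
    """Override accesses still need human review, since the justification is self-reported."""
    return [a for a in accesses if is_override(a)]


def suspicious_access_counts(flagged: list[Access]) -> dict[str, int]:
    """Number of flagged accesses per user."""
    return dict(Counter(a.user for a in flagged))


def repeat_offenders(flagged: list[Access], threshold: int = 3) -> list[str]:
    """Users whose flagged accesses reach the threshold, e.g. someone paging through many charts."""
    return sorted(u for u, n in suspicious_access_counts(flagged).items() if n >= threshold)


if __name__ == "__main__":
    accesses = parse_audit_log(SAMPLE_AUDIT_LOG)
    flagged = find_snooping(accesses, CARE_TEAM)
    for a in flagged:
        print(f"SUSPICIOUS {a.when.isoformat()} {a.user} opened {a.patient}")
    for a in find_overrides(accesses):
        print(f"REVIEW override {a.when.isoformat()} {a.user} opened {a.patient}: {a.justification}")
    print("repeat offenders:", repeat_offenders(flagged))
```

On the constructed log this flags four accesses: three by a clerk who opened three unrelated charts within half an hour (enough to be listed as a repeat offender) and one by a nurse outside that patient's care team; the physician's emergency override is not counted as snooping but is listed for review, because the justification is only as good as the person who typed it.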

Why is health care data a target for theft?

  1. The health care sector is a rich source of a person’s personal data, including names, Social Security numbers, addresses, dates of birth and personal financial information. This type of data can fetch high prices on the black market.

  2. Health care data is shared among a variety of organizations and people, offering more opportunities to exploit weak spots in security systems.

  3. Protocols on handling patient information may not be in place or well understood by many providers and clerical staff with access. (See my blog post on medical students and EHR access.)

  4. Medical data is stored for a long time, which increases the opportunities for hacking over its lifetime.

  5. Adoption of electronic health records and patient databases has happened so quickly over the past five years that security often lagged behind. One provider, quoted in a Brookings Institution report on hacking published in May, puts it like this: “While big technology companies are like war ships, these healthcare providers are like small rubber dinghies in a sea of hacker sharks. They cannot protect themselves."

How big is the problem?

Big. Since 2009, about 1,500 breach incidents have exposed the medical information of more than 155 million people in the United States, according to the Brookings Institution. Health care is the biggest target of hacking of any sector, according to multiple sources.

Who oversees these breaches and what are the reporting requirements?

Health care entities are required to report data breaches to the U.S. Health and Human Services Department (HHS) Office for Civil Rights (OCR). The office investigates the cases, conducts audits and issues fines. HHS posts a list of breaches affecting 500 or more people (required under law) at this portal.

The OCR in July 2016 issued new guidance on ransomware. The guidance “reinforces activities required under the Health Insurance Portability and Accountability Act (HIPAA) that can help organizations prevent, detect, contain and respond to threats."

Some members of Congress are alarmed over the frequency of health care hacks, but experts doubt more regulations will help, Politico has reported.

What questions should reporters ask a breached health care entity?

  1. What policies and procedures were in place prior to the attack, and how will these policies be changed to prevent future attacks?

  2. Are specialized workers trained on detecting and reporting malicious software?

  3. Who has access to these systems? How are you limiting access to only those who can detect and respond to threats?

  4. What is your contingency plan for recovery and backups?

  5. How often is data backed up?

  6. Are you able to identify all patients affected by the breach? How?

  7. What is your annual budget for cybersecurity?

Sources on health care cybersecurity