Is paying ransom going to become another part of providing health care?

Hollywood Presbyterian Medical Center, a Los Angeles hospital, paid a $17,000 ransom on February 15, 2016, to decrypt its electronic health record system after the system was taken hostage by hackers. Although the payment was not the first of its kind, it represents another link in the increasingly complex chain of threats faced by health care providers. The hospital gave in to the criminal demands ten days after its network was affected, noting that paying off the hackers was “the quickest and most efficient way” to restore the hospital’s electronic systems.

A new threat

The ransomware attack on Hollywood Presbyterian is representative of a new kind of threat for health care providers (see Another hit for health IT—now hackers hold hospitals hostage?, February 23, 2016). Unfortunately, the attack was not the first of its kind, and the hospital’s response was not a novel approach either. Some reports suggest that entities fall victim to such ransom demands more often than is publicized, because some companies do not reveal when they have been hit by ransomware and likewise do not disclose when they have paid off the attackers. According to the Hollywood Presbyterian release, patient care was not compromised and neither patient nor employee information was subject to unauthorized access; even so, the security breach was dramatic, and its seriousness is only compounded by the likelihood that similar attacks are occurring without public notification.

Other threats

Cybercrime has become a persistent reality for health care providers. One estimate suggested that health care record hacking is rising at an exponential rate, up 11,000 percent last year, and that the toll last year was 100 million stolen health care records. Hackers take the records and sell them on the dark web with thinly veiled advertising claims like “you can use those profiles for normal fraud stuff or to get a brand new healthcare plan for yourself.” Some of the most recent breaches include one at Magnolia Health Corporation and a security breakdown in Washington’s Apple Health Medicaid program. While some data breaches, like the one affecting Apple Health, are relatively innocuous lapses in protocol, other incidents, like the Hollywood Presbyterian attack or the 2015 Anthem breach, are the product of intentional criminal activity.

Task Force

To address the growing problem, HHS recently announced the formation of the Health Care Industry Cybersecurity Task Force, as mandated by the Cybersecurity Act of 2015 (Division N of the Consolidated Appropriations Act, 2016, P.L. 114-113). HHS issued a call for nominations for membership on the task force, seeking individuals with experience in the health care and public health sector; knowledge of the technical, administrative, management, and/or legal aspects of health information security; and knowledge of major health information security policies, best practices, organizations, and trends. The first teleconference of the Task Force will be held on March 17, 2016.

Economics of hacking

From a preparation standpoint, a recent Ponemon Institute report suggests that one key to defeating cyber threats is making attacks too costly to pursue. Rather than trying to build an impenetrable wall that no attacker can breach, the study recommends that entities build security controls strong enough that attackers abandon the target because of the opportunity cost, namely the time required to compromise the system successfully. In practice this is the case for defense in depth: each additional layer (network segmentation, least-privilege access, monitoring) adds time and effort for the attacker. For ransomware specifically, the control that most directly removes the incentive to pay is a tested, offline backup from which systems can be restored faster than a ransom can be negotiated.

Looking ahead

Cyber threats are changing as they grow. With both the number of individuals affected and the number of ways they are affected rising, health information security is becoming increasingly important. Because there may be no absolute protection from cyber threats, short of following quixotic recommendations to revert to paper, providers must remain vigilant and aware of the threats so that they do not find themselves in the position of Hollywood Presbyterian, paying criminals as the “most efficient way” to return to business.

Centene loses hard drives containing health information of 950,000 individuals

Health insurance company Centene Corporation (Centene) is looking for six misplaced computer hard drives that contain the personal health information of an estimated 950,000 individuals. While the lost hard drives do not include any financial or payment information, the company says that they contain the names, addresses, birthdates, Social Security numbers, and health information of individuals who received laboratory services from 2009 to 2015.

Internal search

Centene Chairman, President and CEO Michael F. Neidorff says that the company does not believe the information was used inappropriately, but adds that it is disclosing its ongoing search for the drives “out of abundance of caution and in transparency.” The drives were part of a data project intended to use laboratory results to improve health outcomes.

The company is reviewing and “reinforcing” its information technology (IT) asset management procedures and is offering free credit and health care monitoring to the individuals affected by the loss.

Reporting

The HHS Office for Civil Rights (OCR) website does not currently reflect that Centene has reported the missing drives to that agency. Under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) breach notification rules, as amended by the Omnibus Final Rule (78 FR 5566), HIPAA covered entities and business associates must notify affected individuals of a breach of unsecured protected health information (PHI) unless a risk assessment demonstrates a low probability that the information was compromised (45 C.F.R. secs. 164.402, 164.404). Only unsecured PHI triggers the obligation: PHI that was encrypted in accordance with HHS guidance is not considered unsecured (45 C.F.R. sec. 164.402), so whether lost hardware such as Centene’s drives was encrypted is the first question in determining whether a loss is a reportable breach. For breaches involving 500 or more individuals, covered entities must notify HHS at the same time that they make individual notifications (45 C.F.R. sec. 164.408), and for breaches involving more than 500 residents of a state or jurisdiction they must also notify prominent media outlets serving that area (45 C.F.R. sec. 164.406).

Recent breaches

In 2015, six breaches affecting more than a million individuals each were reported on the HHS OCR website. These included breaches at Anthem, which compromised the data of 78.8 million individuals, and Premera Blue Cross, which reportedly involved 11 million records. Both breaches were tied to Chinese espionage (see 5 hot topics in cybersecurity, Health Law Daily, January 7, 2016).

Health programs

Centene provides programs and services to government-sponsored health care programs, including Medicare, Medicaid, and the Children’s Health Insurance Program (CHIP).