
Hospitals on alert for cyberattacks

National reports warn of regular data breaches


Data breaches, which have exposed the medical data of more than 155 million Americans over the past six years, “now threaten the core businesses of hospitals,” according to a recent report by the Brookings Institution. 

On average, health care organizations face about one cyberattack per month and are struggling to find effective strategies to keep systems secure, according to a separate report from the Ponemon Institute, a strategic research and consulting firm.

A cyberattack on Mercy Iowa City in January resulted in an estimated 15,000 patient records being compromised. The hospital said the data compromised may have included patient demographic and clinical information as well as health insurance information and, in some cases, Social Security numbers. 

Other high-profile attacks earlier this year involved a Los Angeles hospital that paid $17,000 to hackers after a ransomware attack. In another incident, MedStar Health, a not-for-profit health care organization in Washington, D.C., had its computer network attacked by a virus, which forced it to shut down its online database.

A surge in threats 
In a national survey conducted by Ponemon of 535 health care IT professionals, 48 percent said their organization had had a breach involving loss or exposure of patient information in the preceding year. Factors they cited as some of their biggest threats included system failures, unsecured medical devices, identity thieves and unsecured mobile devices. A separate 2015 survey by Ponemon found that criminal cyberattacks against hospitals have increased by 125 percent since 2010.

The increased connectivity of hospitals in the past few years, particularly with the rising use of electronic medical records, has led to a surge in threats to hospitals, said Jim Tufts, leadership solutions team lead with ICE Technologies in Pella. The company works with 60 rural and community hospitals in Iowa as well as hospitals primarily in the Midwest. 

“Where before you might have worried just in financial services, we’re seeing it skyrocket in health care because the data is so rich,” he said. “With financial records, the data is very temporary — bank accounts or credit cards can be canceled — versus in health care, where you’re dealing with Social Security numbers, health data and addresses. Because of that value, health care has become a target, especially in the past few years.” 

Sheryl Rose, chief security officer for Englewood, Colo.-based Catholic Health Initiatives, said the threat landscape for hospitals’ cybersecurity is constantly evolving. The national nonprofit health organization is the parent of Mercy Medical Center-Des Moines. Rose declined to provide any specifics about threats faced by CHI hospitals. 

“Cyber hackers change their mode of attack so frequently that we are constantly trying to stay on top of that,” she said. “Health care has a lot of confidential information, and that in itself changes the threat landscape of the health care industry.” 

Human error
Individual awareness and education of employees are critical elements of data security, Rose said. “If you look at the past four or five years, health care companies have been moving so heavily into technology; you couple that with the need for clinicians to have data available in real time. We can have protections against malware, but it still comes down to user protection and awareness.” 

Human error was the leading cause of the majority of data breaches analyzed in the Brookings report, which is based on interviews with nearly two dozen key personnel at a variety of health care organizations. 

Proper training of employees is critical, because it’s through employees that many of the viruses are introduced, ICE Technologies’ Tufts said. 

“Most of the time it’s through an attachment in an email,” he said. “It’s just keeping people vigilant; is this something I was expecting to get or from a colleague? We see a lot of cases where there is a fair amount of training on email, but when you do a mock phishing email, 50 to 60 percent of employees fall for that.” 

New strains of ransomware that threaten to hold systems hostage have substantially heightened health care organizations’ sensitivity to security, said Phil Stravers, vice president of strategy and development with ICE Technologies.

“We see a heightened interest in getting their vulnerabilities identified and plugging holes,” he said.   

The best strategy for dealing with ransomware threats is a good backup system, Tufts said. “We do have some facilities that have come to us and have said this has been an eye-opener to them in that their backups weren’t as good as they thought.” 

The stakes are high for hospitals in ransomware attacks, said Doug Jacobson, director of the Information Assurance Center at Iowa State University. 

“The goal behind ransomware is to make your computer unusable. If that happens at home, I can deal with it,” he said. “A hospital today is out of business the minute their system goes down. So these things are really bad for an institution that’s so dependent on technology. If you look at the hospitals that paid ransomware, it was because they were taken offline.”

Although theft of health care data is still a threat, “hospitals are doing a pretty good job of trying to lock that information down, which is why we’re seeing a drift towards other ways to extort money,” he said. 

“And with the advent of cyber cash, that’s made it easier to collect money as an attacker,” Jacobson said. “So it’s fairly easy for me as an attacker to collect booty without setting foot outside of my apartment in some country we don’t have extradition treaties with.”


Cyber insurance becoming an easier sell in Iowa

Iowa businesses are becoming increasingly aware of the need for cyber liability insurance, according to a representative with LMC Insurance, which offers the specialty coverage. 

“Simply going through the application process can be eye-opening for clients because they can see areas of concern that need to be improved from a security perspective,” said Brian Hughes, an account executive with LMC. He estimated that fewer than half of Iowa businesses purchase the coverage, which he believes will become a standard part of liability coverage within the next few years.  

“In the past year we’re starting to see a significant adoption rate,” he said. “I would say now that 75 percent of the businesses that we propose to are purchasing the coverage, whereas maybe it was only 25 percent just a year or two ago.” 

A recent report by the Brookings Institution recommends cyber liability insurance specifically for health care organizations. “To underwrite the privacy risk of health care organizations, cyber insurance companies will be willing and able to conduct timely and efficient audits and proactively manage their clients’ privacy protection efforts,” the report said. 

The average cost of a corporate data breach increased 15 percent in the last year to $3.5 million, according to the Ponemon Institute’s “2015 Cost of Data Breach Study.”

The standard policy provides $1 million in liability coverage, but policies are now available that cover a number of data breach notifications instead of a dollar limit, Hughes said. He has quoted policies in excess of $50 million for large organizations. 

Ransomware attacks can be covered; however, there is no standard policy language for the highly specialized policies, so it requires a broker to sort through the options. 

Policy premiums start at about $1,000 per year and can go into the hundreds of thousands of dollars, depending on the size of the company being insured. “There has been some claim activity, which is why we’re starting to see some of the premiums rise,” Hughes said. 

“It’s not a matter of if but when a company is going to have data compromised,” Hughes said. “And they’re going to want to have help navigating through it, specifically the notification laws.”