In May, the Ponemon Institute found that criminal attacks on health care organizations are up 125 percent since 2010. And according to a survey of health care technology professionals released in August by KPMG, 81 percent of medical organizations have been targeted by a cyberattack or malicious software—with more than one-in-ten acknowledging two or more attacks per week.
In its monthly disclosure report for November the Department of Veterans Affairs revealed that out of 693 individual records breaches, 616 involved personal health information. While many of these are attributed to employee negligence, the agency reported that it blocked more than 178 million attempts to breach its networks last month.
It’s not that thieves are only now recognizing the value of consumer medical data. Rather, they are targeting a prize that was largely unavailable to them until Congress put it within their reach.
The Health Information Technology for Economic and Clinical Health (HITECH) Act—a component of President Obama’s economic stimulus package—included billions of dollars to support the migration of static, paper-based medical records into electronic databases. Using the tagline “Go Paperless and Get Paid,” the Centers for Medicare & Medicaid Services has shelled out more than $30 billion to date in subsidies to promote the adoption of Electronic Health Records (EHR).
Starting this year, Medicare-eligible providers who aren’t “meaningful users” of electronic medical records will begin facing penalties.
Without a corresponding push to compel investments in security, however, the majority of medical providers incorporated EHR into legacy systems that lacked the technology required to protect it. This created an open pathway for thieves who once would have faced a lock door.
Last month, Donald Good—deputy assistant director of cyberintelligence and outreach at the Federal Bureau of Investigation—told a gathering of health care IT professionals in Washington, D.C. that the industry has yet to reconcile the limitations of legacy IT, even as it makes the leap to next-generation mobile devices.
“For a number of years, folks I think realized there was a threat out there, but it wasn’t as pervasive as it is today,” Good said.
A top-level IT manager at a major university health system in the Northeast told me recently that his organization is just now in the process of locking down patient data.
“We never lost any data so no one thought it was a problem,” he said, requesting anonymity on the grounds he could lose his job for speaking out. “The level of vulnerability is astounding.”
The majority of health care providers share that same pessimism. According to a survey released this month by the company Privacy Analytics, more than two-thirds of health care organizations lack confidence in their ability to protect patient data.
While Obama’s stimulus package has been a favored whipping post for conservative lawmakers, the push to digitize patient records was a bipartisan effort—aided by strong lobbying by the health IT sector.