Hospitals at war vs. cybercrime — but it’s a hard war to win

Modern hospital security is not just about nabbing a few thieves who wander in looking for something to grab. Patients’ information — medical and personal — is a big prize for today’s crooks, and it’s at risk 24/7 if the proper protocols and training are not in place.

St. Mary’s Hospital in Athens knows the reality as well as anyone. So, about four times a year, the Catholic-affiliated hospital works with its Michigan-based parent company, Trinity Health, to send out “bogus” emails to staff. That helps the employees learn what suspicious emails can look like and how to avoid taking the bait.

St. Mary’s Hospital

It’s part of broader training protocols and security measures the system implemented in order to prevent data breaches. These breaches affect businesses across the county, from hotels to local governments, and they can involve vast troves of data.

A data breach occurs when private information is accessed from a personal device — such as a laptop or cellphone — without the users’ authorization or consent.

Technological services like emails, network servers, desktop computers and even electronic medical records, get exploited. A data breach can also be classified as a cyberattack, a broader term that applies to any incident in which someone’s device is accessed surreptitiously, even if no data is taken.

Information that is susceptible to a data breach can vary. In the health field, it can include insurance policy numbers, birth date, Social Security number, medical history and billing and payment information, according to a blog post on Experian.

Hackers use computers to gain unauthorized access to data. With this stolen information, hackers can impersonate an individual to get medical services, open credit accounts, break into a person’s bank account, obtain drugs illegally and even blackmail people by threatening to reveal their private information.

Criminals also can share stolen information on the Dark Net, an underground marketplace on the Internet where information is shared with malicious intent. Information can be traded, sold or accessed between different agencies in order to discredit someone, or for state-sponsored attacks, according to Ymir Vigfusson, assistant professor of computer science at Emory University.

Penalties for cybercrime varies from state to state, according to the National Conference of State Legislatures. In Georgia, cybercrime laws penalize hackers with fines or jail time depending on the type of cybercrime committed. Additionally, victims can file civil lawsuits against perpetrators. But hackers have to be caught first, which is proving more difficult each year, according to Raconteur.

Last year more than 660 data breaches occurred in the United States, resulting in 22.41 million records being exposed without authorization, according to Statista. Of those data breaches, over 180 occurred in the medical and health care industry.

The U.S. Department of Health & Human Services’ Office of Civil Rights tracks the number of hospitals that have had a data breach that affects 500 or more individuals. The office is currently investigating more than 400 data breaches at health care institutions, including 10 in Georgia.

Two Georgia hospitals made headlines within the past few months.

In October, Gwinnett Medical Center reported a data breach that resulted in the information of 40 patients being posted on Twitter, according to the Atlanta Journal-Constitution.

Gwinnett Medical Center

A few months earlier, Augusta University Medical Center revealed that it had been the subject of cybersecurity incidents that potentially exposed personal information — like medical record numbers, diagnoses and medications — for about 417,000 patients, according to Healthcare IT News.

Experts say a person’s basic information, such as name, gender and phone number, may be exposed. Or in a significant breach, the leak may include personal information that people generally keep confidential, such their Social Security numbers, medical data and treatment information.

A look at what St. Mary’s is doing provides some insight into how hospitals are trying to address the issue.

The information technology department at St. Mary’s works in conjunction with Trinity Health to constantly update the technology that secures emails and software. That includes updating the filters that identify and delete spam, suspicious emails and malicious software, before those threats reach the end-users, said Mark Ralston, personal relations manager at St. Mary’s hospital.

Bogus emails are sent out by Trinity Health quarterly, and the purpose is so staff can learn “to not take the bait,” Ralston said. “They’re strictly for educational purposes,” he explained.

The hospital has targeted training for staff who work directly with patients’ protected health information, such as nurses and therapists. As well as the information technology department, especially those who work with medical records and patient financial services.

Other protocols are designed specifically to secure patients’ health information, such as frequent audits of who has access to the data and the encryption of mobile devices so that data is harder to obtain if the devices are lost or stolen.

“But hospitals and other health care providers have to remain vigilant against old-fashioned methods, as well,” Ralston added, “such as stealing laptops or jump drives.”

Vigfusson

Hackers often use phishing — sending fraudulent emails that appear to come from someone trustworthy — to lure users into giving up sensitive data. One of the reasons why hackers use this technique is because people are vulnerable when using technological devices, according to Vigfusson.

Employees use their personal cellphones or computers to check email or surf the Web. Hackers can use phishing to send malware, a piece of code that takes over the computer of an unsuspecting user.

Once an employee clicks a link in the email, or opens a rogue attachment, the malware embeds itself in the system.

“The hacker then has a direct foothold into the company,” Vigfusson said. “From this foothold, the hacker can attack other computers, take them over and add them to their network of zombie machines,” explained Vigfusson, who in 2013 co-founded a company named Syndis that simulates cyberattacks against large companies to help them improve their security.

What’s even more troubling is that many cyberattacks go unnoticed until well after the fact, Vigfusson said. Health care providers may not detect the initial breach until weeks or even months later, as in the case of Augusta University Medical Center.

The challenge for hospitals like St. Mary’s, Gwinnett Medical Center, Augusta University Medical Center and other organizations is to continually improve security by learning and incorporating new methods.

“The asymmetry between attack and defense makes security difficult,” said Vigfusson. “The hacker needs only to find one way into the company. But the company needs to protect against every possible way in.”

Alexandra Boss holds a bachelor of science in biology from Rhodes College in Memphis, Tennessee. She has worked as a scribe at Northside Hospital in Atlanta, an intern at Medscape and a graduate assistant for the Grady Sports Media Program. She is interested in the intersection of medicine and technology, and her current focus is on patient data privacy in the health care industry. She is a graduate student studying health and medical journalism at the University of Georgia.