MEDICAL HACKS

CULTURE CHANGE COULD HELP HOSPITALS PROTECT INFORMATION-RICH DIGITAL HEALTH RECORDS

Data breaches have been the bane of giant companies including Yahoo!, Equifax and Target, to name a very few. But not even organizations committed to public health are immune.

In May, the Lubbock, Texas-based University Medical Center Health System discovered that a computer hacker had compromised one of its employee’s email accounts and stolen the electronic medical records of more than 18,000 patients. The same month, a hacker stole more than 100,000 medical records from the Boys Town National Research Hospital in Omaha, Nebraska.

The damages for these incidences and others are considerable: the Ponemon Institute estimated data breaches cost American hospitals an estimated $6 billion per year.

“There’s no question that the bad guys are ahead of the game on this,” says Corey Angst, professor of Management & Organization, who studies information technology systems and the health-care industry. “They’ve been very successful at illegally accessing data.”

Hackers have long targeted financial institutions and government agencies, but as hospitals have converted their records from paper to digital over the past decades — a transition encouraged by the Affordable Care Act — they have increasingly come under the same kind of cyberattacks. “Medical data is rich with information,” Angst says. “You not only get names, you get birthdays, insurance policy numbers, diagnosis codes, billing information.”

All of that information makes it easy for hackers to steal a patient’s identity and fraudulently open credit cards or loans. Hackers can also use the information to obtain bogus prescriptions for controlled substances or to blackmail a patient by threatening to reveal their rare health condition. Worst of all, most patients don’t even realize their health records have been compromised until it’s too late.

To guard against such data breaches, hospitals and health-care systems have invested billions of dollars in IT security systems. But simply installing antivirus software and fingerprint access codes isn’t enough, according to new research conducted by Angst, his Mendoza colleague Ken Kelley, the University of Alberta’s Emily Block, and the University of Delaware’s John D’Arcy.

By examining data from more than 5,000 U.S. hospitals between 2005 and 2013, the researchers determined that only hospitals that “substantively adopt” IT security technology can protect themselves against the skyrocketing number of cyber attacks. As opposed to “symbolic adopters” — hospitals that use IT security merely because it’s required of them or to burnish their public image — substantive adopters “make it part of their culture and the way they operate,” Angst explains.

“You can have the best technology in place, but unless people abide by the policy 100 percent of the time, they’re going to be just as susceptible to breaches,” he says. “It could be something as simple as an employee writing down a password and leaving it on a screen, or leaving a computer open without signing out. Any little gap like that is going to be an opportunity for hackers to do something bad.”

Angst compares hospitals that take IT security seriously to companies such as the chemical giant DuPont, where he worked for three years before going into academia. “I worked in the engineering office, not the plant, but the safety culture permeated everything we did,” he says. “If you weren’t holding the rail when you walked up a flight of stairs, someone could report you. Substantive adopters of security practices have to live it and embrace it.”

Angst and his colleagues also used their data to study which kinds of health-care institutions were doing the best job of protecting against data breaches. They found that older, smaller, faith-based and for-profit hospitals were more likely to be symbolic adopters, while newer, larger, secular, nonprofit hospitals were more likely to substantively adopt IT security systems.

But even the best-protected hospital systems are failing to keep up with the pace and sophistication of cybercriminals, the researchers found. And since they based their analysis on the number of data breaches reported by the hospitals themselves, Angst admits that the problem could be even bigger than we realize — after all, it’s widely estimated that 9 out of 10 breaches go undetected. Angst recommends that hospitals hold regular, staffwide training sessions to ensure all employees know the correct data security procedures.

“The truth of the matter is that hospitals themselves may not know when they’ve deflected a breach,” Angst says. “All we see is when the hack is successful.”

By Corey Angst

Illustration by Greg Mably