As new technology has enabled people to communicate and exchange data in a vast network called “the internet of things,” cyber security threats have become an increasing concern for health care organizations, according to industry experts.
Just last month, two health care facilities in Los Angeles County announced they had been attacked by ransomware, a computer virus that disables systems and then demands money in return for restoring access.
Hollywood Presbyterian Medical Center staff discovered that the hospital had been subject to a ransomware attack in early February after staff began having trouble accessing the hospital’s computer network.
According to a statement from the hospital, the malware locked access to computer systems and prevented the hospital from sharing communications electronically.
The hospital was forced to pay about $17,000 (40 bitcoin) to obtain a decryption key and restore its medical record system. While the ordeal lasted nearly two weeks, the hospital stated that, “patient care has not been compromised in any way.”
Also last month, the Los Angeles County Department of Public Health found “remnants” of a ransomware threat on a handful of computers in its system during a regular check of the department’s network.
Though the issue was resolved without the county having to pay a ransom, the health department’s spokesperson, Michael Wilson, told the Business Journal that health care organizations should be prepared for such cyber attacks, which have increased since the beginning of the year.
“Globally, certainly there’s been an uptick since the New Year in these kinds of attacks against health care systems,” he said. “Health care systems need to be prepared and have the appropriate security measures in place to protect against these types of things.”
Wilson said the county, which has 23 departments, successfully prevents more than 20,000 malware attacks on its information technology (IT) infrastructure every day, adding that, out of more than 500 million inbound e-mails a year, 88 percent are blocked because they contain malicious software.
Research shows that cyber attacks on health care organizations – often motivated by financial, notoriety or geopolitical gains – have been on the rise in recent years.
Last year, about 35 percent of all registered data breaches in the United States targeted medical companies (the second most breaches of any sector), according to a report by the San Diego-based Identity Theft Resource Center.
In addition, a global survey conducted last year by PricewaterhouseCoopers (PwC) reported that the number of security breaches among health care providers internationally jumped 60 percent from 2013 to 2014, almost double the increase seen in other industries, with a nearly 282 percent increase in financial losses.
Though representatives of some local health care organizations declined to comment to the Business Journal about cyber security for fear of increasing vulnerability, most officials said health care organizations are spending more time and money on the issue.
Long Beach-based Molina Healthcare, which is responsible for records of more than 4 million current members in addition to past members, has made sizable investments to protect data from cyber attacks, stated Sudhaker Gummadi, vice president of IT security for Molina Healthcare, in an e-mail.
The health care provider has invested in “workforce security awareness training, the latest technology and tools to monitor its network, end points and data as it is used within and outside the enterprise,” he told the Business Journal.
Molina also has teams dedicated to preventing, detecting and addressing cyber attacks, Gummadi said, adding that the company has put in place a “cyber defense center” and works with third-party service providers to ensure they are properly handling shared data.
“The threat to organizations is real, and all organizations are the target of attack by malicious entities,” he said. “The concern has earned the attention and support of all workforce members at Molina Healthcare, from executives to the rank and file, in providing quality care for our members and our brand. Because of this concern, Molina Healthcare has invested in people, a good process and the use of the latest cyber security technology commensurate with the latest cyber security threats.”
Bryan Sastokas, chief information officer (CIO) and director of the City of Long Beach Technology and Innovation Department, said cyber attacks come in many different forms. Hackers often try to gain access, infiltrate or take down websites externally through spam e-mails with false links or other phishing schemes.
“[E-mails] that look very professional or have an official nature cause the user to activate that Trojan horse or malicious software that would be imbedded in those links,” he said.
There are other situations where computer systems might become infected internally, such as through a disgruntled employee who might implant a virus in retaliation to being disciplined or terminated, Sastokas said.
He added, however, that most viruses come through “benign” or “seemingly passive interactions,” such as through e-mails.
“When you’re on the Internet and connected you’re exposed to those types of threats,” Sastokas said. “These things can happen from any venue from almost anywhere in the world.”
While technological advancements may make operations more efficient and cost effective, public and private sector organizations often have to weigh the potential security risks associated with new technology, he said.
“It’s always a challenge as you try to expand your network,” Sastokas said. “We really want to make sure things are encrypted and want to make sure information that is shared does not fall into the wrong hands.”
He said the key to preventing cyber attacks in any organization is education and training.
Sastokas, who previously worked in IT for insurance firm John Hancock Financial, noted that many private and public sector organizations are already required to have policies and systems in place to safeguard personally identifiable information, such as medical history, Social Security numbers and credit card numbers.
Health care organizations are required to follow the Health Insurance Portability and Accountability Act (HIPAA), which protects the privacy and security of health information.
The Long Beach Health and Human Services Department has an officer dedicated to ensuring that the health department is in compliance with HIPAA laws, said the department’s director, Kelly Colopy.
The health department, which has not reported any major cyber attacks or security breaches in recent years, is also protected under “firewalls” and “encryption” systems that secure personal information for all departments in the city, she said.
“We follow all the HIPAA privacy laws and all the best practices to make sure our systems are encrypted,” Colopy said. “The city has a very strong infrastructure and is always being tested.”
Still, even large companies that invest heavily in cyber security can become victims of a cyber attack, such as Sony Pictures Entertainment, which was hacked in 2014, as hackers are always finding new ways to breach systems, Sastokas said.
“We make sure we try to do our best effort in providing the necessary security testing for any deficiencies that might be both internally or externally within the city,” he said. “You’re never going to be 100 percent protected. You try your best because it’s always a changing, evolution of threats that are out there.”
Sastokas said it’s important for cyber attacks to be publicized when they occur so public and private organizations can learn from one another.
Reena Vaswani, president of E.K. Associates, which provides cyber security and IT services for the Port of Long Beach, said public and private organizations should regularly check systems and run a full “penetration test” at least every six months.
“If there are a lot of servers, every time they upgrade, new patches come up and your network is going to change,” she said. “It’s always updating . . . It’s not just a one-time thing . . . You have to be on it every six months and do the same activities so that your network is safe.”
In addition to the risk of personal information being compromised, cyber attacks are also a concern for health care organizations because of the threat to patient health, experts said.
A recent report by Texas-based Independent Security Evaluators (ISE) that assessed 12 health care facilities from January 2014 to January 2016 found that hospitals and health care organizations in the study were ill prepared to protect patient health from a potential cyber attack.
The report, titled “Securing Hospitals,” states that health care organizations are using the wrong approach to address cyber security by focusing more on shielding medical records than on protecting the health of patients, which is the primary “asset.”
Also, many hospitals are now using wireless or remotely operated medical devices, such as insulin pumps and heart rate monitors, which if compromised by adversaries pose more risks to patient health, according to the report.
“I think the overall conclusion is that patient health is at great risk and that’s because we have had an outdated approach to how we address security in health care,” Geoff Gentry, director of healthcare for ISE, told the Business Journal. “What is currently driving the security mission of hospitals is patient records and what needs to drive security mission of hospitals is patient health.”
He noted that, in the case of ransomware, even if a health care organization’s network has been restored after being compromised, it might not be able to be used again since malware may still be hidden somewhere in the network.
Providing a blueprint for the health care industry to address cyber security, ISE states that it’s important for hospitals and medical professionals to evaluate the security level of medical devices and new technology before purchasing or using them rather than relying on large brand-name companies.
“One of the problems is that hospitals purchase equipment from major brands and they rely on those companies to ensure that those devices are secure,” Gentry said. “Instead of purchasing devices and not knowing if they are secure before you buy them, you should do your due diligence prior to that purchase and deployment, whether that’s through a third party evaluation or an internal security team.”