Privacy advocates are up in arms about the latest data breach, in which hackers walked away with 4.5 million patient records after breaking into servers at Community Health Systems (NYSE:CYH), a national hospital operator that recently acquired competitor Health Management Associates. The theft, which included patient names, addresses, social security numbers, and patient's dates of birth, marks the latest in a string of data thefts at high-profile companies, perhaps most famously the department store chain Target.
It's likely this won't be the last theft of patient records. The hospital industry is waist-deep in shifting away from its decades-long reliance on metal file cabinets to electronic records that can be shared between a patient's healthcare providers. Since the healthcare industry will continue to implement more of these electronic systems, let's learn more about them.
First, a bit of background
Healthcare has maintained its pen-and-paper record system long after other industries, like banking, have shifted to computers. However, the industry has hastened to make up for lost time in order to take advantage of government regulations designed to accelerate the adoption of electronic health record, or EHR, systems.
In 2009, the U.S. Congress passed the Health Information Technology for Economic and Clinical Health, or HITECH Act. That act includes a slate of carrot-and-stick rewards and punishments for healthcare institutions based on their adoption of healthcare IT systems. Those who implement such systems receive bonuses, while those who fail to achieve certain levels of meaningful use of such systems see their Medicare reimbursement rates fall.
The passage of the HITECH act has kicked off a flurry of activity, and proven a boon to dozens of companies, including market share leaders Epic Systems, Cerner Corp., and McKesson, which have stepped in to serve the industry.
The majority of major hospital systems have already implemented EHR systems in order to benefit not only from government incentives, but from promised gains in efficiency and patient care. EHR systems offer a variety of opportunities for major systems to record, track, and evaluate patient health, not only individually, but also across larger patient populations.
Records can be shared with primary and specialty care physicians to quickly identify potential risks, such as drug interactions, or genetic markers that may help determine which specific medicine to prescribe. These records can also serve as a treasure trove of analytic data that can be aggregated and broken out by an endless combination of characteristics that may give doctors important insight into what therapies produce the best outcomes.
Those advantages, however, also come with risk. Paper systems are segregated and put in a silo, which means that private data is harder to steal. And because EHR systems possess such important -- and sensitive -- information regarding individuals, the move toward them is exposing patients to a far greater risk of being targeted by data thieves.
A big-time breach
The theft at Community Health Systems includes data from patients treated at any of its more than 200 hospitals during the past five years. Data thieves could conceivably use the patient data collected during this heist to steal patient identities by opening credit cards, or taking out loans in patients' names.
According to the company, cyber security experts it hired determined that the data breach came from hackers in China that broke into Community Health Systems' network at some point between April and June.
The future of securing cyber records
According to Reuters, the FBI issued a warning to healthcare providers in April that their networks could be increasingly targeted by data thieves because their systems are protected by generally less sophisticated anti-intrusion technology than other industries, including banking and retail. The reason for that stems from the industry having a much different goal than these other industries. While banks and retailers are happy to keep the data safely embedded within their own networks, healthcare institutions are keenly focused on sharing their data across networks. That inherent difference opens the door for more potential ways for hackers to gain access to patient data.
Adding to the appeal of healthcare records to hackers is that healthcare data may be more valuable, given that it can potentially be used to fill fraudulent prescriptions for controlled substances like opiates. According to Dell SecureWorks, cyber criminals were getting just $1 to $2 for credit card numbers last year, but were getting closer to $20 for health insurance credentials.
As a result, while the healthcare industry will deploy counter measures to reduce the risk of intrusions, hackers will also continue to target everything from Internet-connected medical devices to online printers to get their hands on the information. According to cyber security experts at SANS, a study designed to determine the level of risk to healthcare IT systems from hackers determined that healthcare providers, like hospitals and private practices, were the main target of would-be thieves, representing 72% of all the malicious traffic identified in the study.
Fool-worthy final thoughts
While hackers did walk away with sensitive data, they failed to get their hands on patients' more detailed health records or payment information. Patients who find they've had their identities stolen due to the breach could conceivably sue Community Health Systems under a federal health records protection law; fortunately, the company has insurance to pay for just such an eventuality.
And patients worried that their data could still be stolen by the same malware used this spring at the hospital chain can relax, at least for now. The company claims it has fully removed the malicious software the hackers used from its systems. Regardless, it's likely EHR systems are here to stay given their potential to streamline and improve care, and that means we're likely to see more attempts to steal that data in the future.