Health Care Tech Comes with Cyberrisks

As health insurance, IT and tech companies deal with more and more data, the potential for hacks and other cybersecurity breaches is growing.


The technological revolution has finally come to health care, and it is manifesting itself in ways that make tracking and treating disease easier and more efficient. Millions of patients who might not have known how to access their own medical records several years ago can now use a provider’s online web portal to see test results and communicate with doctors. Sensors can deliver real-time information to physicians about patients’ heart rate, respiration or blood glucose levels, and individuals can keep track of their own nutrition and physical activity to share with doctors for a more complete picture of their health. Digitization and technology-assisted communication are undoubtedly positive things for health care, but the more they are used, the greater the risk that someone other than doctor and patient will get hold of the data.

Patients’ personal information is increasingly vulnerable to data breaches, causing trouble for individuals as well as the companies in charge of keeping that data safe. A problem often attributed to retail companies and banks, the threat of a cyberattack that exposes thousands of individuals’ personal information is also an imminent one for companies operating in the health care industry, from insurance companies to electronic medical records firms and even to operators of trendy health-tracking software and products.

“Health care organizations need to control costs, and technology is going to be one way to do that,” says Caroline Clouser, executive vice president of the health care segment for insurer Chubb Group. “But with that transformation comes new exposures that we haven’t faced in the past.”

These exposures include criminal attacks, in which hackers go out of their way to find and steal information, and situations of negligence in which an employee might damage a hard drive, lose a laptop or make something public that is protected by the Health Insurance Portability and Accountability Act (HIPAA) or other laws or internal regulations. These hacks and breaches compromise patients, but they also have significant financial implications for companies, which must put resources toward preventing them and, in the event that they happen, spend heavily to manage their reputations, pay any applicable fines or penalties and, in some cases, settle claims by customers.

“Among other things, patients whose electronic medical records have been shared publicly may begin to seek indemnification,” says Clouser.

With all of the big retail breaches in the headlines — from Target Corp. to eBay — the risk to health care companies and their customers is often understated. In a 2015 study by New York–based audit and advisory firm KPMG, about 80 percent of executives at leading health IT companies said their firms had been compromised by a cyberattack in the previous two years, whereas 3 percent said they weren’t sure if their computer systems had been compromised. One quarter of respondents admitted that either their firms didn’t have the ability to detect breaches in real time, or they weren’t aware of such capabilities.

Michael Ebert, head of KPMG’s health and life sciences cyberpractice, said at the time of the study that he believed actual numbers were likely much higher. Patient information can be worth even more to hackers than credit card numbers, which can be changed quickly once a breach is detected. It’s much more difficult to change a name, Social Security number or diagnosis code.

The health care industry has been slow to adopt technology, but now that it’s plugged in, the innovations are coming so swiftly it has been hard to keep up with the dangers.

“Advancements in technology are moving at such a rapid clip, it’s very difficult for security to keep pace,” says Stephen McCarney, vice president of marketing at application protection software firm Arxan Technologies. The Bethesda, Maryland–based company recently completed a survey that found that 86 percent of the top health-related applications on iTunes and the Google Play store had at least two major vulnerabilities: lack of binary protection — meaning the code can be tampered with and potentially reverse-engineered or reprogrammed to do things it wasn’t intended to do — and insufficient transport layer protection, the safeguard that protects network traffic. Arxan also surveyed the creators and users of the apps, who, McCarney says, tended to far overestimate their security. And the real kicker for companies: 80 percent of those who use health care apps said they would change providers if they knew their app was not secure, and 83 percent would switch if they knew a similar provider had a more secure mobile health app.

“What this tells me is that even without an attack, security is an increasingly important decision-making factor,” McCarney says. “We’re moving the bar away from just keeping bad guys out, so companies want to look at security as a potential way to gain competitive advantage.”

The pain a company feels from a breach may depend on its existing brand loyalty, however. In February 2015, Anthem Blue Cross and Blue Shield, the second-largest health insurer in the U.S., announced that personal information belonging to up to 80 million customers had been stolen, including names, addresses and Social Security numbers. Analysts predicted at the time that the breach would cost Anthem upwards of $100 million, but the company’s stock price barely budged. In a postbreach survey conducted by Wedbush Securities, just 6 percent fewer respondents preferred Anthem BCBS over other insurers than before the breach, accounting for 8 percent who lowered their opinion and 2 percent who were so impressed with how the company handled it that their opinion of Anthem actually improved. Companies with less brand loyalty, such as many electronic medical record managers, might not be so lucky.

“I don’t think the forgiveness factor would be as positive for EMR companies,” says Sarah James, a health care equity research analyst at Wedbush. “BCBS has a high brand value, and I believe that helped. It also helped that Anthem’s response was big and fast.” Anthem quickly informed federal authorities of the breach, informed customers and the public in a timely fashion and hired experienced consultants to help sort out the mess.

There are tools that can help combat these risks, such as end-to-end encryption software, which transmits encrypted data that can only be unlocked by someone with a so-called key from the same piece of software. And whereas credit card companies use a common system for processing transactions that is recognized by all of the major players, the permission, or mandate, for this does not currently exist with regard to health information. These types of systems are effective — Apple swears by end-to-end encryption — but very expensive.

Experts say existing privacy regulations, such as HIPAA, may be doing more harm than good, adding complexity and cost that hold the health care industry back from making headway in cybersecurity. Regulators rely heavily on past experience to govern transactions and data transfers that are happening in new, never-before-seen ways, according to Monica Eaton-Cardone, founder and CIO of Dublin, Ireland–based chargeback fraud recovery and loss prevention firm Global Risk Technologies. “Regulatory boards are hard-pressed to keep pace with evolution,” she says.

Follow Kaitlin Ugolik on Twitter at @kaitlinugolik.
