Over those years, the number of Californians whose personal records were breached through loss or theft grew from 2.6 million in 2012 to 24 million in 2015, whether at hospitals, insurers, retailers, financial institutions or other places where sensitive data is stored. Health care and insurers played a big role, though: That 24 million includes 10.4 million breached in a hack attack on health insurer Anthem, and 4.5 million in another attack on UCLA Health.
The health sector has improved its use of strong encryption on hardware devices, the report notes, and while those kinds of breaches have declined, health care still is “lagging behind other sectors” in securing devices.
But cyberattacks on large databases are growing in all industry sectors, with far more personal records available than might be found on a smartphone.
Cybersecurity challenges in health care aren’t just confined to California — hospitals, insurers, doctors’ offices, pharmacies, and medical device manufacturers all face the possibility of data breaches. A security firm recently reported that its team was able to hack into patient monitors and medicine-delivery systems at hospitals in the Baltimore and Washington, D.C. region.
Health organizations face a unique challenge when it comes to shoring up their cybersecurity, said Dan McWhorter, vice president and chief intelligence strategist at FireEye, a cybersecurity firm based in Milpitas.
Health care providers and insurers keep on hand massive amounts of highly sensitive personal medical data as well as financial data. Breaching that data can result in serious violations of privacy, economic harm and even physical harm to patients, if treatment technology is compromised. These organizations need to protect that confidential information while simultaneously sharing it with other providers to coordinate patient care and payment, McWhorter said.
Health care mergers that involve combining data among large companies have made data protection even more complicated, he said.
Moreover, hospitals have many visitors, in contrast to other companies that can limit access only to employees. And they work with many “trusted third parties” such as insurers and medical device manufacturers, with online connections to their data, McWhorter said.
McWhorter said he was able to compromise the website of an infusion pump manufacturer, giving him potential access to 15 different medical organizations.
“There are industries that are more heavily targeted (by cybercriminals) than health care, but the impact (on people) is much, much greater,” McWhorter said. “What’s happening is that cyber-attacks are becoming a better way to do malicious things without risk, rather than running into a shopping center and shooting people.”
This story was produced by Kaiser Health News, which publishes California Healthline, a service of the California Health Care Foundation.