Hackers gave the industry no other choice.
The year started with a massive data breach at Indianapolis-based Anthem Inc., which the health insurer revealed on Feb. 4. Hackers roamed around in Anthem’s computers for six weeks and stole personal and financial information of 78.8 million customers, as well as the information of 8.8 million customers at Blue Cross and Blue Shield plans not owned by Anthem.
There have been 269 data breaches at health care organizations this year, according to statistics collected through Dec. 22 by the Identity Theft Resource Center. That’s actually down from 2014, when health care organizations suffered 333 breaches.
But the number of records stolen has soared to 121.6 million records stolen, up from less than 8.4 million records in 2014. Even without the Anthem breach, there were still 34 million records stolen this year from health organizations.
The health care industry accounted for one out of every three breaches recorded by the Identity Theft Resource Center.
“They can and are trying to break into everything,” Doug Leonard, president of the Indiana Hospital Association, said of hackers. He added, “It’s really on everybody’s radar screen in the health care industry.”
In a survey released in August by consulting firm KPMG, 81 percent of health care executives said their organization had suffered a cyber attack in the previous two years and 13 percent said they were being attacked daily.
In late November, the bond rating service Moody’s said it would now consider cyber risk in its evaluation of health insurers and hospitals, among other businesses. Moody’s will not evaluate the cyber security readiness of the individual companies it rates, but it could use cyber security in stress-tests of companies, much as it does now with weather disasters or acts of terrorism.
“As cyber risk becomes more pervasive, it will take a higher priority within our analysis,” said Jim Hempstead, an associate managing director at Moody’s who was the lead author of a Moody’s cyber security report released Nov. 23.
The risk of a data breach are far higher now for health care providers since the 2009 stimulus act funneled more than $30 billion to help the industry digitize its patients’ medical records. Now the federal government actually penalizes health care providers if they don’t use electronic medical records.
Also, Moody’s noted, more and more medical equipment uses the Internet to send and receive information, making that equipment vulnerable to hacking—and possibly to patient harm or disruption of services.
“We believe the sector’s risk awareness is high, a credit positive,” Hempstead wrote in the Moody’s report. “Most hospitals have completed or are in the process of installing expansive, new patient information systems which likely have better safeguarding features than prior technology.”
Leonard, the president of the Indiana hospital association, said his organization purchased cyber security insurance for the first time this year, because the association receives some sensitive information from its members. It also organized some teleconferences on cyber security for hospitals around the state.
Still, he said, no one really feels adequately protected from hackers, who even breached the federal Office of Personnel Management this year and stole employment records of millions of federal employees, including CIA spies.
“They are probably all suitably worried that they are taking all the precautions they know how to take,” Leonard said, “but with the sophisticated attacks going on, I don’t think anybody feels adequately protected.”
Indeed, in an October simulation of a cyber attack among 12 health insurers, conducted by the HITRUST Alliance industry group, only two companies even consulted their pre-prepared incident report plans.
“I’ve seen a dramatic improvement,” Ray Biando, chief information security officer at Illinois-based Health Care Service Corp., told the FierceHealthPayer news service, “but we still have a lot of work ahead of us.”
<em>J.K. Wall is a health care reporter at the Indianapolis Business Journal and writes The Dose blog on the business of health care.</em>