As the recent American Medical Collection Agency data breach demonstrates, healthcare organizations must remain diligent about their cybersecurity practices. The AMCA breach exposed the information of nearly 20 million Quest Diagnostics and LabCorp patients, and the medical billing firm was forced to file for bankruptcy due to the expenses of notifying affected consumers and losing its largest customers.
That doesn’t mean Quest Diagnostics and LabCorp are out of the woods yet. Besides the financial implications, there is also reputational damage that can affect an organization long after news of a breach fades from the headlines.
Unfortunately, trust is hard to regain after a major breach, according to Andrew Boyd, M.D., associate professor in the department of biomedical and health information sciences and associate chief health information officer for innovation and research at the University of Illinois Hospital and Health Science System. Read on to see why he believes it’s important to invest in security to prevent healthcare data breaches from happening in the first place.
Editor’s note: This interview has been lightly edited for brevity and clarity.
Has the number of healthcare data breaches increased in recent years?
Andrew Boyd: Yes, there has been a growth in hospital breaches. Initially, it looked like individuals who were hacking into systems were targeting banks. If you ask bank robbers why they rob banks, it’s because that’s where the money is. But there is still lots of value in health data. There are active attacks on hospital networks, [but] there is also the loss of laptops, unintended disclosures or an insider selling data.
Why is it so difficult for healthcare organizations to manage cybersecurity?
Boyd: One of the challenges health systems of all sizes are realizing is that as the banking sector and retail sector have increased their security, [hackers] are now moving to the health sector. What we saw in the other two sectors for the last 10 years is now happening on the healthcare side.
So, why is this hard? The average hospital can have between 500 and 600 different databases that are required to keep the hospital running. There are techniques and procedures to lock down the systems to make sure they’re secure and make sure you update the patches. [But] at the end of the day, it’s a matter of investing sufficient resources to keep your systems as safe as humanly possible. The reality of our situation is with a limited amount of resources someone could spend, there is no perfect lock. If you’re a billion-dollar hospital operation and someone wants to spend two billion to hack your system, there’s a differential in size.
Do healthcare organizations, then, need to spend more on security measures?
Boyd: Speaking of healthcare in broad strokes, healthcare — as a total amount of expenditures — spends less on information technology than any other field. I believe it’s 3% or 4%. Even automotive manufacturers and retail spend 10% or 15% of their total revenues on technology. Granted, the pie for healthcare is several trillion dollars, [so] it’s still a lot of money. But when you consider the average amount of every dollar spent in a hospital or outpatient center — not just on security, but on all technology — it’s much smaller than in any other industry.
Do healthcare organizations still have to worry about traditional attacks, or are there new methods to be aware of?
Boyd: Because of data connectivity, we open up a whole host of potential security threats. One of the challenges with security threats is that you have standard policies and processes, you have standard updates and patches, but the truly innovative hacks into healthcare systems come through ways you don’t necessarily think about. I heard one where they hacked into the vending machines in a [university] and then went after the bigger system. You have to do all the best practices like two-factor authentication, but you also have to be thinking about what else. What’s truly connected to the network?
What are the business implications of a healthcare data breach?
Boyd: One, to regain the trust is hard. Two, it depends on the marketplace. Quest Diagnostics and LabCorp have 80% of the market for lab testing nationwide. So, if Quest has a big breach and you want to use LabCorp, it’s sort of like if you’re in a town and there are two hospitals and one has a data breach, you go to the other one. If you’re in a place where there’s only one hospital or hospital system, you’re going to get sick and you have to go somewhere. So, part of it depends on the market. If you’re in a competitive marketplace, making sure that your security is as tight as possible in order to make sure you’re not the one who has the reputational damage is — besides the fines and all the other challenges — one of the best motivators to have individual hospitals and health sciences systems invest in this.
Reputation takes years to rebuild. The reality is, we built the internet based on trust. We assumed everyone on the internet would have good intentions and that’s not true. We’re still playing catch up.