Why some patients are losing trust in the health care cybersecurity—and how that could change how much you pay for care.

The patient hesitated.

Eric—not his real name—had come for an appointment at his regular health care clinic, where he’d been a patient for years.

The worker at the desk wanted to scan his driver license. The clinic had done the same thing the year before.

“The woman that asked me for this said it was part of their procedure, and she did not know what happened to past one that had been scanned,” Eric said.

But Eric was concerned. Did they really need to store a copy of his personal ID—especially when they were unsure of the location of the last year’s scan? 

“It makes me nervous because I hear all the time about fraud, misuse of information and information getting stolen or lost, especially in medical offices,” he said to Archer News.

A patient said he is concerned that his doctor’s office required a scan of his driver license to receive care. Image via Pixabay.

He talked to the clinic manager, who gave him a pamphlet about privacy—and some words of warning.

“The office manager told me, ‘If you refuse to provide this to us when we ask, then you won’t be seen in this clinic,’” Eric related. 

But with breach after breach of health care data, and hospitals falling victim to ransomware, Eric is not the only patient worried about losing his information through his doctor’s office.

“Yup,” said Lee Tien, senior staff attorney with the Electronic Frontier Foundation, a non-profit digital rights group. “It’s a big problem.”

And it turns out, it’s a big problem that could ultimately change how you get health care—and how much you pay for it. 

The Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 in ransom to get their files back after a cyber attack. Image via Wikimedia Commons CC0 1.0 Universal Public Domain Dedication.

Losing your data

Attackers like your password and credit card number. But they may like your medical records even better, said Satyamoorthy Kabilan with The Conference Board of Canada, a non-profit research organization.

“The value of the complete health record with all this detailed information on a person is incredibly high, said Kabilan.

Valuable to hackers, valuable to you. Still, health care companies have lost people’s data, sometimes in massive quantities.

Cyber invaders stole account info for 90 million Premera Blue Cross and Anthem health insurance customers in 2015, according to the U.S. Department of Health and Human Services.

Anthem building in St. Louis, Missouri. Malicious hackers stole millions of customer records in 2015. Photo credit: MattHurst via Foter.com / CC BY-SA

In 2016, attackers took more than two million people’s records from 21st Century Oncology, 3.6 million from Banner Health, and 3.4 million from Newkirk Products, a company that makes health care ID cards, HHS reported—just three of more than 300 health care breaches that affected more than 500 people last year.

Ransomware is hitting hospitals as well, with Hollywood Presbyterian in Los Angeles paying $17,000 to get its computers back in February, and Kansas Heart Hospital in Wichita paying ransom in May, only to have the attackers demand more money before decrypting all of its files.

Analysts predict 2017 will also be grim.

“Health care organizations will be the most targeted sector with new, sophisticated attacks emerging,” said Experian in its 2017 Data Breach Industry Forecast report.

Johns Hopkins University in Baltimore, Maryland. Newkirk Products—a company breached in 2016—was a service provider for Johns Hopkins Employer Health Programs, which served students at the university.

Who’s responsible?

It’s not your doctor’s fault, Tien said.

“I can’t tell whether my machine is secure. You probably can’t. Your doctor can’t and I want her or him treating patients, not testing computers,” he told Archer News.

“It’s not usually the thing that we teach them when you go to medical school or nursing school,” said Kabilan.

Push for e-records

The underlying problem, according to Tien, is that the U.S. government pushed for electronic health records and “big data” in medicine, but did not push for security.

Though digitizing records can have great benefit for health, there is also a downside.

“That made everyone take something that was on pen and paper and move it to the electronic realm,” said Denise Anderson, president of the National Health Information Sharing and Analysis Center, or NH-ISAC. “But there was no talk of security.”

“That in effect made everybody’s health records available to the criminal, and now we’re going behind and ‘chasing our tail,’ so to speak.” she added.

The push to move paper medical records to electronic media gave rise to more vulnerability of health data, experts say. Image via Pixabay.

Complex

Some health care providers are using old equipment or systems.

Add to that the rapid innovation in health care technology, like blood pressure meters that send your health data to your smart phone, and a pill you swallow that can talk to your nurse.

“Even that level of communication is going to make those devices vulnerable,” said Anderson.

Plus, you need to have some health information accessible quickly, and iron-clad security could slow things down, said Kabilan. 

“If you turned up in the ER, would you want to have a nurse take three hours and 17 passwords to be able to find out your blood type?” asked Kabilan. “Or would you want the nurse to be able to take a fingerprint and—bam!—know it right there?”

The problem is complex. “There is no simple answer for this,” he said.

Technology developments allow some blood pressure monitors to send data to your phone or to your health care provider. Image via Pixabay.

Resources?

The non-profit NH-ISAC works to share cybersecurity information among health care providers around the country so they can better prepare.

The group warns organizations about phishing, data theft, hacktivism, ransomware, espionage, terrorism and more.

They share solutions, such as keeping an MRI machine with old, vulnerable software separate from the Internet, so hackers can’t mess with MRI data or treatment.

“The big players in the field have good ‘best practices’ in place,” said Anderson. “They’re fairly sophisticated in their stance. But there’s a lot of really small players in the health care sector that either aren’t aware of the situation or don’t have the resources in place or the funding in place to do many of the things that are considered best practices.”

“That’s a goal—to help smaller players in the sector—that we can do,” she said.

If a medical device like an MRI machine runs on old software, medical centers can isolate them from the Internet to prevent hacking, experts say. Photo credit: Liz Henry via Foter.com / CC BY-ND

Basic mistakes

Most health care providers want to be secure, according to Anderson.

Some, however, make brutal, basic mistakes.

The University of Massachusetts Amherst agreed to pay $650,000 in November for allegedly violating the Health Insurance Portability and Accountability Act Privacy and Security Rules. HHS said UMass didn’t have a firewall—a basic security protection—in place in 2013, allowing malicious hackers in to steal personal medical data.

In July, Oregon Health and Science University in Portland agreed to pay $2.7 million for its alleged HIPAA violations that lead to “significant risk of harm” to more than 1,000 patients in a breach, HHS reported, calling the problems “widespread and diverse.”

In June, Catholic Health Care Services of the Archdiocese of Philadelphia said it would pay a $650,000 fine for a breach in which an employee’s phone was stolen. The phone held patient data, including Social Security Numbers, diagnosis and treatment info and more, but it was not encrypted or password-protected.

University of Massachusetts Amherst. The university did not have a firewall in place to protect personal medical data & paid a fine, according to HHS.

Nervous

All this leaves some patients nervous about handing over their crucial personal information. 

“Seeking medical care in itself can be stressful and we don’t need you to do things that make us be in more fear,” Eric said. “That is not good medical practice.”

Archer News checked in with Legacy Health—the organization that runs Eric’s clinic in Portland, Oregon—about his concerns, keeping his name anonymous at his request.

“I appreciate where the person is coming from,“ said John Kenagy, chief information officer at Legacy, among other roles at the organization. “Your readers, they’re not being paranoid.”  

Kenagy said Legacy works constantly to defend against cyber criminals, testing its systems, training employees, deploying special technology, monitoring incoming and outgoing Internet traffic, conducting risk assessments and audits, and making sure the organization meets HIPAA requirements for security and privacy.

“Not only am I the CIO of Legacy, but I’m also a patient, and a parent and spouse of patients. I take that security really, really seriously,” he said. “We all feel a moral obligation and many of us, a personal obligation.”

Legacy Emanuel Medical Center in Portland, Oregon, part of the Legacy Health system. By M.O. Stevens – Own work, CC BY-SA 3.0 

Legacy sends test phishing e-mails to workers to see if they will click on a malicious link, and if they do, they receive extra information and training, he said. 

Also, employees are not allowed to use personal e-mail at work.

“That was extremely unpopular, but it closes a hole. We attempt to be one step ahead of the bad people,” he said. “We’re very, very concerned about it.”

Legacy Mount Hood Medical Center in Gresham, Oregon, part of the Legacy Health system. For security reasons, Legacy employees are not allowed to use personal e-mail at work, according to the CIO. By M.O. Stevens – Own work, CC BY-SA 3.0 

License scan?

As for Eric’s driver license, Shannon Kennedy, Legacy’s chief compliance and privacy officer, said she knows of no policy requiring a license scan.

Showing ID, however, is crucial, she said.

“One of the biggest pieces of evidence that we rely upon when we have a medical ID theft situation is being able to take a look at a copy of a person’s ID,” she explained to Archer News.

“I would say it’s a standard practice, and again, the practice is to make sure we’re validating a person’s identity when we’re providing them with a service,” she said.

With Medicare the situation may be different she said, as Medicare requires a subscriber ID number, which uses part of a patient’s Social Security Number, Kennedy said.

Other than that, if a patient does not want their ID scanned?

“No problem, we don’t have to copy their ID. Make sure you validate that they say they are who they say they are,” she said.

Patients should receive the phone number for privacy officer, so they can call if they have questions about requirements and policies, she added. 

“I wish consumers and patients particularly knew that they really do have access to an expert who can answer their questions,” she said.

Legacy Health provides a hotline for patients to call with questions about their personal data.

Trust

Eric did receive that number from the office manager and a suggestion to call if he wasn’t happy about the policy. But it was too late—his trust was already gone. 

“I chose not to because I knew I would not get anywhere with that office either,” he said.

 Trust is vital, according to Kabilan.

His team conducted research into the future of technology and health care. Their scenarios showed that major breaches could erode trust so much that the public no longer believed that using heath care technology was beneficial.

“What we saw was a future where the cost of medical care goes up and quality of care goes down,” Kabilan told Archer News.

“For the sake of our own health care future, we have to make sure that trust isn’t destroyed,” he said.

Researchers say lack of trust in medical cybersecurity could lead to a future where the public does not accept new developments in health care technology.

What can you do?

Ask questions, experts say. You might start with the privacy officer at your health care organization.

“Asking questions raises awareness,” said Kabilan, who also suggested asking questions of the regulatory authorities enforcing cybersecurity rules for health care facilities.

“Raising awareness is great,” echoed Tien.

Tien said legal action and class action lawsuits will help health care organizations change their security practices.

As for Eric, he encourages speaking up about your health care security concerns, instead of silently and nervously following every demand.

“I think we comply too much in general and need to question things that don’t seem/feel right and get more information,” he said.