Hospital cyberattacks point to vulnerabilities in health care system


Associated Press

A cyberattack that paralyzed the hospital chain MedStar this week is serving as a fresh reminder of vulnerabilities that exist in systems that protect sensitive patient information.

That attack came a month after a Los Angeles hospital paid hackers $17,000 to regain control of its computer system and more than a year after intruders broke into a database containing the records of nearly 80 million people maintained by the health insurer Anthem.

In Anthem’s case, only a single password stood between hackers with a stolen employee ID and a chance to plunder the Blue Cross-Blue Shield carrier’s database, according to a federal lawsuit filed by customers over the breach.

Cyber criminals also have staged high-profile attacks in recent years against the federal government, retail chains and the adultery website Ashley Madison, among many other targets. But security experts say health care companies make especially inviting targets for a number of reasons.

The information they protect is more valuable on the black market than a credit-card number stored by a retailer. Health care cybersecurity also can lag behind measures taken in other sectors such as banking.

This can stem in part from a business emphasis on tight budgets and convenience over security. Health care companies also have to deal with an additional headache: multiple entry points into a system, with security quality varying among clinics, labs and hospitals that may have access.

Cybersecurity experts note that government guidelines for health care data protection also are light on details and standards. The federal law known as HIPAA tells health care companies when they can disclose a person’s records and to whom. It also requires them to protect the information.

But it doesn’t come with a lot of specific mandates for that protection, said Lee Kim, director of privacy and security for the nonprofit Healthcare Information and Management Systems Society.

Intruders cracked Anthem’s database sometime between the end of 2014 and the start of 2015 in a hack that still is under investigation. They gained access to Social Security numbers, birthdates and employment details for customers as far back as 2004, all key ingredients for stealing someone’s identity.