Chinese Hackers Steal 4.5M Patient Records – Questions Arise About Healthcare Cybersecurity Efforts
Key Takeaway: Last week, Community Health Systems (CHS) had 4.5 million patient records stolen by a Chinese hacker group that possibly exploited the Heartbleed vulnerability. This event points to the greater issue of cybersecurity and healthcare. Are healthcare systems and providers prepared to deal with sophisticated cyber attacks?
Why It Matters: According to reports, CHS had unsophisticated systems in place that were not prepared to prevent this attack. The announcement caused outrage across Washington and brings a whole new level of scrutiny to the healthcare industry, as efforts to modernize the healthcare industry continue via the Health Information Technology for Economic and Clinical Health (HITECH) Act and provisions in the Affordable Care Act (ACA).
While it has not been confirmed whether the Heartbleed vulnerability is to blame, one security firm – TrustedSec – is contending that the hackers used Heartbleed to gain access to patient information. The vulnerability, announced in April, received a lot of attention because the open source data-encryption software that contained it had been used in many websites. Internet users everywhere were encouraged to change their passwords after sites patched the vulnerability to prevent access to their information.
On top of this announcement, federal agencies and Congress have also started to discuss the topic. Last week, the FBI spoke out about healthcare data security by sending a warning that healthcare systems are likely to be targeted by hackers. Read more about the announcement here (http://www.ihealthbeat.org/articles/2014/8/21/hackers-directly-targeting-health-care-organizations-fbi-warns). Meanwhile, Sen. Tom Carper (D-DE) wants to see more legal protections in place to respond to such cyber attacks because they not only affect people’s privacy but also have greater implications for the national economy.
In Alabama, five former patients of CHS filed the first class action lawsuit against the company over the breach on behalf of any current and former patients. The lawsuit charges the Tennessee-based hospital chain with breach of contract, negligence, infringement of the Fair Credit Reporting Act and violation of privacy. The largest HIPAA settlement to date was $4.8 million for New York and Presbyterian Hospital (NYP) and Columbia University (CU) for disclosure of 6,800 records. In this instance, a physician creating new applications caused patient information to be searchable on the internet. Both organizations agreed to take corrective actions after the discovery of the breach.
For those who are interested in learning more about what colleagues are doing to prevent cyber attacks, and in discussing the challenges and latest trends in cyber security, please join CHIME for one of our upcoming regional LEAD Forums:
- New York, NY – September 15, 2014. Register here (http://www.cio-chime.org/events/forum/lead/index.asp?).
- Washington, DC – October 6, 2014. Save the Date!
- Houston, TX – December 9. Save the Date!
Legislation & Politics
Congress Responds to CHS Breach
Key Takeaway: In response to the breach of 4.5 million patient records at Community Health Systems (CHS), a bipartisan, bicameral group of federal lawmakers has expressed the need for a renewed focus on cybersecurity.
Why It Matters: Members of Congress have joined the outcry following last week’s breach of 4.5 million patient records at CHS, which operates 206 hospitals across 29 states. The CHS breach, on the heels of the health.gov security concerns, has garnered attention from members of both the House and Senate.
Lawmakers have questioned the preparedness of entities to protect patient data and the need for additional regulatory action. Cybersecurity has consistently been a bipartisan issue in Congress.
Senate Homeland Security and Government Affairs Committee Chairman Tom Carper (D-DE) called on Congress to work with the Administration and stakeholders to reform existing laws. He emphasized the need to comprehensively address serious cyber challenges to protect the nation’s critical infrastructure.
As the ranking member of the Senate Health, Education, Labor and Pensions (HELP) Committee, Lamar Alexander (R-TN) echoed Senator Carper’s concern. Senator Alexander expressed interest in convening healthcare companies and technology experts to see whether more federal assistance is necessary to prevent such attacks. In the House, Vice Chairwoman of the House Energy & Commerce Committee Marsha Blackburn (R-TN) viewed the breach as a demonstration that security of personal health information must be a top priority for the federal government.
More Testing, Renewed Focus on C-CDA to be Part of ONC Interoperability Strategy