“These threats are real,” Oscar Alleyne, senior adviser at the National Association of County and City Health Officials, said Tuesday during a panel in Washington. The breaches include malware attacks, computer thefts, unauthorized network access and other security breaches, according to a government database that tracks attacks in the health-care sector.
A recent trail of large-scale cyberattacks on the health-care industry exposed the vulnerability of the sector. Last year’s global WannaCry ransomware attack crippled parts of the U.K.’s National Health Service for days. In a 2015 hack, U.S. health insurance giant Anthem Inc. had about 79 million customers’ personal information exposed.
Along with detailed personal information like Social Security numbers, health-care hacks can include sensitive information about a patient’s medical history and treatment. In other cases, breaches can cripple a hospital or health system, preventing sick people from getting the care they need.
They can be a business risk, too.
“Of course, there’s privacy,” Axel Wirth, a technical architect at security firm Symantec Corp., said during the panel, “but there’s also intellectual property and business data. Your latest vaccine research could be compromised.”
In April, there were 42 reports of data breaches in the health-care sector, according to the Department of Health and Human Services database, which tracks cases where data from 500 or more people were affected.
That month, the California Department of Developmental Services reported that 12 of its computers, containing medical records of 582,174 people, had been stolen. A few days later, Inogen Inc., a medical-equipment company, said personal information of almost 30,000 customers was exposed after a hacker had gained access to an employee’s email account.
The attacks can get expensive: According to estimates Alleyne cited during the panel, a data breach can cost health-care providers more than $400 per patient.
“When I was a local epidemiologist, my county was 312,000-something people,” Alleyne said. “You multiply that out by records and see the significant cost.”
Anthem, the insurer, eventually agreed to pay $115 million to resolve consumer claims over its 2015 breach.
Health departments in counties and cities tend not to have sufficient defense mechanisms in place. Alleyne said only 33% of the local health departments in the association had plans on how to defend against a cyberattack. Only 23 conducted training on the issue, and only 8% participated in drills or exercises.