Indiana health care execs focusing more on IT security

2015 was the year health care got serious about cyber security.

Hackers gave the industry no other choice.

The year started with a massive data breach at Indianapolis-based Anthem Inc., which the health insurer revealed on Feb. 4. Hackers roamed around in Anthem’s computers for six weeks and stole personal and financial information of 78.8 million customers.

There have been 269 data breaches at health care organizations this year, according to statistics collected through Dec. 22 by the Identity Theft Resource Center. That’s actually down from 2014, when health care organizations suffered 333 breaches.

But the number of records stolen has soared to 121.6 million, up from less than 8.4 million records in 2014. Even without the Anthem breach, there were still 34 million records stolen this year from health organizations.

In Indiana, the number of data breaches at healthcare entities jumped from five last year to nine this year. And the number of records stolen spiraled to 4.3 million, up from about 69,000 in 2014. Among the Indiana organizations suffering a breach were Medical Informatics Engineering, Community Health Network, St. Vincent Medical Group, the Indiana State Medical Association and Aspire Indiana.

“They can and are trying to break into everything,” Doug Leonard, president of the Indiana Hospital Association, said of hackers. He added, “It’s really on everybody’s radar screen in the health care industry.”

In a survey released in August by consulting firm KPMG, 81 percent of health care executives said their organization had suffered a cyber attack in the previous two years and 13 percent said they were being attacked daily.

In late November, the bond rating service Moody’s said it would now consider cyber risk in its evaluation of health insurers and hospitals, among other businesses. Moody’s will not evaluate the cyber security readiness of the individual companies it rates, but it could use it as the trigger for stress-tests of companies, much as it does now with weather disasters or acts of terrorism.

“As cyber risk becomes more pervasive, it will take a higher priority within our analysis,” said Jim Hempstead, an associate managing director at Moody’s who was the lead author of a cyber security report released Nov. 23.

The risk of a data breach are far higher now for health care providers since the 2009 stimulus act funneled more than $30 billion to help the industry digitize its patients’ medical records. Now the federal government actually penalizes health care providers if they don’t use electronic medical records.

Also, Moody’s noted, more and more medical equipment uses the Internet to send and receive information, making that equipment vulnerable to hacking—and possibly to patient harm or disruption of services.

“We believe the sector's risk awareness is high, a credit positive,” Hempstead wrote in the Moody’s report. “Most hospitals have completed or are in the process of installing expansive, new patient information systems which likely have better safeguarding features than prior technology.”

Indiana hospital leaders say cyber security has become a huge dot on the radar screens of health care executives

“They’re all seeing other people get beat up,” said Ed Abel, a hospital accountant at Indianapolis-based Blue & Co. “There is a significant heightened awareness and they are proactively culling their vendors.”

Abel said his firm has received two questionnaires from its health care clients this year that were far more probing about how it handles sensitive health information than anything the firm had seen before.

Leonard, the president of the hospital association, said his organization purchased cyber security insurance for the first time this year. It also organized some teleconferences on cyber security for hospitals around the state.

Still, he said, no one really feels adequately protected from hackers, who even breached the federal Office of Personnel Management this year and stole employment records of millions of federal employees, including CIA spies.

“They are probably all suitably worried that they are taking all the precautions they know how to take,” Leonard said, “but with the sophisticated attacks going on, I don’t think anybody feels adequately protected.”