John Riggi, AHA senior advisor for cybersecurity and risk (pictured above), sat down with AHA Today to share takeaways from a recent Senate Cybersecurity Caucus briefing on cybersecurity and health care. Criminal and nation state cyber adversaries are adopting more sophisticated tactics, such as targeted ransomwareattacks, which can shut down and encrypt both a hospital’s main information networks and its backup data, Riggi notes. This can directly impact public health and safety by forcing hospitals to cancel medical procedures and divert ambulances, while making it harder to restore care delivery operations without paying hackers to release the data. 

Q: Why are data breaches a growing threat?  
A: We know criminal hackers target data-rich health records to engage in lucrative fraud schemes. We also know that adversarial nation states such as China, Russia, Iran and North Korea target medical records to identify and target individuals with access to sensitive data, such as classified information or intellectual property.  

Q: Why do cyber criminals target health care?
A: In comparison to other sectors, data from the health field often include a combination of data sets such as financial data and personally identifiable information, making health records more valuable to cyber thieves. Simply put, hackers target health care because these combined data sets make it is easier for bad actors to monetize medical records – either through sale on the dark web or through lucrative fraud schemes such as false medical billing and identity theft.  

Q: Are all health care data breaches attributable to hackers?
A:  Not all breaches are attributable to hackers. Some breaches, such as those reported to the Health and Human Services Office of Civil Rights, are due to insider threats and accidental exposure of health records; for instance, if staff look at records they shouldn't or email [accidentally] unencrypted health records. 

Q: What can hospitals and health systems do to protect patient records?
A: It is essential for hospitals and health systems to create a top-down culture where every member of the staff feels empowered and obliged to protect patients and data from cyber threats. The AHA encourages hospitals and health systems to prioritize cyber risks based on their potential to impact: 1) care delivery and patient safety; 2) security and privacy of patient and other sensitive data; and 3) business functions. It also is important to map and classify all data, systems, devices, endpoints and vendors, and implement tight controls around data storage and access, especially backup systems, to reduce the risk of compromised protected health information and the threat of ransomware.

Q: How can patients be more proactive and knowledgeable to protect their own health records?

A: Patients can do a few things to protect their health data. They should understand how and to whom they grant access to their medical records; read consent agreements carefully; and store their medical records in secure physical or electronic environments.

Related News Articles

The AHA is proud to be your partner in keeping your data — and your patients — safe.
As long advocated by the AHA, the Department of Health and Human Services today proposed modernizing the Stark Law on physician self-referral and the Anti-…
The AHA yesterday co-hosted a first-of-its-kind regional cybersecurity workshop with the North Carolina Healthcare Association and South Carolina Hospital…
The Food and Drug Administration today recommended medical device manufacturers, health care providers and patients take certain actions to reduce the risk…
Among other benefits to the community, mergers can help hospitals deploy more effective safeguards against hackers, writes AHA General Counsel Melinda Hatton.
There are numerous benefits to the community that derive from hospital and health system mergers, starting with quality improvements and expanding services.