Whether it’s an Internet hacker stealing Social Security numbers from hospital records, a doctor’s office employee using patient data to set up phony store accounts, or an organized criminal group seeking to ransom patient information, medical identity theft is a growing crime.

Hospitals, major insurance companies and even the Veterans Administration have been targets.

That’s because medical records contain a wealth of personal and financial information, from Social Security numbers and birth dates to credit card and bank account numbers, making them invaluable to thieves looking to commit fraud, experts say.

There were more data breaches in the health care sector in 2015 than in any other critical infrastructure sector, according to a new report from the Health Care Industry Cybersecurity Task Force.

“Health care cybersecurity is a key public health concern that needs immediate and aggressive attention,” the group wrote.

“If the health care system is connected, but insecure, this connectivity could betray patient safety, subjecting them to unnecessary risk and forcing them to pay unaffordable personal costs,” they continued. “Our nation must find a way to prevent our patients from being forced to choose between connectivity and security.”

The task force — made up of government and private sector experts in the field — was established by Congress to identify health care cybersecurity risks and develop recommendations for dealing with them.

The members concluded that real cases of identity theft, ransomware and other hacking incidents prove that health care data can be used for nefarious purposes.

And more and more hackers are trying, said Rich Rogers, chief information officer for Greenville Health System.

“We have seen the volume and sophistication of attacks ... growing in the last five years,” he said. “The value of medical records on the dark net and the black market has increased.”

Security concerns

Nearly half (47 percent) of all people in the U.S. had their personal health care data compromised in 2015, according to the Institute for Critical Infrastructure Technology.

Information security is a huge concern, especially in health care, said Harold Moore, chief information officer for Spartanburg Regional Healthcare System.

And the industry faces additional challenges because health records are worth a lot more on the black market — an estimated $50 vs $2 for a hacked credit card, he said.

“If a credit card gets stolen or hacked, someone realizes it and shuts it down and reissues a new card,” he said. “When a health care record is stolen, it has information like a Social Security number ... and they can take that identity and open up other credit cards or take out loans and other kinds of things.”

Until recently, patient data was protected by a paper system, the task force said. Switching to digital increased connectivity between providers and other parts of the health care system, from blood banks and laboratories to insurers and researchers.

But it also gave rise to cybersecurity threats. And the risk increases as more medical devices use software and are connected to the Internet, hospital networks and other medical devices, the task force said.

“We see attempts almost daily,” said Christopher Schmidt, manager of information security for GHS.

“There are people seeing if they can exploit the system. And we have a team of people going through this and we’ve implemented a lot more technology,” he added. “We’re a lot more aggressive.”

The task force identified six areas that the industry needs to tackle. These include increasing the security of health IT and medical devices, improving cybersecurity readiness and education, and developing the workforce needed to ensure cybersecurity awareness and technical capabilities.

The task force also made dozens of recommendations to improve health care cybersecurity. Among them is a call for the U.S. Department of Health and Human Services to establish goals and priorities for health care cybersecurity, the development of a system of best practices for cybersecurity, the upgrading of IT systems at provider organizations to include real-time patches from software vendors, and the use of two-factor authentication to ensure that passwords alone can’t access sites.

Tackling the threat

But while health care organizations large and small have an increasing responsibility to secure their systems, most are limited by the cost and many can’t afford in-house information security personnel, the task force said. They also often lack the infrastructure to identify and track threats, and cannot take action until long after an attack has occurred.

About half of hospitals have not optimized their security infrastructure, said Idan Udi Edry, CEO of Trustifi, a cybersecurity company specializing in email security. But upgrading is something that must be done because a data breach lawsuit will cost a lot more, he said.

“The more you wait, the more it costs,” he said. “There is no other choice.”

And while there is no such thing as 100 percent protection, industry needs to respond to minimize risk, Edry said.

“In today’s world, everything is vulnerable,” he said. “We must take all necessary precautions to protect clients.”

Spartanburg Regional, which has a dedicated team of seven security specialists and a third-party firm that conducts audits every year to identify vulnerabilities, spends more than $1 million a year to keep records secure, Moore said. Its efforts include layers of security he compares to a home.

The first line of defense is the fence, which is the firewall, he said. If they get through that, they find the front door or windows, which are locked. Passwords act as the lock and software helps with viruses, he said.

And if somebody gets through the door, the next layer is a home security system. Monitoring systems play that role, he said. And once inside, the thief looks for valuables, which are stored in a safe or vault. Various encryptions serve as the vault. And the staff doubles as a neighborhood watch program to keep an eye on things, he said.

Moore said Spartanburg Regional’s last data breach occurred about six years ago prior to his arrival when a laptop was stolen. After that, he said, all mobile devices were encrypted so that they can’t be decoded without the encryption key.

The hospital also identifies patients with palm vein scanning to prevent insurance fraud, he said.

“Nothing’s perfect,” he said. “Even with layers, there are sophisticated folks out there. The bad guys are getting smarter by the minute. We constantly have to reevaluate and readjust to keep them from getting in. We take it really seriously.”

Data integrity

The hospital also has software that monitors for suspicious patterns and activity, including for third-party companies, he said.

In the event of a ransomware attack, it would institute a lock-down, he said. The data is replicated in a secondary system allowing the hospital to continue operating. The data would be useless to attackers because they couldn’t decrypt it, he said. So no ransom would be paid.

And medical equipment is also secure to prevent disruption of services to patients, he said. Mobile workstations automatically time out to prevent access and clinicians use biometric fingerprints to access them, he said.

Along with patches to keep security current, Spartanburg Regional monitors Internet traffic as well as email to home accounts containing patient data, which is flagged and stopped, he said. And accessing data with a thumb drive isn’t possible because foreign devices don’t work across the organization, he said.

“We never let our guard down. We never underestimate the enemy. It is like warfare,” Moore said. “The integrity of the data is so important to maintain confidence with patients.”

Phishing attacks, in which employees think they’re resetting their passwords but are actually giving them to someone else, are another focus, he said.

Edry said that’s important because hackers can obtain a host of information via email, including passwords, birth dates and the answers to the three most common security questions. And test results sent through email can also include a name, address, the last four digits of the Social Security number and credit card information, all of which can be used to hack a bank account.

“I can collate several pieces of information that can help me achieve your bank account, all from attachments from a blood test result,” he said. “When we’re putting in infrastructure to protect our data, we have to make sure email is fully secure, protected and encrypted, the same way we do with a credit card and chip.”
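The outbound email control Moore describes (mail to home accounts containing patient data is flagged and stopped) and the kind of content Edry warns about (Social Security and card numbers travelling inside test results) can both be illustrated with a small data loss prevention check. The code below is an added example written for this article; it is not Spartanburg Regional’s tool or any vendor product. It assumes a single internal mail domain (`example-health.org`, a constructed placeholder), treats every other recipient domain as an external or home account, and uses a Luhn checksum so that random 16-digit strings are not reported as card numbers. The sample messages are constructed.

```python
import re
from dataclasses import dataclass

# Constructed assumption: the organization's own mail domains. Any other
# recipient domain (gmail.com, etc.) is treated as an external/home account.
INTERNAL_DOMAINS = {"example-health.org"}

# Full SSN in the ddd-dd-dddd form, excluding ranges the SSA never issues
# (area 000, 666, 9xx; group 00; serial 0000) to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13-19 digits with optional single spaces or dashes between them; every
# candidate is confirmed with the Luhn checksum before it counts as a card.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(number: str) -> bool:
    """Return True if a string of digits passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Verdict:
    external_recipients: list   # recipients outside INTERNAL_DOMAINS
    findings: list              # (kind, value) pairs, e.g. ("ssn", "123-45-6789")
    action: str                 # "allow", "flag" or "block"


def external_recipients(recipients):
    """Recipients whose domain is not one of the organization's own."""
    return [r for r in recipients
            if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def find_phi(text):
    """Locate SSNs and Luhn-valid card numbers in a message body."""
    findings = [("ssn", m.group(0)) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("card", digits))
    return findings


def evaluate_message(sender, recipients, body):
    """Decide what a mail gateway should do with one outbound message.

    Policy (an assumption for this example): identifiers bound for an
    external account are blocked; identifiers in purely internal mail are
    delivered but flagged for review; everything else is allowed.
    """
    ext = external_recipients(recipients)
    findings = find_phi(body)
    if findings and ext:
        action = "block"
    elif findings:
        action = "flag"
    else:
        action = "allow"
    return Verdict(ext, findings, action)


def demo():
    """Run the check over constructed sample messages and return the verdicts."""
    messages = [
        # A clinician forwarding a result to a personal webmail account.
        ("nurse@example-health.org", ["nurse.home@gmail.com"],
         "Lab result for patient, SSN 123-45-6789, attached."),
        # The same content staying inside the organization.
        ("nurse@example-health.org", ["billing@example-health.org"],
         "Lab result for patient, SSN 123-45-6789, attached."),
        # Card number to an outside address (test number, Luhn-valid).
        ("clerk@example-health.org", ["someone@outlook.com"],
         "Card on file: 4111 1111 1111 1111"),
        # A 16-digit order number that fails Luhn: not reported as a card.
        ("clerk@example-health.org", ["someone@outlook.com"],
         "Order 1234567812345678 shipped."),
    ]
    return [evaluate_message(*m) for m in messages]


if __name__ == "__main__":
    for v in demo():
        print(v.action, v.external_recipients, v.findings)
```

The point of the Luhn step is practical: a bare 16-digit regex will flag order numbers, device serials and timestamps, and an alert that fires constantly is one that staff stop reading. Real deployments also scan attachments, not just the body, and log the flagged message so the review team can see who sent what to where.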

The task force said that because of the level of interconnectivity and diversity, and the disparity between organizations’ ability to address cybersecurity issues, health care “will only be as secure as the weakest link.” It also said that product and technology innovations outpace the development and creation of regulations.

Constant vigilance

GHS, which has a separate information security department staffed with security engineers, also has a comprehensive cybersecurity plan equipped with a variety of tools to provide sophisticated layers of security, far beyond firewalls and passwords, including on mobile devices and medical equipment, said Rogers.

“Anything that is attached to your network needs to have a security plan associated with it,” he said. “It requires constant vigilance.”

The system, which is monitored daily for potential hacks, has infrastructure to identify, track and act on threats, he said. And staff are regularly trained on new developments.

Though GHS’s IT system is about two years old, security tools are updated in real time and staff proactively look for vulnerabilities and devise plans to address them, he said.

For example, GHS has all its data backed up. So in the event of a ransomware attack, the hospital would update its security, but would not pay a ransom because that would just embolden hackers to do it again, he said.

GHS’s IT system is rated by a cybersecurity expert on a regular basis, Rogers said. And while data can never be totally secure, the IT staff is on top of it, he said.

“They’re always looking for new ways of penetrating your network,” he said. “You can never relax.”

After the personal information of about 2,500 GHS cardiology patients was breached through a third-party vendor last year, GHS developed a technical tool that does external security assessments of those companies, Schmidt said.

Mobile equipment has a default timer to prevent unauthorized people from accessing information as well.

Reducing risk

Bon Secours St. Francis Health System, which terminated an employee in 2015 after she stole the personal information of about 2,000 patients and staff, declined comment.

But AnMed Health in Anderson also has a detailed cybersecurity plan based on industry and government standards and regulations such as the Health Insurance Portability and Accountability Act, said Cherry Kent, information services security officer for the hospital, which also has a security management team in place.

“HIPAA requires that administrative, technological and physical safeguards be in place to protect patient data,” she said. “The plan constantly evolves.”

To deal with evolving threats, AnMed performs an annual risk analysis and budgets for new tools or updates based on the results, Kent said. It also has at least one external audit.

Other steps also are taken to reduce risks, such as changing processes or tightening an existing control, she said. And there is infrastructure to identify threats and act on them.

The security staff attends yearly training, gets information from vendors and other sources, and must get industry certifications, Kent said. And all staff must complete yearly cybersecurity computer-based training, she said. New employees attend cybersecurity training as well.

Also, each department has a plan to continue serving patients in the event of a cyber attack or any other emergency, she said.

“Some tools are automatically updated with the latest threat intelligence,” she said, “while others use computer algorithms to prevent unknown programs from loading on computers.”

IT requires constant updating, Kent said, and security tools are no different.

“We plan for updates and new acquisitions each year during the budgeting process,” she said.

Adapt and improve

The general standard for industry is to provide one year of identity theft protection after a breach, the task force said.

But the task force said that only helps with credit-based identity theft and doesn’t provide adequate protection given the sensitivity, value and permanence of priceless health care data.

Edry agrees that one year of credit monitoring isn’t sufficient.

“If they’ve got your information, they’ve got it for life,” he said. “You’re the same person. Even if you change the information on your credit card, you will probably live in the same place next year, still be female, still be the same height and be blond and blue eyed.”

Edry also said hospitals should avoid using Social Security numbers because they make it easier for hackers to steal your identity, providing them maximum results with minimum effort.

The task force said that although the number of providers, public and private payers and others involved in the health care industry is huge — representing almost one of every 10 jobs — there has been little focus on cybersecurity in many quarters just as cyber-criminals grow increasingly sophisticated.

So the industry must adapt and improve, they said.

“Within the health care industry, cybersecurity has historically been viewed as an IT challenge, is approached reactively, and is often not seen as a solution that can help protect the patient,” the task force wrote. “Now, more than ever, all health care delivery organizations have a greater responsibility to secure their systems, medical devices and patient data.”