In a small room in a downtown Dallas historic building, a team of cybersecurity analysts sits facing a large digital map of the world that shows orange dots over nations including Denmark, Liberia and Russia.

Every few seconds, a line on the screen traces a long orange path between two countries. Each line represents a virtual “knock on the door” to a computer network by a hacker trying to get access to medical data.

It’s Kevin Charest’s job to make sure they don’t succeed.

Charest is the chief information security officer for the Health Care Service Corp. Operating out of a room on Munger Avenue, the high-tech hub is responsible for protecting the records of the nearly 15 million participants in Blue Cross Blue Shield plans in Texas and four other states.

“I haven’t slept since 1979,” Charest said. And he’s not entirely joking.

Cybersecurity analyst Paul Kvernes works in the Cyber Fusion Lab of the C1 Innovation Lab in downtown Dallas. (Nathan Hunsinger / Staff Photographer)

A team of 200 analysts staffs the company's regional security operation center, called the Cyber Fusion room, on the seventh floor of the newly opened C1 Innovation Lab, where Blue Cross of Texas is testing out programs to improve health care quality and lower costs.

Charest's motto — We watch everything, everywhere, all the time, forever — is written in capital letters on a dry erase board in the suite. The hub is staffed 24-7 and includes remote offices in Richardson and in Waukegan, Ill.

As Charest points to the screen full of orange dots and dashes, his brow furrows. On average, the hub tracks thousands of attempts per second made by adversaries attacking its servers.

“If you knew what I knew, you wouldn’t sleep either,” he said.

Rising Opportunity

Access to medical data has been described as a "new frontier" for hackers as the health care industry rapidly shifts from paper records to electronic ones.

“We’ve gone through this huge digitization process that has made us a target,” said Dean Sittig, a professor of biomedical informatics at the University of Texas Health Science Center in Houston. Sittig’s research focuses on how to make technology used by health care businesses more secure.

While electronic health records, clinical data-sharing tools and connected devices such as blood pressure and heart rate monitors benefit patients and make the industry more efficient, they also can leave valuable health information exposed.

Every technology that connects to the internet comes with a security risk, since it is a potential doorway into a network. The tech-heavy health care industry has multiple entryways — from electronic health records to medical devices and laptops — where patient data is stored.

Hackers can now write programs that knock on every door quickly. “And if the computer’s not configured correctly, sometimes you can get in," Sittig said. "People used to rob banks, now they rob information.” When it comes to your health data, “there’s money to be made,” he said.

So far, Charest said, Health Care Service Corp. hasn’t experienced a major disruption. But the hypervigilance is easy to understand.

Since 2009, the U.S. Department of Health and Human Services has kept a list of data breaches in which the health information of 500 or more patients was exposed.

Over 4 million Texans have been affected by more than 150 incidents, including 11 last year, the data show.

To date, there have been more than 1,700 such incidents nationally, affecting over 162 million Americans. Theft of computers and other equipment is the most commonly reported type of breach, followed by unauthorized access and hacking.

Just this month, an unauthorized attempt to access data at the North Texas Medical Center in Gainesville left 3,350 patient records exposed. The largest reported breach in the U.S. was a 2015 hacking of the health insurer Anthem Inc. that left more than 78 million patient records at risk.

The numbers may be higher. Many incidents go unreported, either because of malice or lack of knowledge about what constitutes a reportable event, said Michael Ebert, who advises health care clients about cyberthreats for the international consulting firm KPMG.

Forty seven out of 100 senior executives at health care firms that were surveyed by KPMG last year said they had experienced a patient privacy-related security violation or breach in the past two years. But nearly as many said their companies had not increased their cybersecurity budgets, as their primary focus remains patient care.

Market Forces

There are many reasons health care data can be valuable on the dark web, experts say.

For example, people in countries where communicable diseases are prevalent may be asked to provide medical documentation that proves they don’t pose a health risk when they enter the U.S.

“So they will buy an X-ray for 250 bucks,” Ebert said.

People who cannot afford health insurance may use the identity of someone who has it in order to undergo procedures or get prescription drugs.

And corporations that know your health issues could potentially use the information against you, said Sittig.

"They're not supposed to discriminate against you for your age and gender, sex, religion and all that stuff. But say you're overweight or have diabetes and are going to take a lot of time off," he explained. "No one would want to hire someone who is going to be sick all the time."

And the health care industry is behind the eight ball when it comes to keeping records safe.

“The complexity of technology in health care is three to four times magnitude harder than any other business," Ebert said. "Yet it’s the least funded business when it comes to management of technology.”

That, Charest said, is why Chicago-based Health Care Service Corp. will be making “significant investments” in what he called “internal and external identity management” over the next two years. He declined to state how much the company will invest and offered few details.

Internally, the system could change which staff members have access to confidential information and revamp how and what they are able access from outside the office.

Externally, purchasers of health insurance may see the addition of features such as face recognition, extra authentication steps and fraud alerts, like those used in the credit card industry to flag out-of-the-ordinary purchases.

Other strategies could also be tried, but Charest didn’t want to give hackers too much insight.

“It’s like a road map for somebody to come in and fight me,” he said. “We’re always in this hand-to-hand combat: They move and I move, I move and they move.”

The cybersecurity teams monitor traffic to intranet sites used by Blue Cross members in Illinois, Montana, New Mexico, Oklahoma and Texas, sometimes just to get a baseline for what’s normal.

So if a North Texas member tries to log in from Fort Worth one day and India the next, for example, that might prompt an investigation.

They keep an eye on each attempt by entities looking to find vulnerabilities in the system. And,

so unsecured doors can be found and closed before others sneak in, some staff members are paid to try to hack into the network.

“They're allowed to lie, cheat and steal to do their job,” said Charest. It’s no wonder then that Charest said he averages only four hours and 20 minutes of sleep a night.

“We build our defenses,” he said, “but we also try every single day to break them.”