Cyber-security in Florida
Two cyber-laws businesses need to know about
Insiders — whether maliciously or unknowingly — are responsible for about a quarter of all data breaches at companies. Medical data is particularly attractive to cyber-criminals.
From 2009 to 2011, an emergency- room employee at Florida Hospital used his computer access to collect information on people injured in car accidents. He sold the data to a Polk County man who, in turn, used it as part of a solicitation scheme for chiropractors and lawyers. After the ER employee was fired, his wife, also a hospital worker, continued the scheme.
All three eventually pleaded guilty in federal court to stealing patient information.
In January 2012, the hospital suffered another data theft when two employees began methodically combing through droves of patient files. Each record contained a “facesheet” — a summary that included the patient’s name, birth date, Social Security number, billing details and medical diagnoses. Over the next two years, the employees reportedly printed out thousands of facesheets.
In May 2014, law enforcement officials investigating an unrelated case discovered the data breach and alerted Florida Hospital. The hospital disclosed the breach 10 months later, saying it had been under a “law enforcement hold” and had stayed quiet to avoid interfering with the police investigation It fired both of the employees, apologized to affected patients and said the incident was an aberration and did not reflect hospital staff.
“Rest assured, we investigated the matter internally and have taken measures to ensure this type of incident does not occur again,” including security upgrades and staff education, the hospital said in a statement. So far, there’s no evidence that the information has been used in any identity theft.
The incident at the hospital was just one of 780 large data breaches reported in the U.S. in 2015. In and from Florida alone in recent years: Hackers cracked an IRS database; insiders stole customer identities at Wells Fargo and AT&T; hackers broke into Starwood’s St. Regis in Bal Harbour and the Trump National Doral Miami; wayward students at Florida A&M University and Miami Dade College compromised personal information for financial gain.
While intrusions by hackers make headlines, the attacks on Florida Hospital better embody the challenges faced by large organizations in safeguarding their clients’ personal information.
For one, experts say, a significant portion of cyber-attack damage is done from the inside rather than the outside. Some 11% of large data breaches reported last year came at the hands of malicious insiders, according to the Identity Theft Resource Center, a San Diego, Calif.- based non-profit that works to prevent identity fraud. Another 15% resulted from insider negligence — employees or vendors who unwittingly exposed a company’s information to hackers by, for example, clicking on a link in a phishing email or losing a company laptop.
In addition, while hacks of big retailers may net cyber-crooks a haul of credit-card numbers, medical data is known to fetch up to 20 times more money on the black market.
Medical data — made more readily available these days by the switch to electronic health records — commands such a premium because it can be used to commit multiple types of financial crime, says Kurt Long, founder and CEO of FairWarning, a cyber-security company primarily focused on the health care sector. A medical record typically contains enough detail to false-bill insurers, collect bogus tax refunds or rack up fraudulent credit-card charges in another person’s name.
The size of hospitals also means that sensitive patient information flows through many hands, making it vulnerable to insider theft and negligence.
“Somewhere around 200 people have access to a patient’s medical record during a three-day hospital stay,” Long says. “With all those eyes — some of them prying — there’s a lot of risk that the record will be compromised.”
Long’s company, based in Clearwater markets software designed to detect possible security breaches by hospital staff.
Eva Velasquez, CEO of the Identity Theft Resource Center, says two of the best things that companies can do to prevent data breaches are to boost staff training and restrict access to sensitive information, she says. “Don’t just give everybody everything.”
Another thing they can do is invest in software to monitor computer use by employees, Long says. FairWarning tracks online access to patient records and alerts health-care facilities to unusual activity.
“We watch for statistical variations on behavior” — for example, if an employee opens up more files than usual or searches alphabetically through a patient database for no apparent reason, Long says. “It turns out those are very revealing things.”
While internet monitoring may seem Big Brother-ish to employees, it’s as old as the internet, says cybersecurity expert Keenan Yoho, a professor at the Rollins College Crummer Graduate School of Business.
“Companies have always been able to see the traffic that goes into and out of their networks,” he says. And reducing the potential for data breaches isn’t the only reason they do it — web monitoring also is a way for employers to measure worker productivity.
At least with cyber-security, he says, workers can “be comforted” by the fact that companies are trying to safeguard information, including the employees’ own personnel files.
Long says data breaches can literally be a life-or-death matter. Thieves who use another person’s name to false-bill insurers can alter the medical record and add erroneous details about blood type or drug allergies — a health threat during a trip to the ER, Long says. What’s more, patient privacy laws make it difficult for victims to correct wrong information in their medical histories.
The impact of the 2014 data breach is still playing out for Florida Hospital. John Yanchunis, an attorney with the Orlando-based law firm Morgan & Morgan, has sued the hospital in state court on behalf of a family whose young daughter received treatment at two facilities during the period in which the breach occurred.
Yanchunis says the case remains un-der criminal investigation, and he does not yet know what the ex-employees did or planned to do with the patient information. He’s seeking class-action status for the lawsuit.
“The wreckage from identity theft is catastrophic and lasts forever,” he says, noting that information from a stolen medical record can be misused for many years. “Your name, address and Social Security number do not go stale.”
The U.S. health care sector accounted for 35% of publicly disclosed large data breaches last year, with more than 120 million records compromised.
Cyber-security companies have sprung up around Florida to meet growing demand from banks, hospitals and other businesses. Health care organizations in particular face an increasing threat from hackers. The global health care cyber-security market is expected to nearly double from $5.5 billion in 2014 to $10 billion by 2020. Meanwhile, Florida’s colleges and universities are turning out graduates to fill cyber-security jobs. Even the state’s dubious ranking as a top spot for identity thieves makes it a logical place for cyber-security companies, says Sri Sridharan, managing director of the Florida Center for Cybersecurity at the University of South Florida. With “a lot of crooks” here, he says, “this is close to where the business is.”