SoCal hospitals in an 'arms race' against hackers

Almost all of the nation's hospital IT executives are concerned about the security of their patients’ data, according to a recent survey.  When it comes to the security of health care data, Southern California’s in the same boat as the rest of the country.

The health care communications company Spok published the results of a survey of more than a hundred members of College of Healthcare Information Management Executives (CHIME) earlier this year.

Cristin O’Brien, senior marketing manager at Spok, says she’s not surprised by that 95 percent of hospital Chief Information Officers report being concerned about data being compromised.

"In fact, I’m surprised it wasn’t 100 percent," she says, in light of headlines of numerous attacks against health systems nationally and internationally.

At least four Southern California hospitals have been the targets of ransomware attacks in the past year-and-a-half.

Hospitals administrators are more aware than ever of the risks, although each facility takes a different approach to prevention.

At L.A. County-USC Medical Center, Chief Information Officer Oscar Autelli says his team has improved the hospital's security systems in recent years.

"We are trying to do our best to stay current on a daily basis, as opposed to what used to be a past history of, 'we’ll do updates when we get to them,'" says Autelli. "At this point we are as current as is possible with every vendor we have and we take great efforts to stay current on a very daily basis."

Clifford Neuman, director of the USC Center for Computer Systems Security, says given hackers' ever-growing sophistication, hospitals are in "an arms race" against the bad guys.

"I think that we are probably more vulnerable today, even though the technology that are deployed are better," he says.

Vulnerabilities for patient data don’t just come in the form of hacks to software, but in the ways hospital staffers interact with digital charts.

The survey found 26 percent of CIOs aren’t sure how much patient information is shared over email, text or other systems that don’t have the levels of security hospitals require. Another 30 percent estimate more than 20 percent of hospital data is shared via unsecure methods.

Hospitals sometimes struggle to have rules that keep up with common practice, says O'Brien. She uses the example of two physicians who know each other personally coordinating care for a patient.

"You may have them in your personal contacts and so you can text them back and forth," she says. "It’s a very convenient way of communicating."

But regular text messaging doesn’t have the encryption hospitals use to protect patients' personal information. Doctors may not even realize they’re doing anything wrong, adds O'Brien.

Autelli says that’s why his hospital provides staff with encrypted software and he prioritizes education as part of security.

"At every turn we have, we try to make sure that our staff is aware of what it means when we talk about ransomware or spyware and to have a better understanding of what that might look like," he says.

Autelli won’t go into specifics, but he says the hospital has an emergency plan for hacking, just as it would for an earthquake.

"It’s going to happen. We just want to make sure that we minimize the extent of the damage as quickly as possible," he says.

This story has been updated.

Clarification: KPCC has updated the story to more precisely state the source of the data.