Scripps Health Says Some Patient Info Acquired During Ransomware Attack
Speaker 1: 00:00 Scripps Health confirmed in an email that nearly 150,000 patients, staff and physicians had their personal information compromised during the ongoing ransomware attack, and of those, Scripps says a small number had Social Security and driver's license numbers exposed. The sheer scale of the incident and the number of those potentially affected by it are raising questions of how best to safeguard against similar attacks in the future. Joining me is Mark Heckman, a computer science professor and cybersecurity expert at the University of San Diego. Mark, welcome.

Speaker 2: Thank you. Happy to be here.

Speaker 1: So what are the immediate concerns about how hackers can exploit this information?

Speaker 2: 00:41 Blackmail is a possibility. If people have had some medical treatment that is sensitive, that they don't want the world generally to know, they could potentially be blackmailed. Also identity theft. The amount of personally identifiable information in a health record is considerable, and we have lots of examples of people whose health records were stolen, whose identity was then stolen. The thieves were able to open up accounts or get medical care in the name of another person and run up quite large medical bills that were then presented to the real person, who said, "I don't know anything about these bills." It can take years to try to remove these debts from your credit history.

Speaker 1: 01:26 For those affected, what are some of the best steps to take to ensure the safety of their personal information?

Speaker 2: 01:31 Well, there are two problems here. One is trying to protect your personal information, and the other is to try to mitigate the problems after the information has already been stolen. And for many of us, our information has already been stolen. We've had so many examples in past years, not just health records, but financial information, the Experian hack of a few years ago. So to protect our information, it's kind of late in the day to do that. What we have to do now is try to pick up the pieces and try to prevent the damage from getting worse. For example, doing a credit freeze, or at least requesting a copy of your credit history periodically to check if people are using your credit history or using your information to open up accounts or to obtain services in your name that you could potentially be held liable for the debts.

Speaker 1: 02:16 Best practices for organizations that could be targeted by hackers?

Speaker 2: 02:20 There's a large body of security best practices, or cyber hygiene, and organizations like Scripps that are medical providers are subject to regulations under the HIPAA Act. So there is a set of rules, security and privacy rules, that they're supposed to follow, and they could be subject to large fines if it's found that they failed to follow those best practices. But what we're finding in a lot of the most recent ransomware attacks, for example the one on Colonial Pipeline, is that many companies are not following these best practices, are not following the basics of cyber hygiene. And these are companies that have very valuable information. The value of a health record is probably a thousand dollars each on the black market. So there's a lot of value in stealing health records, and I don't know that all of these organizations have properly accounted for the risks that they're facing.

Speaker 1: 03:13 We've seen a number of attacks in the weeks since the Scripps hack happened. What are the lessons for individuals for sharing personal information with these large institutions that may be vulnerable to that ex...

Speaker 2: 03:25 There's not a lot we can do. If you're dealing with a large organization that requires your personal information, like your Social Security number, you really have very little recourse in terms of providing it. Now, I mean, there may be alternatives. You may be able to provide an alternative number. It creates problems, though, because most of these processes are not set up to account for alternate numbers. The assumption is made, it's built into the process, that it's going to be your driver's license number or your Social Security number. And if you don't do that, if you've diverged from the standard practice, even if it's allowed, it may gum up the works. And so you may be making your life more difficult in some way. For places where it's optional to provide information, for example, you don't have to tell Facebook your actual birthday. So whenever possible, whenever it's not required, don't give up this personal information, and then you reduce the possibility of it being stolen from yet one more database.

Speaker 1: 04:19 Is the scale of this particular hack typical of these kinds of attacks?

Speaker 2: 04:24 Oh, absolutely. A large organization like Scripps handles the records for what, hundreds of thousands of patients. If it's found in one place, you've found it for just about everybody in that place. And then the attackers can exfiltrate that data. They can steal that data, make a copy of it, and then once it's in their hands, it's too late to get it back.

Speaker 1: 04:41 You mentioned earlier that having these records stolen and not having enough resources allocated to safeguard them could be a HIPAA violation. Do you have any sense of how much these organizations like Scripps, for example, get fined for these incidents?

Speaker 2: 04:58 Remember what the current level of fine is? It's somewhere between 500 and a thousand dollars per record. So potentially organizations have faced fines in the millions of dollars for losing patient records. I don't know exactly the nature of all of the information that was stolen from Scripps, but Scripps could be facing a serious fine for failure to adequately protect their patient information.

Speaker 1: 05:22 What lessons can be learned by other large institutions about cybersecurity from this hack?

Speaker 2: 05:26 Other organizations that haven't been hacked by ransomware, for example, shouldn't relax, because they are targets. The bad guys are out there looking for targets like Scripps. So the lesson is you can't relax, but we know from experience, we've seen it over and over again, the risk is higher than you think, and you need to devote more resources and more thought to protecting the sensitive information, because it's all valuable and you're targeted.

Speaker 1: 05:50 I have been speaking with Mark Heckman, a computer science professor and cybersecurity expert at the University of San Diego. Mark, thank you so much for joining us.

Speaker 2: 05:59 It was my pleasure. Thank you for having me.