Purchase May Have Protected Hospitals [Intelligencer Journal (Lancaster, PA)]
(Intelligencer Journal (Lancaster, PA) Via Acquire Media NewsEdge) Staff Writer
The parent company of two local hospitals reiterated Wednesday that no local patient data was stolen in a cyberattack earlier this year.
"We have identified the physician practices and patients affected by the cyberattack, and the practices affiliated with Lancaster Regional (Medical Center) and Heart of Lancaster (Regional Medical Center) were not affected," Community Health Systems spokeswoman Tomi Galin said in an email.
Galin did not explain why the two hospitals and related practices were spared. However, it may be because CHS acquired them only recently.
CHS acquired Lancaster Regional, Heart of Lancaster in January from former owner Health Management Associates. Also acquired in that deal: Carlisle Regional Medical Center.
Like the Lancaster hospitals, Carlisle Regional wasn't affected by the breach, its CEO, Rich Newell, told the Carlisle Sentinel on Monday.
Carlisle Regional was still on its old electronic records system, which isn't the one used by other CHS hospitals, Newell told the paper.
Newell's explanation makes sense, said Tom Katona, a insurance IT expert and partner in Agentic Insurance, a company that provides cybersecurity insurance.
"If (the IT systems) are segregated, it's not going to be an issue," he said.
The Lancaster hospitals have not commented independently on the breach, referring all inquiries to CHS' corporate headquarters.
CHS revealed Monday that its systems had been hacked in May and June, and that information pertaining to about 4.5 million people was stolen.
The company identified the attacker as an "Advanced Persistent Threat" group based in China. The victims were patients of CMS- affiliated physician practices.
CHS said it is notifying the affected individuals and providing identity theft protection.
The stolen data included names, addresses, phone numbers and Social Security numbers but not credit card or medical data, CHS said.
The incident is "by far the largest hacking event involving protected health information" since the U.S. Department of Health and Human Services began tracking incidents in 2009, the industry publication Health Data Management said.
CHS owns more than 200 hospitals in 29 states.
Reuters reported Wednesday that the Chinese hackers breached CHS' systems by exploiting the Heartbleed bug.
Heartbleed is a security flaw in OpenSSL, open-source software used on servers to encrypt data transmissions.
Heartbleed was the subject of huge publicity after IT security firm Codenomicon reported its discovery. That was in early April, a month before CHS says the Chinese cyberattack began.
IT professionals were encouraged to assess their systems' vulnerability and download the appropriate patches, while ordinary users were advised to change their passwords and monitor their financial records.
Data security is a major issue for hospitals. According to a 2012 study by the Ponemon Institute, 94 percent of health care organizations suffered breaches, costing an estimated $7 billion a year.
"It's incredibly difficult for IT staff to keep up with this stuff," Katona said.
Lancaster General Health has "lots of firewalls in place" and even pays experts to try to hack into its systems, CEO Tom Beeman told the audience at a Rotary Club of Lancaster luncheon on Tuesday.
LG Health continually evaluates its systems and protocols and believes they are robust, he said.
Unfortunately, today's bad guys are very sophisticated.
"I'd love to guarantee that it can't happen," he said, but a categorical promise wouldn't be realistic.
(c) 2014 ProQuest Information and Learning Company; All Rights Reserved.
[ Back To TMCnet.com's Homepage ]