UCLA’s Big Data Breach Is No Shock

Many Providers Aren’t Proactive Until They Are Forced To
Ron Shinkman

When the UCLA Health system announced that it had been the victim of a hack and the non-encrypted personal information of some 4.5 million patients had been compromised, it made big headlines in Southern California and nationally.

Unfortunately, I had to all but stifle a yawn.

It was another in a series of non-shocking shocking stories about lax healthcare security.

Why is it non-shocking? Because I almost always gathered up the same quote or conclusion from experts I’ve interviewed on this topic: Hospitals and healthcare systems won’t do anything about truly securing their patient records until something bad happens to their organization.

Meanwhile, we’re so inured to daily reports of big businesses being hacked, we barely pay attention to them anymore. The UCLA hack probably affected me. So did the big Anthem hack. Ditto for the DSW Shoes hack. And the Target Stores hack. I check my credit report every few months, because in this era of corporate cyber carelessness, that’s all you can really do.

And yet encrypting patient records or the devices that hold them is easy and these days almost always free -- the result of software designers and tech manufacturers working to make encryption a nearly universal feature of their products.

Encryption is also a HIPAA get-out-of-jail card. If a device containing patient data is encrypted and it is lost or compromised, the incident doesn’t need to be reported to federal authorities. And if you don’t have to report the incident, it won’t be published on the so-called “Wall of Shame” -- the list of breaches involving 500 or more patient records that is regularly updated and made public by the U.S. Department of Health and Human Services.

Yet I keep on encountering the same sort of incident: A doctor or hospital employee has a laptop or tablet swiped from their car or home. Or someone walks through an unsecured office and steals a bunch of desktop computers. Or a thumb drive that backs up an MRI machine or some other scanning device disappears. The devices contain hundreds, if not thousands, of patient records. And none of the purloined data has been encrypted.

Granted, the UCLA incident involved a hacker compromising an entire network, which is not quite as simple to encrypt as a single device. And while my colleagues at the Los Angeles Times rightly pointed out that UCLA Health’s lack of encryption is a troubling fact, they didn’t really delve into how simple encryption actually is. The University of California has established an internal cybersecurity group to examine its computer networks as a whole. But it didn’t directly pledge to encrypt its network, or even the individual devices that are linked to it. The former could have been accomplished in a matter of weeks; the latter, within a single day.

Apparently, UCLA Health’s bad news may still not be enough to push it to make a big change.

The UCLA breach will be published to the “Wall of Shame,” but really, it’s a wall only known within the healthcare sector.

Instead of just having to disclose the incident to an obscure HHS webpage, it would be far more illuminating if UCLA Health was compelled by regulators to create a series of print and electronic public service announcements. Those announcements would have the same feeling of all those promotional ads big hospital systems run these days -- stock photos of highly attractive groups of diverse people wearing lab smocks and smiling; videos of smiling families visiting their doctors, etc.

But the tagline would be slightly different: “UCLA Health Saves Lives. But Your Personal Data Can Drop Dead.”

That would likely get some attention from the public. And maybe some encryption where it’s sorely needed.

Ron Shinkman is the Publisher of Payers & Providers.