Today’s reporting (and here, here, and many other places) that Community Health Systems hospital network was hacked for personal information is alarming. Although no credit card–and NO CARE INFORMATION–was taken, social security, birthdays, and addresses all were. That is, everything necessary to open bank accounts, sign up for credit cards, and nearly anything else that counts as identity theft.
As potentially bad for the patients as this is, it’s equally bad for Community Health Systems. Apparently their stock took only a brief hit (CYH), although it wouldn’t be shocking if it moves lower again assuming the news becomes more widespread and if they are sued. This scenario is possible because although–and I would like to emphasize this yet again–NO CARE INFORMATION WAS TAKEN (medical histories, treatments, etc.) the information was still covered under HIPAA. (They do have insurance to cover cyber liability, but even so…)
I do not know how the data was kept or encrypted. It’s interesting…and somewhat heartening…to know that the care information was not accessed by the hackers. However, I believe it helps us remember that no system is completely safe, and that the highest available level of security should always be used. Currently, regarding encryption, that would be AES 256-bit encryption. It also means use of secure one-time-use keys for communication software endpoints and conscientious use of regularly changed passwords by users. It means keeping devices used within networks either on VPNs (vitual private networks) or, again, using 256-bit encrypted, password-secured communication over non-VPN networks (and why not do it on the VPNs anyway?).
So, now the question is: Does this security breach have any implications for telemedicine and mHealth? My guess is that mHealth is probably at the greater risk. I think there’s less of a general use for cybercriminals for care data than simply personal data, and that certain types of personal data, such as location data combined with the pedometer on (could indicate you’re out jogging 10 miles from your house…might be a good time to break in), make mHealth a little more nerve-wracking. Just a guess. There may be very creative ways to make use of mass medical histories and treatment information that just hasn’t been discovered yet. Thoughts?