Originally published October 25, 2018 by Brian Gormley at WSJ Pro


Startups seek to help health organizations prevent medical identity theft.

October 25, 2018 - A recent HealthCare.gov data breach highlights the value that hackers place on medical information—and the opportunity for companies with technology to thwart these attacks.

The Centers for Medicare and Medicaid Services last week said hackers breached a HealthCare.gov portal that agents and brokers use to assist consumers seeking health insurance. They gained access to the files of 75,000 people, CMS said.

Medical-identity thieves use other people’s names, Social Security numbers and other health-record data to create new identities. Then they can secure prescription drugs and other health products or services. Health-care data hacks are growing more common and costly and continue to put patient data at risk, according to a 2016 study by the Ponemon Institute, which studies privacy, data protection and information-security policy.

Austin, Texas-based startup ClearDATA Networks Inc., whose software helps medical clients safeguard data, spotted medical identity theft as an emerging threat late last decade as health records moved to electronic formats, founder Chris Bowen said.

Digitally connected medical devices can also be hacked. The Food and Drug Administration has said device makers are responsible for testing products for cybersecurity. Last week the FDA noted cases where cyberattacks have rendered medical devices and hospital networks inoperable, and the agency issued guidance to help medtech companies tackle the problem.

The FDA’s focus on cybersecurity helps companies like MedCrypt Inc., a medical-device cybersecurity startup. Two years ago, venture capitalists would ask why anyone would hack a medical device, Chief Executive Mike Kijewski said. But awareness has come a long way, he said, and the company raised a $1.9 million seed financing in June led by Eniac Ventures.

Startups still have to spell out their value proposition to medical organizations, which have many legacy IT tools and must be convinced of the business case for buying the latest technology, said Sean Cunningham, a managing director at cybersecurity investor ForgePoint Capital.

But because of data breaches, health-care groups are inquiring about how best to protect patients from medical identity theft, ClearDATA’s Mr. Bowen said.

“We’ve seen a wake-up call happen in health care,” he said. “It’s now front-of-mind in nearly every single conversation.”

Write to Brian Gormley at brian.gormley@wsj.co