Even in the heavily privacy-regulated healthcare industry, few people realize how vulnerable many of our systems – from EHR to connected medical devices – are to cyberattacks. With recent headlines highlighting the misfortunes of the Home Depots and Sonys of the world, many healthcare organizations don’t see themselves as targets for sophisticated cyberattacks.
Unfortunately, that couldn’t be farther from the truth. It shouldn’t be surprising that the theft of patient data is on the increase as this information is significantly more valuable than credit card data, with some reports suggesting a 20x differential. Financial services companies have become very adept at countering credit card theft, specifically by quickly discovering and cancelling compromised credit cards. Medical data, on the other hand, contains dates of birth, social security numbers, and physical descriptions – information that cannot be easily reset.
Of course, a contributing factor to the increasing frequency of healthcare breaches is the digitization of the medical record. While there are several clinical benefits of moving away from paper record systems, it has also made patient breaches, at scale, a grim reality. The race to roll out EMRs has not always been accompanied by a commensurate investment in the security infrastructure to support this environment, leaving some health systems unduly vulnerable.
For the healthcare industry, it was only a matter of time until a Target-scale breach hit a major insurer or hospital group. Last week’s attack on Anthem, best known for their Blue Cross insurance brands, appears to be particularly harmful, with the company acknowledging in a statement that:
“...hackers have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.”
With this information, the threat of identity theft is a real one for consumers whose data was compromised in the breach.
The Anthem hack – similar to most of the high-profile breaches we’ve heard about in the last year – isn’t an indictment of any particular company or even technological solution. Hackers and their tools have become incredibly sophisticated while too many of our systems, in healthcare and elsewhere, simply aren’t keeping up.
As healthcare organizations rethink their security strategies in the face of advanced threats, they need to consider three primary inroads that hackers can use in a healthcare cyberattack.
Traditional cyberattacks
Malware, phishing schemes, trojans, ransomware – these are the types of cyberattacks that happen to all institutions, though some are more likely to make headlines than others. The healthcare industry often lacks the built-in protections and underlying security mindset of other industries and is thus particularly vulnerable to cyberattacks. Malicious software, whether deployed through targeted attacks, spam, compromised websites, infected mobile devices or otherwise, can not only expose sensitive data but also create expensive IT headaches. In fact, a 2012 Ponemon Institute study found that data breaches cost the average healthcare organization roughly $2.4 million over the previous two-year period.
Connected medical devices
In 2011, the Association for the Advancement of Medical Instrumentation (AAMI) found that the average hospital had 1.4 networked medical devices per bed. Today, everything from IV pumps to heart monitors can be networked and automatically interfaced with EHR systems, providing real-time alerts to healthcare providers. In terms of patient care and operational efficiency, this is a good thing; from a security perspective, however, it’s a potential nightmare.
Countless diagnostic machines, including CT scanners and MRI machines, weren’t designed with security in mind and often run off-the-shelf operating systems like Microsoft Windows. Other devices typically use purpose-built software designed to collect – not protect – data. Too many of these devices are hackable, and once one of them is compromised it can give an attacker unrestricted access to additional clinical data systems. The threats don’t stop there – for instance, researchers have demonstrated how insulin pumps can be hacked to deliver a lethal dose of insulin, posing a direct threat to patient safety.
Personal and home health devices
Connected devices aren’t exclusive to hospitals. More home health devices and apps are collecting and transmitting personal health data than ever before. These devices and apps often interface directly with EHR and clinical data systems, increasing the risk should those systems become compromised. When everything from an iPhone app to a home glucose monitor can become part of the attack surface, it should become clear just how badly exposed healthcare institutions are.
The bottom line
Healthcare is a $3 trillion industry in the U.S. alone – a true jackpot for hackers. Patient data lives in countless systems across hospitals, medical practices, devices, insurance companies and even HR databases, many of which rely on legacy software, purpose-built hardware, troubled insurance exchanges and more. IT is no longer an add-on service for the healthcare industry: it is now core to successful, effective care for our citizens. Health insurers should invest in next-generation, high-speed firewalls, advanced threat protection, application security and secure wireless access to help ensure patient data is kept safe. With so much money involved, the Anthem breach may be the largest to date but, unfortunately, won’t be the last.