Hacker calls health security 'Wild West'
Kevin Johnson is a professional hacker – albeit a self-described ethical one. As head of the security consulting firm Secure Ideas, his job involves hacking into organizations' networks and applications to identify vulnerabilities. And what he sees in healthcare terrifies him.
Johnson, who moderated a panel at the HIMSS/Healthcare IT News Privacy and Security Forum June 16 in San Diego, has conducted tests for health insurance companies, hospitals and medical app companies, and for the overwhelming majority of them, "security sucks," he said.
In an alarming number of cyberattacks, for instance, organizations were completely unaware they had been hacked, according to a March Federal Bureau of Investigation report. Some "3,000 organizations of all types, but very many of them medical related, the way they found out there was a problem with their network is they got a phone call from the FBI," said Johnson. "If the FBI is initiating your incident response, you have a problem."
Part of the security problem pertains to perceptions of these healthcare organizations – in particular many smaller hospitals. "They'll say to you, 'who's going to attack me? I'm some small hospital…we don't have anything people care about; we don't have credit card numbers,'" he said.
These perceptions can get organizations and, more importantly, consumers into a whole lot of trouble. Using medical records for identity theft actually profits the bad guys more than credit card numbers do, he pointed out. "Here is a massive piece of data that as a bad guy, I would want to have access to."
Hospitals are far from the only offenders, Johnson added. Vendors are equally to blame for shoddy security.
Johnson recalled conversations with medical app developers, one in particular about an app used by major hospitals and recommended by insurance companies.
The developer described the security of the app as "base64 encryption," something that doesn't actually exist. "Base64 is not an encryption mechanism; it's an encoding mechanism," said Johnson. "That's like saying because I spoke in French and you don't understand French, it's secure."
Due to non-disclosure agreements, he can't name the app, but because of the deficiencies of apps and third-party vendors out there, Johnson recommends healthcare organizations verify vendors' security and make it part of their contract.
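The distinction Johnson draws is easy to verify during the vendor review he recommends: a field that is merely base64-encoded decodes back to readable plaintext with no key, while real ciphertext decodes to bytes that look random. The check below is an added example (not code from the article, Secure Ideas or any vendor); the sample record and the ciphertext stand-in are constructed values, and the thresholds are assumptions chosen for illustration.

```python
import base64
import binascii
import math
import string

PRINTABLE = set(string.printable)

# Constructed sample: a fictional record a vendor might store "base64-encrypted"
SAMPLE_RECORD = b"patient=J.Doe;ssn=000-00-0000;visit=2014-06-16"
ENCODED_RECORD = base64.b64encode(SAMPLE_RECORD).decode()
# Constructed stand-in with the flat byte distribution genuine ciphertext has
CIPHERTEXT_STANDIN = bytes(range(256))
ENCODED_CIPHERTEXT = base64.b64encode(CIPHERTEXT_STANDIN).decode()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text sits well below 5, ciphertext approaches 8."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (1.0 for ordinary text)."""
    return sum(chr(b) in PRINTABLE for b in data) / len(data) if data else 0.0


def assess_field(value: str) -> dict:
    """Decode a field a vendor claims is 'encrypted' and report whether the
    result is readable plaintext (encoding only) or opaque bytes."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return {"base64": False, "verdict": "not base64"}
    ratio, entropy = printable_ratio(raw), shannon_entropy(raw)
    # Assumed thresholds: readable text is almost all printable and low entropy
    if ratio > 0.9 and entropy < 5.0:
        verdict = "encoding only: plaintext recovered without a key"
    else:
        verdict = "opaque: consistent with real ciphertext (verify the scheme)"
    return {"base64": True, "printable_ratio": ratio, "entropy": entropy,
            "verdict": verdict, "decoded": raw}


if __name__ == "__main__":
    for label, field in (("record", ENCODED_RECORD), ("cipher", ENCODED_CIPHERTEXT)):
        print(label, assess_field(field)["verdict"])
```

An "opaque" result only rules out bare encoding; confirming the vendor actually uses a sound cipher and manages keys properly still requires reading the design and the code.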
Security deficiencies and subsequent data breaches can also be partially attributed to IT folks failing to do their job, he added, and neglecting to detect in a timely manner when something on the network looks wrong. He's aware he comes off harsh, but there's good reason for it.
Just as someone who drives the same car to work every day would notice a noise it never made before, IT folks should know what is normal on their networks: how much traffic they carry and what processes run on their machines. Then, if a keylogger were installed, it wouldn't take a month to identify, as it did at UC Irvine last month.
"This is not just a security thing; this is an everything thing. If you don't know what's normal on your network, how can you manage your network?" he said.
In addition to the glaring security failings on the IT end, healthcare's clinical end doesn't exactly breed a culture of security, noted Johnson.
He recounted one of his recent visits to the doctor where, upon arrival, he was asked to sign in on a piece of paper, together with his Social Security number, date and the reason for the visit. Johnson told the staff he wouldn't be filling it out, a response met with a considerable amount of shock.
"Well, Kevin, I think you're making a bigger deal of this than it is," said one staff member.
But he works on the incident response end. He sees the identity theft, the hacking, the breaches and the severe network deficiencies. It is a big deal, Johnson countered.
Healthcare security, in its current state, is "the Wild West," he added. "What's in the news is just the tip of the iceberg."