Healthcare Hacking on the Rise
Though less common than breaches from lost laptops or other devices, hacking is on the rise in healthcare, experts say. Fending off cyber criminals, however, should go beyond treating security as a routine matter of protecting patient privacy.
“It needs to be more of an ongoing, constant, holistic type of approach where you’re looking at your systems from the perspective of someone on the outside,” lead author and senior research specialist Jared Rhoads said, speaking about the risk assessments the report recommends.
Rhoads described hacking as “still the kind of thing that statistically won’t happen to you yet,” but that “it is happening often enough that we’re taking notice of it.” As health data increasingly is pushed online, hacking becomes less a question of “if” and more a question of “when.”
Examples from the past year show hackers can wreak havoc. Among them:
- The Utah Department of Health announced last spring that hackers based in Eastern Europe had broken into one of its servers and stolen personal medical information for almost 800,000 people.
- At Indiana University Health Goshen Hospital last winter, a virus was discovered on a server, potentially exposing information on 12,374 job applicants and fewer than 500 patients.
- Froedtert Health in Milwaukee in February notified roughly 43,000 patients that protected health information may have been compromised from systems also infiltrated by a computer virus.
Healthcare data breaches, in the end, are similar to other cyber crimes perpetrated by hackers searching for financial information from which they can make a profit, according to a Verizon report published last fall.
Hackers generally crack into hospital systems through poorly configured tools and software. Indeed, Utah officials involved in the above-mentioned situation admitted their system still had the factory password.
What’s more, in a hypothetical scenario, researchers wrote that hackers could use phishing emails to introduce malware into hospital networks. Over a series of weeks, the authors wrote, the hackers could use a series of small, hard-to-detect incursions that could infect patient record databases, mobile devices and, eventually, medical monitors and drug infusion pumps.
The risks cannot be ignored. The Ponemon Institute put the average cost of identifying and notifying affected individuals, now mandatory under the law, at $214 per record, and the average settlement cost of a medical identity case at more than $250,000.
Security compliance regulations should be the minimum
Hospitals and healthcare organizations traditionally choose to base their security efforts on complying with state and federal regulations. Instead, such laws should be considered the “floor” for such efforts, rather than the “ceiling.”
Hiring so-called “ethical hackers” is one way to put fresh eyes on your system’s security, and to go above and beyond what the law requires, according to Rhoads.
“Some of them used to be hackers and they know how to think like hackers; they’re experts at security who will say, ‘How would I gain access to this organization?’” Rhoads said. “They will promise not to do anything bad, but they’ll test your systems as if they were a hacker.”
Managed security service providers are another option for small healthcare IT staffs with way too much on their plates to keep up with the latest threats. Indeed, most breaches go on for months before they’re discovered, Rhoads said.
With regard to BYOD (bring your own device), health leaders should not try to fight the trend. Instead, sound policies should be developed and security training implemented to help workers do their jobs effectively. The report advocates multi-factor authentication over systems that rely on passwords alone.