Though less common than breaches from lost laptops or other devices, hacking is on the rise in healthcare, experts say. Fending off cybercriminals, however, should go beyond treating security as a routine matter of protecting patient privacy.
"It needs to be more of an ongoing, constant, holistic type of approach where you're looking at your systems from the perspective of someone on the outside," lead author and senior research specialist Jared Rhoads said, speaking about the risk assessments the report recommends.
Rhoads described hacking as "still the kind of thing that statistically won't happen to you yet," but that "it is happening often enough that we're taking notice of it." As health data increasingly is pushed online, hacking becomes less a question of "if" and more a question of "when."
Examples from the past year show hackers can wreak havoc. Among them:
- The Utah Department of Health announced last spring that hackers based in Eastern Europe had broken into one of its servers and stolen personal medical information for almost 800,000 people.
- At Indiana University Health Goshen Hospital last winter, a virus was discovered on a server, potentially exposing information on 12,374 job applicants and fewer than 500 patients.
- Froedtert Health in Milwaukee in February notified roughly 43,000 patients that protected health information may have been compromised from systems also infiltrated by a computer virus.
Healthcare data breaches, in the end, are similar to other cybercrimes perpetrated by hackers searching for financial information from which they can make a profit, according to a Verizon report published last fall.
Hackers generally crack into hospital systems through poorly configured tools and software. Indeed, Utah officials involved in the above-mentioned situation admitted their system still had the factory password.
What's more, in a hypothetical scenario, researchers wrote that hackers could use phishing emails to introduce malware into hospital networks. Over a series of weeks, the authors wrote, the hackers could use a series of small, hard-to-detect incursions that could infect patient record databases, mobile devices, and, eventually, medical monitors and drug infusion pumps.
The risks cannot be ignored. The Ponemon Institute put the average cost of identifying and notifying affected individuals, now mandatory under the law, at $214 per record, and the average settlement cost of a medical identity case at more than $250,000.
Security compliance regulations should be the minimum
Hospitals and healthcare organizations traditionally choose to base their security efforts on complying with state and federal regulations. Instead, such laws should be considered the "floor" for such efforts, rather than the "ceiling."
Hiring so-called "ethical hackers" is one way to put fresh eyes on your system's security, and to go above and beyond what the law requires, according to Rhoads.
"Some of them used to be hackers and they know how to think like hackers; they're experts at security who will say, 'How would I gain access to this organization?'" Rhoads said. "They will promise not to do anything bad, but they'll test your systems as if they were a hacker."
Managed security service providers are another option for small healthcare IT staffs with way too much on their plates to keep up with the latest threats. Indeed, most breaches go on for months before they're discovered, Rhoads said.
With regard to BYOD (bring your own device), health leaders should not try to fight the trend. Instead, sound policies should be developed and security training implemented to help workers effectively do their jobs. The report advocates multi-factor authentication over systems that require passwords.
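Two of the findings above lend themselves to a routine self-check: the factory-password misconfiguration behind the Utah breach, and the report's preference for multi-factor authentication on password-only systems. The script below is an added example, not code from the report or from the article's sources. It audits a constructed inventory of hospital accounts for three conditions a defender would want to catch before an outsider does: credentials still matching a factory default, one password reused across several hosts, and externally reachable services protected by a password alone. The default-credential list, the hosts, and the `Account` fields are all assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed factory-default username/password pairs (placeholders, not taken
# from any vendor's documentation). A real audit would load this from a
# maintained list and compare password hashes rather than plaintext.
FACTORY_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
}

FINDING_DEFAULT = "factory-default credential"
FINDING_REUSE = "password shared across hosts"
FINDING_NO_MFA = "externally reachable without multi-factor authentication"


@dataclass(frozen=True)
class Account:
    host: str
    service: str
    username: str
    password: str  # plaintext only for this illustration
    exposed: bool  # reachable from outside the hospital network
    mfa: bool      # a second factor is required to log in


def audit(accounts):
    """Return a sorted list of (host, service, finding) tuples for an inventory."""
    findings = set()
    hosts_by_password = defaultdict(set)

    for acct in accounts:
        if (acct.username.lower(), acct.password) in FACTORY_DEFAULTS:
            findings.add((acct.host, acct.service, FINDING_DEFAULT))
        if acct.exposed and not acct.mfa:
            findings.add((acct.host, acct.service, FINDING_NO_MFA))
        hosts_by_password[acct.password].add(acct.host)

    # Second pass: a password seen on more than one host lets a single
    # compromise spread quietly, the pattern the report's hypothetical describes.
    for acct in accounts:
        if len(hosts_by_password[acct.password]) > 1:
            findings.add((acct.host, acct.service, FINDING_REUSE))

    return sorted(findings)


# Constructed sample inventory (hostnames, services and passwords are invented).
SAMPLE_INVENTORY = [
    Account("db-patient-01", "postgres", "admin", "admin", exposed=False, mfa=False),
    Account("mon-icu-03", "telnet", "root", "root", exposed=False, mfa=False),
    Account("portal-ext-01", "https-admin", "jsmith", "Xq7!rTn4vL9pZ", exposed=True, mfa=False),
    Account("pump-ward2-07", "http", "service", "K3ep-0ut-pl3ase", exposed=False, mfa=True),
    Account("pump-ward2-08", "http", "service", "K3ep-0ut-pl3ase", exposed=False, mfa=True),
]

if __name__ == "__main__":
    for host, service, finding in audit(SAMPLE_INVENTORY):
        print(f"{host:16} {service:12} {finding}")
```

Running it lists five findings: two factory-default logins, one internet-facing administrative portal with no second factor, and the two infusion-pump web interfaces sharing a password. The check is deliberately conservative, flagging only exact default matches, so it complements rather than replaces the outside-in assessment Rhoads describes.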