Even in the heavily privacy-regulated healthcare industry, few people realize how vulnerable many of our systems – from EHR to connected medical devices – are to cyberattacks. With recent headlines highlighting the misfortunes of the Home Depots and Sonys of the world, many healthcare organizations don’t see themselves as targets for sophisticated cyberattacks.
Unfortunately, that couldn’t be farther from the truth. It shouldn’t be surprising that the theft of patient data is on the increase as this information is significantly more valuable than credit card data, with some reports suggesting a 20x differential. Financial services companies have become very adept at countering credit card theft, specifically by quickly discovering and cancelling compromised credit cards. Medical data, on the other hand, contains dates of birth, social security numbers, and physical descriptions – information that cannot be easily reset.
Of course, a contributing factor to the increasing frequency of healthcare breaches is the digitization of the medical record. While there are several clinical benefits of moving away from paper record systems, it has also made patient breaches, at scale, a grim reality. The race to roll out EMRs has not always been accompanied by a commensurate investment in the security infrastructure to support this environment, leaving some health systems unduly vulnerable.
For the healthcare industry, it was only a matter of time until a Target-scale breach hit a major insurer or hospital group. Last week’s attack on Anthem, best known for their Blue Cross insurance brands, appears to be particularly harmful, with the company acknowledging in a statement that:
“...hackers have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.”
With this information, the threat of identity theft is a real one for consumers whose data was compromised in the breach.
The Anthem hack – similar to most of the high-profile breaches we’ve heard about in the last year – isn’t an indictment of any particular company or even technological solution. Hackers and their tools have become incredibly sophisticated while too many of our systems, in healthcare and elsewhere, simply aren’t keeping up.
As healthcare organizations rethink their security strategies in the face of advanced threats, they need to consider three primary inroads that hackers can use in a healthcare cyberattack.
Malware, phishing schemes, trojans, ransomware – these are the types of cyberattacks that happen to all institutions, though some are more likely to make headlines than others. The healthcare industry often lacks the built-in protections and underlying security mindset of other industries and is thus particularly vulnerable to cyberattacks. Malicious software, whether deployed through targeted attacks, spam, compromised websites, infected mobile devices or otherwise, can not only expose sensitive data but also create expensive IT headaches. In fact, a 2012 Ponemon Institute study found that data breaches cost the average healthcare organization roughly $2.4 million over the previous two-year period.
Connected medical devices
In 2011, the Association for the Advancement of Medical Instrumentation (AAMI) found that the average hospital had 1.4 networked medical devices per bed. Today, everything from IV pumps to heart monitors can be networked and automatically interfaced with EHR systems, providing real-time alerts to healthcare providers. In terms of patient care and operational efficiency, this is a good thing; from a security perspective, however, it’s a potential nightmare.
Countless diagnostic machines, including CT Scanners and MRI machines, weren’t designed with security in mind and often use off-the-shelf operating systems like Microsoft Windows. Other devices typically use purpose-built software designed to collect – not protect – data. Too many of these devices are hackable and, once one of these devices is hacked and compromised, it can provide hackers with unrestricted access to additional clinical data systems. The threats don’t stop there – for instance, researchers have demonstrated how insulin pumps can be hacked to deliver a lethal dose of insulin, posing a direct threat to patient safety.
Personal and home health devices
Connected devices aren’t exclusive to hospitals. An increasing number of home health devices and apps are collecting and transmitting personal health data than ever before. These devices and apps often interface directly with EHR and clinical data systems, increasing risks should those systems become compromised. When everything from an iPhone app to a home glucose monitor can become part of the attack surface, it should become clear just how badly exposed healthcare institutions are.
The bottom line
Healthcare is a $3 trillion industry in the U.S. alone – a true jackpot for hackers. Patient data lives in countless systems in hospitals, medical practices, devices, insurance companies and even HR databases that often include legacy software, purpose-built hardware, troubled insurance exchanges and more. IT is no longer an add-on service for the healthcare industry: it is now core to successful, effective care for our citizens. Health insurers should invest in next generation and high speed firewalls, advanced threat protection, application security and wireless access to help ensure patient data is kept safe. With so much money involved, the Anthem breach may be the largest to date but, unfortunately, won’t be the last.