ATLANTA – The information security service SecureWorks, which protects 82 healthcare companies in the United States, reported last month that attempted hacker attacks aimed at its clients doubled in the fourth quarter of 2009.
While the first nine months of the year averaged 6,500 attack attempts per day, the last three months saw that number leap to 13,400, SecureWorks reports. Most striking about those figures is that other companies protected by the firm saw no similar increase.
"Healthcare happens to be a good target for hackers because it has a lot of different types of information," Beau Woods, solutions architect for SecureWorks, tells Healthcare IT News. "If you go into a billing system, one of the things you could potentially get out of there is credit card information, name and address, and social security information to create fake identities - but also health insurance information: Medicare, Medicaid, etc."
SecureWorks says the most worrisome attempted breaches involved the most recent version of the Butterfly/Mariposa Bot malware, which, if it infects a computer, can be used to harvest data from the victim’s browser (passwords, etc.) and launch denial-of-service attacks. It can also be spread to other computers via peer-to-peer networking and USB devices.
The news comes at a critical moment for healthcare systems security, as hospitals, care centers, and their business associates try to meet the security rules mandated by the HITECH Act - something for which "most organizations are at best partly prepared," as Rob Seliger, CEO of Sentillion, an identity and access management technology company, told Healthcare IT News this past November.
Indeed, a survey this fall by HIMSS Analytics revealed that, while 87 percent of health providers were aware of the need to meet new security requirements put forth in the federal Health Insurance Portability and Accountability Act (HIPAA), just one third of their business associates were.
“Business associates could represent a risk to healthcare organizations, especially hospitals,” said Lisa Gallagher, senior director, privacy and security, HIMSS.
Meanwhile, the survey found, 50 percent of large hospitals experienced at least one data breach in 2009, and 68 percent felt that the HITECH Act's expanded breach notification requirements would result in the discovery and reporting of more such incidents.
While outside malware attacks spark the most concern and grab the most attention, Seliger says that "the real risk is within the four walls, is not bad people trying to break in." Most breaches are perpetrated by "caregivers working within the enterprise,"who – whether motivated by malice, curiosity, or unfamiliarity with security protocols – gain unauthorized access to records, he notes.
Such vulnerability could be worrisome to providers considering the switch to electronic medical records. But Woods hopes they won’t be deterred from the effort. "The effort to move over to EMRs is about trying to save lives," he says. "I hope people don’t abandon their attempts to go to electronic medical records because of these threats. You just want to protect that information once it's there. [Hospitals] should just do more up front and make sure they're securing their systems."
