“I have never seen an industry with more gaping security holes,” said Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University. “If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.” (Health-care sector vulnerable to hackers, researchers say) Clearly, hackers have already begun to figure this out. Last year, the healthcare sector passed the business sector in the number of cyber attacks. In fact, it wasn’t even a close contest. Healthcare organizations totaled 43% of all attacks, while business was a distant second with 34%. (Identity Theft Research Center)
According to the Ponemon Institute, an estimated 1.84 million people were victims of medical identity theft in 2013. Most of the cost of these attacks had to be absorbed by the healthcare industry itself. However, approximately 36% of the victims had to pay for some of this out of their own pockets. Needless to say, this left the healthcare industry open to lawsuits and other legal penalties. It also lowered the confidence of the general public in all healthcare organizations.
When Rubin began his research into the healthcare sector he quickly reached one conclusion. Health care “is an industry with the least regard, understanding and respect for IT security of any I’ve seen, and they have some of the most personal and sensitive information of anyone.” Apparently, and somewhat surprisingly, healthcare workers realized they were vulnerable to attack. One of the possible reasons for this lack of concern with security could be that hospital employees are overworked and may prefer taking security shortcuts to save time. Thus, password protection is bypassed, software upgrades are ignored, and virus scans are put off.
Among the most glaring security lapses that researchers found were workers connecting to the internet through the same devices they used to connect directly to the company network. This gives hackers a direct line into organization data. The University of Chicago Medical Center used an unsecured Dropbox site for new residents to manage medical records through their iPads. Fortunately, the researchers found this flaw before hackers did. If they hadn’t, hackers could have tricked users into opening infected PDF files which could contain code that would give them access to all of the medical center’s records. As healthcare centers and hospitals rush to embrace tablet use and BYOD (Bring Your Own Device) policies in their workplaces, security levels will show a corresponding decline. This may already be occurring, as 61% of healthcare organizations reported a security breach in the past year.
But why would hackers want access to medical records? There could be a number of reasons. They may want specific information about patients to enable them to get certain drugs, or they may be looking for technological information, but, more often than not, the goal is money. Personal information is personal information, no matter where it comes from, and personal information can be sold. Each item of information can be sold for between $10 and $20. At first glance, this might not seem like much, but when you consider hacks such as the one on the network server at the Utah Health Department, which compromised 780,000 patient records, you’re talking about millions of dollars’ worth of information.
It is no wonder, then, that there is an air of panic beginning to take hold of the healthcare industry. Many are just throwing up their hands and opting for cyber insurance to give them some protection from data loss. (More firms buying insurance for data breaches) Others are trying to shore up weak security protection with the latest software solutions, but software solutions are only a stopgap measure as all software is ultimately hackable. So far, only InZero System’s WorkPlay Tablet offers a hardware-based solution to the security problem.
In the end, healthcare organizations have a right to be pessimistic. Attacks on healthcare are expected to rise rapidly. (Serious wave of cybercrime ahead, experts warn) As Laurie Williams, security researcher at North Carolina State University, observed, the healthcare industry is on the brink of a serious and widespread attack. Speaking of the number of security gaps she discovered, she remarked, “I’m concerned that at some point the hackers are really going to begin exploiting them. And that’s going to be a scary day.”