Healthcare organizations are increasingly under attack from cybercriminals seeking to gain access to patient data and to Internet-connected medical devices, according to a report released today.
Devices and networks at 375 healthcare-related organizations were compromised between September 2012 and October 2013, according to the Health Care Cyberthreat Report, published by San Mateo, Calif.-based cybersecurity firm Norse Corp. and the SANS Institute, a security research institute in Bethesda, Md. That includes breaches that result in everything from the exposure of patient data to the potential exploitation of radiology imaging software, videoconferencing systems and mail servers.
“Hackers can engage in widespread theft of patient information that includes everything from medical conditions to Social Security numbers to home addresses, and they can even manipulate medical devices used to administer critical care,” Barbara Filkins, a senior SANS analyst and healthcare specialist who wrote the report, said in a release.
The majority of those targeted were healthcare providers, although health plans and pharmaceutical companies have also been attacked. And not all of the victims are even aware that their systems are under siege.
The report's findings shouldn't come as a surprise to anyone familiar with vulnerabilities in healthcare IT, said one security expert.
“Since 2009, the industry has matured in this process to digitize all of our health information. The security around the network was not adequate before, but wasn't much of an issue since there wasn't much data there,” said Mac McMillan, chairman, CEO and co-founder of CynergisTek, a Texas-based IT security firm. “Now the data is there, and unfortunately it's very valuable.”
The value of someone's medical identity can be 50 times that of a person's financial identity, primarily because it's not perishable, McMillan estimated. “If someone takes your medical history and starts using it, it's not like your credit card number. You can't cancel your history and issue a new one,” he said. Stolen medical identities can be used for billing fraud and medical-care fraud. Patient records that include date of birth and Social Security numbers can be used for identity theft.
Thanks to that financial motivation, Daniel Nutkis, founder and CEO of HITrust, says he has seen an uptick in both the number and sophistication of attacks on the healthcare industry.
“We know the defenses are not where they should be,” Nutkis said.
The Norse report suggests that security flaws as simple as using default administrative passwords are to blame for some of the compromises.
McMillan says those failures land on leadership. “Leadership has got to recognize that security is a priority and make sure they've got the right people with the right amount of resources to get the job done correctly,” he said. “Until they do that, the industry is going to struggle.”
Still, McMillan and Nutkis say that some organizations are getting it right in recognizing the risks to security and reputation and the risk of compliance-related penalties, and are allocating the necessary resources upfront to protect their cyberpresence.
Hacking incidents were involved in about 8% of the 841 healthcare information breaches reported to HHS' Office for Civil Rights and publicly posted on its “wall of shame” website since September 2009 pursuant to a mandate in the American Recovery and Reinvestment Act of 2009.
Slightly more than 30 million individuals' records have been exposed by all breaches reported to the site; nearly 2.6 million of the exposures can be attributed to 69 breaches in which hacking was listed as a possible cause.
The largest hack, exposing an estimated 780,000 patients' records in the Utah Medicaid and children's health programs, occurred in 2012 when records kept by the Utah Department of Technology Services were compromised by what were suspected to be foreign cyberinvaders.
Public records show, however, that multiple hospitals and several medical practices also have been hacked, with some incidents exposing records of more than 100,000 patients.

Follow Rachel Landen on Twitter: @MHrlanden