“Hackers can engage in widespread theft of patient information that includes everything from medical conditions to Social Security numbers to home addresses, and they can even manipulate medical devices used to administer critical care,” Barbara Filkins, a senior SANS analyst and healthcare specialist who wrote the report, said in a release.
The majority of those targeted were healthcare providers, although health plans and pharmaceutical companies have also been attacked. And not all of the victims are even aware that their systems are under siege.
The report's findings shouldn't come as a surprise to anyone familiar with vulnerabilities in healthcare IT, said one security expert.
“Since 2009, the industry has matured in this process to digitize all of our health information. The security around the network was not adequate before, but wasn't much of an issue since there wasn't much data there,” said Mac McMillan, chairman, CEO and co-founder of CynergisTek, a Texas-based IT security firm. “Now the data is there, and unfortunately it's very valuable.”
The value of someone's medical identity can be 50 times that of a person's financial identity, primarily because it's not perishable, McMillan estimated. “If someone takes your medical history and starts using it, it's not like your credit card number. You can't cancel your history and issue a new one,” he said. Stolen medical identities can be used for billing fraud and medical-care fraud. Patient records that include date of birth and Social Security numbers can be used for identity theft.
Thanks to that financial motivation, Daniel Nutkis, founder and CEO of HITrust, says he has seen an uptick in both the number and sophistication of attacks on the healthcare industry.
“We know the defenses are not where they should be,” Nutkis said.
The Norse report suggests that security flaws as simple as using default administrative passwords are to blame for some of the compromises.
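One inexpensive control against the default-credential problem the report points to is a periodic audit that compares each device's stored administrative password hash against the vendor-shipped defaults for that model. The script below is an added illustration, not code from the Norse or SANS report; the device models, default credential pairs, hostnames and the salted SHA-256 storage scheme are all constructed assumptions, since real devices store credentials in vendor-specific ways.

```python
"""
Audit an inventory of administrative accounts for vendor-default credentials.

Constructed example: the account inventory, device models and default
credential pairs below are made up for illustration. In practice the defaults
come from vendor documentation and the hashes from the device's own store.
"""
import hashlib
import hmac

# Constructed (username, default password) pairs per device model. These are
# placeholders, not any real vendor's documented defaults.
VENDOR_DEFAULTS = {
    "imaging-gateway-x1": [("admin", "admin"), ("service", "service123")],
    "infusion-controller-v2": [("root", "changeme")],
}


def _digest(password: str, salt: str) -> str:
    """Assumed storage scheme: hex SHA-256 over salt + password."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def make_account(hostname: str, model: str, username: str, password: str) -> dict:
    """Build one inventory record; uses the hostname as the salt for determinism."""
    return {
        "hostname": hostname,
        "model": model,
        "username": username,
        "salt": hostname,
        "password_sha256": _digest(password, hostname),
    }


# Constructed inventory: two devices still on factory credentials, two rotated.
SAMPLE_INVENTORY = [
    make_account("ct-gateway-01", "imaging-gateway-x1", "admin", "admin"),
    make_account("ct-gateway-02", "imaging-gateway-x1", "admin", "Xr9!v2Lq"),
    make_account("pump-ctrl-07", "infusion-controller-v2", "root", "changeme"),
    make_account("pump-ctrl-08", "infusion-controller-v2", "root", "k3Pz#Wm1"),
]


def find_default_credentials(inventory):
    """Return (hostname, username) for every account whose stored hash equals the
    hash of a vendor default for that model. Only accounts whose username matches
    the default username are checked; comparison is constant-time."""
    findings = []
    for acct in inventory:
        for default_user, default_pw in VENDOR_DEFAULTS.get(acct["model"], []):
            if acct["username"] != default_user:
                continue
            expected = _digest(default_pw, acct["salt"])
            if hmac.compare_digest(expected, acct["password_sha256"]):
                findings.append((acct["hostname"], acct["username"]))
    return findings


def summarize(inventory) -> str:
    """One-line status suitable for a nightly compliance report."""
    hits = find_default_credentials(inventory)
    if not hits:
        return "OK: no administrative accounts on vendor defaults"
    hosts = ", ".join(f"{h}:{u}" for h, u in hits)
    return f"ALERT: {len(hits)} account(s) still on vendor defaults ({hosts})"


if __name__ == "__main__":
    print(summarize(SAMPLE_INVENTORY))
```

Run against the constructed inventory it flags `ct-gateway-01` and `pump-ctrl-07` and leaves the two rotated devices alone. A real deployment would feed the function from the organization's asset inventory and tie the ALERT line to a ticket so the finding reaches whoever owns the device.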
McMillan says those failures land on leadership. “Leadership has got to recognize that security is a priority and make sure they've got the right people with the right amount of resources to get the job done correctly,” he said. “Until they do that, the industry is going to struggle.”
Still, McMillan and Nutkis say that some organizations are getting it right in recognizing the risks to security and reputation and the risk of compliance-related penalties, and are allocating the necessary resources upfront to protect their cyberpresence.
Hacking incidents were involved in about 8% of the 841 healthcare information breaches reported to HHS' Office for Civil Rights and publicly posted on its “wall of shame” website since September 2009 pursuant to a mandate in the American Recovery and Reinvestment Act of 2009.
Slightly more than 30 million individuals' records have been exposed by all breaches reported to the site; nearly 2.6 million of the exposures can be attributed to 69 breaches in which hacking was listed as a possible cause.
The largest hack, exposing an estimated 780,000 patients' records in the Utah Medicaid and children's health programs, occurred in 2012 when records kept by the Utah Department of Technology Services were compromised by what were suspected to be foreign cyberinvaders.
Public records show, however, that multiple hospitals and several medical practices also have been hacked, with some incidents exposing records of more than 100,000 patients.
Follow Rachel Landen on Twitter: @MHrlanden