Healthcare needs a lesson in cybersecurity 101, report says

As hackers look for an easy target, healthcare could be at the top of their list. According to a recent investigation by The Washington Post, the rise of electronic health records, other digital health platforms and connected devices has made healthcare more vulnerable to security breaches than almost any other industry.

“I have never seen an industry with more gaping security holes,” Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University, told The Post. “If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.”

Relative to other industries, including finance and the military, hospitals and medical facilities have been targeted by fewer hacks, the report said, but government officials have recently indicated growing concern. In May, the Department of Homeland Security released a notice warning that while wireless technology can bring efficiency and flexibility to healthcare, it also introduces security risks that the industry may not be ready to address.

The Post is hardly the first to flag security as a growing problem for healthcare – a study earlier this month from the Ponemon Institute and ID Experts found that a third of health organizations polled don’t have the technology, budget or trained personnel to handle contemporary security challenges. But the article detailed several anecdotes indicating that while the industry is trying to deal with the problem, its culture and technology are behind the times.

For example, it said that doctors and other medical workers at an unnamed institution used the same computers to connect to both the Internet and internal networks, with some staffers leaving computers unattended and unprotected. It also said that the University of Chicago Medical Center recently left itself vulnerable to hackers after posting a document for residents online that included login information for a shared Dropbox account (the University has since closed the loophole).

To date, despite the many vulnerabilities and the many data breaches suffered by hospitals and healthcare institutions, hackers have mostly focused their attention elsewhere. According to a report by GovernmentHealthIT, six of the top 10 breaches were related to a stolen unencrypted laptop and three of the 10 involved an employee or former employee who inappropriately accessed patient information through email or other means. Only one – albeit the biggest incident – involved a hacker who accessed patient information through a Utah Department of Health server.

But as more patient information goes online, larger-scale hack attacks and the threat of medical identity theft – which some say is more costly and difficult to correct than other forms of identity theft – could increase. As it is, some studies indicate that patients are already apprehensive about Electronic Health Records, and for them to get the most out of those platforms and other digital health services, they need systems they can trust.

Some steps forward indicated by The Post report include increased government oversight, particularly more clarity from the Food and Drug Administration (FDA) on its position, as well as more education and investment on the part of the industry.