The health IT industry found a new way to collect its health records, but no one remembered to lock the door. From ransomware to phishing attacks, hackers have continuously targeted the field over the last few years.
“The threat environment — the vectors, the types of attacks, the sources, the actors — are always changing,” David Finn, EVP of Strategic Innovation at CynergisTek, said. “You have to keep an eye on the threats and where they are headed, the trends, movements, developments.”
What is the Achilles’ heel of healthcare? This article outlined the top five security problems in health information technologies, сourtesy of our partners at Belitsoft (a custom healthcare software development company).
Problem #1. Limited spending on cybersecurity
According to the HCIC Task Force report, with the adoption and widespread use of EHR systems, efforts were usually placed on installing hardware and software required to earn the incentives. Therefore, a majority of companies in the healthcare sector made financial investments in cybersecurity only in the last five years.
Many believe that only the large organizations are the target of cybercriminals because of the amount of confidential information they store. Actually, healthcare institutions of all sizes can be compromised due to the interconnected nature of the industry and all members face financial constraints.
“No organization has all the financial resources it needs to employ enough personnel necessary to consistently and confidently protect its networks and data,” 2017 Report on Improving Cybersecurity in the Health Care Industry states.
Indeed, resources needed to hire in-house information security personnel, or designate an expert IT staff member, are insufficient. Healthcare cybersecurity investments compete with other demands, such as the need for new medical technologies, medical staff, and basic supplies.
“A two-person dental office or independent home health care provider cannot establish a fully resourced cybersecurity office that is necessary to stay ahead of cyber threats.”
Problem #2. Patients are handling medical data
Hospitals and doctor’s offices are required to provide health records on a patient’s request. Plus, increasing the demand for patient involvement allows medical offices to cut costs.
Self-services, such as developing web portals for patients to access information online, is helping institutions save but also increase their vulnerabilities.
Growing patient involvement increases exposure to threats. In fact, most users are unaware of the hazards related to mishandling their medical records. They may keep the login credentials for a bank account under close watch but overlook sensitive health data.
Problem #3. High demand for medical records on the black market
A study published in JAMA in November 2018 found that hackers stole 133.8 M patient records between 2009 and 2017. Later, Atrium Health reported that a database of more than 2.6 M billing records of their customers was compromised.
Such strong demand for patients’ medical records that is fueling the numerous cyber attacks is due to the high costs. On the illicit market, the going rate for a stolen social security number is 10 cent. A credit card number can sell for just $1, compared to hundreds of dollars for electronic health records (EHRs).
According to Robert Lord, EHRs contain a wealth of exploitable data, such as demographic, historical, and financial information. There is also data about patient’s past medical history, including every doctor’s visit they have made and diagnoses they have gotten. All this makes the medical record the most comprehensive source about a person’s identity that exists today.
“You can cancel credit cards and change social security numbers, but your EHR is immutable […] If there is a breach, hackers can potentially blackmail you for a lifetime.”
Attackers use various methods for sabotaging healthcare systems from outside, including, for example, spoofing an EHR client to think the access is legitimate; or intercepting messages between EHRs with a man-in-the-middle attack.
Hackers also hijack unprotected EHR systems, change encryption keys to their own, and extort money from hospitals in exchange for returning the access. This type of breach most often affects institutions who need real-time access to patient data for sensitive operations and have to pay up.
However, most attacks and data leaks come from the inside, Lord reveals. They involve doctors and nurses, billing specialists, or administrators who have legitimate access to EHRs but abuse that access for financial gain or are just plain forgetful.
Problem #4. Lack of cybersecurity education
Computer security is largely considered an IT problem, therefore, medical assistants often don’t understand the risk of a data breach. This is partly due to a failure to inform staff members and raise the awareness of cyber threats and the harm they can pose to institutions and above all, to patients.
“At the end of the day security is really a people problem,” Finn said. “Machines don’t click on bad links or provide credentials or leave themselves in cabs or create bad passwords – people do.”
Hospital staff tends to open attachments or click on links from senders they are unfamiliar with. Innocently, they can share personal information or credentials without reading the fine print and verifying the request before sending anything.
Christian Dameff, UC San Diego researcher and emergency room doctor, along with his colleague, Jeffrey Tully, UC Davis security researcher and pediatrician, explained a simulation of what happens when a patient’s medical device gets hacked.
The patient complained about chest pain, so a team of nurses and doctors went through usual procedures to treat him directly reflecting his symptoms. But the victim’s pacemakers was defective and routine attempts to use a magnet to fix the problem didn’t work. As a result, the patient kept dying and rising again because the hacked device kept shocking him at the wrong time.
The simulation showed that engaged clinicians were completely unaware the device had been hacked. Moreover, none of the team had no idea what to do if a device was compromised. Although none of them had been trained in reacting to medical device hacks.
“We rely on an incredible amount of technology to care for patients and trust the technology implicitly to care for our patients,” said Tully. “We’re afraid there’s a storm on the horizon — and it may already be here. Healthcare cybersecurity is no longer really a compliance issue. It’s not only a protecting patient health information issue. Healthcare security is a patient safety issue.”
Problem #5. Encryption deficiency
This is one of the best practices to use encryption to protect data, especially as it passes back and forth between on-premise users and external cloud apps. However, hackers are able to lie low in encrypted traffic, using it as a means to avoid detection. In this case, encryption makes harder for security analytics tools to monitor and reveal breaches and targeted attacks.
“But when it comes to SSL data streams, the devices have no way of interpreting the content of the encrypted traffic and pass it through unchecked, creating a “blind spot” for your security technologies. And hackers know it. Advanced persistent threats (APTs) use imbedded malware to steal data from inside corporate networks and mask that activity using SSL encryption to transmit those stolen records to the outside world.”
Tom Bowers, Information Security Futurist, also adds that more companies use SSL encryption to comply with privacy and data security requirements such as those specified by HIPAA, NIST and other regulatory standards.
HHS officials said that cybersecurity remains a top priority for the agency and emphasized the importance of private-public partnership to protect critical infrastructure. In the near future HHS intends to raise awareness of the community and implement cybersecurity practices across the healthcare field.