In December another Queensland-based medical practice reported that they were being held to ransom by a hacker based in Russia demanding several thousand dollars for the release of their computers and databases. When I say ‘another’ it is understood that at least 11 practices have been the victims of this type of threat in 2012. It’s unknown exactly how many have actually been affected; these are just the ones that were reported to police.
So when I saw this article I just had to share it with our clients, as this is such a critical issue for our industry right now.
Health-care sector vulnerable to hackers, researchers say
As the healthcare industry rushed onto the Internet in search of efficiencies and improved care in recent years, it has exposed a wide array of vulnerable hospital computers and medical devices to hacking, according to documents and interviews.
Security researchers warn that intruders could exploit known gaps to steal patients’ records for use in identity theft schemes and even launch disruptive attacks that could shut down critical hospital systems.
A year-long examination of cybersecurity by The Washington Post has found that health care is among the most vulnerable industries in the country, in part because it lags behind in addressing known problems.
“I have never seen an industry with more gaping security holes,” said Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University. “If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.”
Compared with financial, corporate and military networks, relatively few hacks have been directed at hospitals and other medical facilities. But in recent months, officials with the Department of Homeland Security have expressed growing fear that health care presents an inviting target to activist hackers, cyberwarriors, criminals and terrorists.
“These vulnerabilities may result in possible risks to patient safety and theft or loss of medical information,” a DHS intelligence bulletin said in May.
Rubin has documented the routine failure to fix known software flaws in aging technology and a culture in which physicians, nurses and other health-care workers sidestep basic security measures, such as passwords, in favor of convenience.
Another researcher found that a system used to operate an electronic medicine cabinet for hospital prescriptions in Oklahoma could be easily taken over by unauthorized users because of weaknesses in the software interface.
The University of Chicago medical center operated an unsecured Dropbox site for new residents managing patient care through their iPads, using a single user name and password published in a manual online.
“There are basic, basic, Security 101 vulnerabilities we identified,” said Williams, who was among a team of researchers that identified numerous security flaws in several electronic health records systems two years ago. “I’m concerned that at some point the hackers are really going to begin exploiting them. And that’s going to be a scary day.”
A lingering issue
Questions about the cybersecurity of medical systems have been simmering for more than a decade. But the issue has intensified as hospitals embrace wireless devices and electronic records. Some health-care officials assumed that their networks were too obscure, or offered too few financial enticements, to be of interest to hackers.
Information technology executive Peter Tippett, the chief medical officer for Verizon, said the threat from cyberspace should not be overstated. Simple theft of laptops and other devices makes up the bulk of incidents.
“The fact is, there aren’t many attacks,” said Tippett, who oversees ICSA Labs, an independent division of Verizon that tests electronic health records systems and other security products for government certification. “The bad guys so far at least have been looking for money.”
On March 30, a hacker broke into a network server at the Utah Health Department, gained access to Medicaid data about 780,000 people and stole an undetermined number of records. Authorities traced attackers to computers in Eastern Europe. Utah officials acknowledged the breach and said they are taking extensive measures to protect patients against identity theft.
Three years ago, Rubin, the Johns Hopkins researcher, began assessing systems at major hospitals and clinics, making visits to operating rooms and intensive-care units.
He found that doctors and medical workers used the same computers to connect to both the Internet and internal networks. Rubin said doctors become “a pipeline for attackers into the sensitive networks.”
One nurse told Rubin that she had the job of typing in a physician’s password constantly so that the doctor would not have to, leaving the unattended machine unprotected. “She literally walked around the room logging the doctor into every machine, every hour,” Rubin said. “Unbelievable.”
“The doctors and technicians I spoke with seemed mostly well aware that their systems are vulnerable,” said Rubin, who has previously found security problems in voting machines. He said that health care “is an industry with the least regard, understanding and respect for IT security of any I’ve seen, and they have some of the most personal and sensitive information of anyone.”
Merdinger found a manual for the iPad initiative posted online, publishing a single user name and password for all the residents to use a shared Dropbox account.
The idea was to promote collaboration!
This is such a serious issue that we’re creating a seminar in February for our clients based in the Waikato to highlight exactly what the reality is and what you can do to minimise your risk of exposure to hackers and online corruption.