The FBI has warned that cyberattacks are on the rise - and health care companies are often the targets hackers seek. An attack that took place in August on Community Health Systems Inc., the No. 2 publicly traded U.S. hospital group, compounded concern for the pharmaceutical and health care industries, according to Reuters. The history of cyberattacks on companies is littered with examples of lax security, and the health care sector now seems to be infamous for it.
The attack on Community Health
The FBI has been observing new hackers and intricate malware targeting health care systems and facilities. The information being compromised includes intellectual property like medical device and equipment development data, according to Reuters.
The attackers who hit Community Health exploited an Internet bug dubbed Heartbleed on an unpatched network system to break in, compromising patient names, addresses, birth dates and Social Security numbers. Community Health hasn't gone into any detail about the specific attack. However, Security Affairs said rumors indicated the attack was focused on a piece of equipment that hosted the company's network. Reuters additionally mentioned that David Kennedy, an expert in healthcare security, supported that notion. The Washington Post pointed out that hackers could have multiple uses for medical records, from stealing a person's identity to selling a patient's information on the black market. This access to information is an extreme violation of HIPAA privacy and security rules.
"If you have someone's medical records - with their name, Social Security number and everything else - you can commit any other kind of identity theft," Sam Imandoust, a legal analyst at Identity Theft Resource Center, told The Washington Post.
Cybersecurity in the health care industry
Why is there such an increase of cyberattacks on the health care industry? An additional article written by Robert O'Harrow Jr. for The Washington Post pointed out that the sector is far behind in cybersecurity.
"I have never seen an industry with more gaping security holes," said Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University, as quoted by the news source. "If our financial industry regarded security the way the health care sector does, I would stuff my cash in a mattress under my bed."
O'Harrow highlighted the Peace Corps' use of an open-source electronic records management system called OpenEMR that is extremely susceptible to hackers. At another institution, the University of Chicago medical center, new residents use Dropbox through iPads with only one username and password, according to the article. This is especially risky because the username and password are published online in a manual.
The source added that only after a Post reporter listed these vulnerabilities in detail were any changes made. "The doctors and technicians I spoke with seemed mostly well aware that their systems are vulnerable," Rubin told The Washington Post. "[Health care] is an industry with the least regard, understanding and respect for IT security of any I've seen, and they have some of the most personal and sensitive information of anyone."
The Identity Theft Resource Center recently published a report showing that U.S. health care organizations have suffered 301 breaches in total this year, with 7.9 million records compromised. This is an increase from the 4.6 million records compromised in 2013. In the report, health care was the most affected of the industries studied, with the business sector suffering only 231 attacks in 2014.
"There are basic, basic, Security 101 vulnerabilities we identified. I'm concerned that at some point the hackers are really going to begin exploiting them. And that's going to be a scary day," computer scientist at North Carolina State University Laurie Williams told the source.
These vulnerabilities can be avoided only when the health care industry takes cybersecurity more seriously. The Food and Drug Administration published guidance on cybersecurity in 2005, which is obviously outdated in terms of the advances hackers have made. The FDA is responsible for overseeing medical devices, which is what makes the agency important in terms of the direction to take regarding cybersecurity in the health care industry.
The FDA recommended medical facilities allow their vendors to direct them in cybersecurity. However, O'Harrow noted that vendors often tell hospitals they cannot update FDA-approved equipment, which opens a hole in their systems for cyberattacks. One example of that hole being infiltrated was when a research hacker was able to hack into a glucose monitor that was linked to the Internet, the article pointed out.
When thinking about cybersecurity for any business, health care-related or otherwise, it's important to not leave any doubt as to what can be compromised. Hackers were able to get into something as simple as a glucose monitor, which means other seemingly harmless devices and technology, like business email, should be a top priority for security. Email encryption software and secure email service can ensure that corporate email is safe from cyberattacks and does not suffer the same infiltration the health care industry has faced.
David Bailey is Senior Vice President at Protected Trust.