Skip to comments.Health-care sector vulnerable to hackers, researchers say
Posted on 12/25/2012 10:46:51 PM PST by Seizethecarp
As the health-care industry rushed onto the Internet in search of efficiencies and improved care in recent years, it has exposed a wide array of vulnerable hospital computers and medical devices to hacking, according to documents and interviews.
Security researchers warn that intruders could exploit known gaps to steal patients records for use in identity theft schemes and even launch disruptive attacks that could shut down critical hospital systems.
A year-long examination of cybersecurity by The Washington Post has found that health care is among the most vulnerable industries in the country, in part because it lags behind in addressing known problems.
I have never seen an industry with more gaping security holes, said Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University. If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.
Compared with financial, corporate and military networks, relatively few hacks have been directed at hospitals and other medical facilities. But in recent months, officials with the Department of Homeland Security have expressed growing fear that health care presents an inviting target to activist hackers, cyberwarriors, criminals and terrorists.
These vulnerabilities may result in possible risks to patient safety and theft or loss of medical information, a DHS intelligence bulletin said in May.
Security researchers are starting to turn up the same kinds of trivial-seeming flaws that earlier opened the way for hackers to penetrate financial services networks, Pentagon systems and computers at firms such as Google.
(Excerpt) Read more at washingtonpost.com ...
All it takes is a corrupt employee in the hospital system with access to the insurance billing database, so not much "hacking" is actually needed.
One of the main security issues preventing good hospital security is the
desire for LOTS of different doctors in many locations to access patient
information the hospital has so they can see and care for patients in
their office. And being doctors they have this inherent belief that they are
special and that efforts to insure data access is adequate hinders them....i.e.
if they actually have to use their passwords, verify their identity and use the
approved access protocols they are wasting their precious $$$$ time.
Thus they pressure CEO’s to streamline security for their convenience.
They give their passwords and access protocols to their office staff because they don’t want to be bothered with such petty details as network security.
As a PACS admin I field demands from MD’s routinely to ignore methods
designed to secure patient info so that they don’t have to be bothered.
The main security issue in healthcare is the most influential people involved
are more concerned with their needs than with the concept of security.
I worked as a hospital medical transcriptionist for many years until my job was offshored to India 2 years ago. While typing a medical report, I had complete access to all of the patient’s information, such as SSN, address, phone number, and DOB. We were supposedly monitored for “improper behavior,” but no one I know was ever reprimanded for such in more than a dozen years of my hospital employment. However, American transcriptionists face fines of $125,000 for divulging confidential patient info. In contrast, the transcriptionists in India and other third-world, who are now mainly transcribing the medical reports of Americans, face no such fines. Therefore, I fully expect the crime of identity theft in this country to explode in the next year or two as access to patient info is very easy to come by.
In some ways the “news” are tragicomedy.
I work in IT at a healthcare organization, and all I can say is this is absolutely true!
The biggest issue I’ve seen in hospitals tends to be with 3rd party vendor software and applications that are in use by the organizations/facilities. Very often there will be severe design issues with their software that will go completely unaddressed.
The 2nd biggest issue is with end users and their horrible practices on an individual level. A system is never going to be more secure than its dumbest user.
Another HUGE problem is with the government pushing organizations to go electronic, whether their IT departments may be ready or not. Being in IT, I’m all for things being electronic, but if it isn’t gonna be done right, it SHOULDN’T be done! After seeing what I’ve seen first hand, I’m VERY apprehensive about where I go to seek medical care, if I even seek it out at all! All it takes is for a system to get compromised, and your life could be ruined, or made VERY difficult.
Oh, what you said is SO true.
I couldn’t tell you how many remote offices I’ve seen where virtually every person working in their office just uses the physician’s credentials to access patient data(because he gave it to them all) for the reasons you stated! If anything is attempted to remedy the situation, the office staff gets pissed, which eventually leads to the physician being pissed, and before you know it, he’s in the CEO’s office bitching! In such cases, probably 90% of the time, the CEO will order the IT folks to accommodate and make the doctor happy, security be dammed.
Duh. They can’t protect classified secrets. How the eff are they gonna protect anything else? ANYTHING put on the net by anyone anywhere can be ‘hacked’ as they so routinely call it.
Have your computers and/or software made in frikking China and you can take it to the bank. And yet they still insist that you can ‘secure’ the unsecurable.
There was a program developed to secure bank transactions, among other things, that was virtually uncrackable. Guess what. The banks refused to use it because it would have exposed their own corruption...ditto gov agencies.
Sure, SOX was supposed to obviate this. SOX only makes it a colossal nuisance for honest people.
I’m SHOCKED, I tell you, SHOCKED. How could the government let private data be so vulnerable?
IE, the patients get screwed over royally.
EMR’s are a disaster. They bring few benefits that are not worth the enormous cost.
My company provides IT security and HIPAA compliance to hospitals. EHRs have helped security a great deal.
Yes there are risks but they are manageable. I see many more security problems with the areas outside of the EHR systems.
Doctors ignoring the rules. Administrators refusing to provide budget to fix the problem. IT people who refuse to change the way they work.
As someone who has to USE. The crappy software to treat actual patients I hate the software we have. It’s horrible for the end user clinician, extremely unuser friendly. But our IT people like it. Great let THEM try and take of patients with the crap.