“Electronic health records are prime targets because healthcare organizations lack the resources, processes, and technologies to protect them. And it’s only going to get worse.” (InformationWeek, online commentary by Rick Kam and Larry Ponemon, May 27, 2015)
The scary prediction in the quote above has already become reality, according to 63 percent of respondents to a recent healthcare industry survey, who reported they had been hacked or compromised in some way. According to Maria Korolov in a CIO piece, that puts the healthcare industry in the unenviable position of ranking “the highest of any industry vertical studied.”
Why attack the caregivers?
What’s in it for the hackers? Kam and Ponemon, quoted at the beginning of this article, point out that healthcare records are a veritable “treasure trove” of information that is easily accessible. That treasure trove consists of detailed personal, credit, and protected health information–and it is all in one place. When hackers sell this data on the black market, they earn about 12 times the rate of return for stolen credit card information.
The head of the FBI’s Cyber Division Section, John Riggi, points out other uses for stolen medical data. Hackers can use illicit personal health information as a basis of other types of fraud: identity theft, tax fraud, prescription and medical device fraud, and Medicaid scams, among others.
Medical data is their lifeblood
In his article, Why hospitals have become prime targets for ransomware attacks, the Christian Science Monitor’s Jack Detsch points out that hospitals depend on outdated software and old computer systems. Healthcare professionals are best at treating patients and don’t do computer security all that well.
Hospitals have old equipment and software
Andrea Peterson writes in The Washington Post that part of the problem in hospitals and doctors’ offices is “a mishmash of different types of equipment running different types of software.” That eclectic IT environment is not conducive to applying standard security practices, software patches, and updates.
Then there is the absolute dependence that the healthcare industry has on its electronic records, patient accounts, medication, billing, and electronic monitoring–its own specialized IoT (Internet of Things). Rather than steal the data, overseas hackers have devised a way to cripple it and hold it for ransom.
Pay up or lose data
Ransomware perpetrators rely on social engineering and, among other methods, deliver their malware via attachments or booby-trapped links in innocent-looking emails. The unwitting employee who opens the attachment begins a nightmare scenario in which hospital computer files become encrypted and useless without the encryption key.
The “ransom” part is that the victims must pay to regain access to their data. One Los Angeles hospital actually forked over $16,664 in 40 untraceable bitcoins after hackers disabled its computer network. Hospital administrators, desperate to get everything back online, decided to pay.
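The delivery path described above, malware arriving as an e-mail attachment that an employee opens, is the one place a hospital can intervene before any file is encrypted. The following script is an added example, not code from the article or from any of the sources it quotes; it shows the kind of attachment triage a mail gateway can run on the defender's side. The function names, the risky-extension lists and the sample messages are all constructed for this demonstration and assume the gateway hands each message to `triage_message()` as raw RFC 822 bytes.

```python
"""Triage inbound e-mail attachments for common ransomware delivery tricks.

Added example (not from the original article). Assumes a mail gateway passes
each message to triage_message() as raw bytes. All extension lists and the
demo messages below are constructed for this example.
"""
import email
from email import policy
from email.message import EmailMessage

# File types that execute directly when double-clicked (constructed policy list).
EXECUTABLE_EXTS = {"exe", "scr", "js", "jse", "vbs", "vbe", "wsf", "hta",
                   "bat", "cmd", "ps1", "jar", "lnk"}
# Office formats that can carry macros.
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
# Archives, often used to wrap an executable past simple extension filters.
ARCHIVE_EXTS = {"zip", "rar", "7z", "iso", "img"}
# Inner extensions used to disguise a double-extension executable (invoice.pdf.exe).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def classify_filename(name):
    """Return a list of reasons the attachment name looks risky (empty if none)."""
    reasons = []
    parts = name.lower().rsplit(".", 2)          # keep up to the last two extensions
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
    if ext in MACRO_EXTS:
        reasons.append(f"macro-enabled document .{ext}")
    if ext in ARCHIVE_EXTS:
        reasons.append(f"archive .{ext} (inspect contents before delivery)")
    # invoice.pdf.exe: the decoy inner extension hides the real, executable one.
    if len(parts) == 3 and parts[1] in DECOY_EXTS and ext in EXECUTABLE_EXTS:
        reasons.append("double extension disguising executable")
    # Runs of spaces push the real extension out of view in narrow mail clients.
    if "    " in name:
        reasons.append("padded filename")
    return reasons


def triage_message(raw_bytes):
    """Parse one raw message; return {attachment_name: [reasons]} for flagged parts."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    flagged = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = classify_filename(name)
        if reasons:
            flagged[name] = reasons
    return flagged


def build_sample(attachment_name, payload=b"x"):
    """Construct a demo message carrying one attachment (test data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "staff@hospital.example"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


def demo():
    """Run the triage over a handful of constructed attachment names."""
    names = ["invoice.pdf.exe", "report.docm", "scan.pdf", "statement.js", "archive.zip"]
    return {name: triage_message(build_sample(name)) for name in names}


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{name}: {flagged or 'no indicators'}")
```

The filename heuristics only catch the cheap tricks; a gateway should still detonate or scan archive contents and strip macros from documents, but even this level of filtering removes the most common lure of the kind the article describes before it reaches a clinician's inbox.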
A warning for the healthcare industry
Kam and Ponemon point out that cybersecurity experts rate healthcare providers “at the bottom of other industries,” assigning them a letter grade of C or D. They warn that healthcare organizations need to be as good at protecting patient data as the hackers who are trying to attack it.
If that doesn’t happen, they foresee “a tsunami of healthcare data breaches and medical identity theft.” Their chilling warning: “This is just the tip of the iceberg.”