BreachExchange mailing list archives

Hacking Hospitals: The Present and Future Threat to Your Data


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 25 Aug 2014 19:06:00 -0600

http://www.nasdaq.com/article/hacking-hospitals-the-present-and-future-threat-to-your-data-cm383366

Privacy advocates are up in arms about the latest data breach, in which
hackers walked away with 4.5 million patient records after breaking into
servers at Community Health Systems, a national hospital operator that
recently acquired competitor Health Management Associates. The theft,
which included patient names, addresses, Social Security numbers, and
dates of birth, marks the latest in a string of data thefts at
high-profile companies, perhaps most famously the department store chain
Target.

It's likely this won't be the last theft of patient records. The hospital
industry is waist-deep in shifting away from its decades-long reliance on
metal file cabinets to electronic records that can be shared between a
patient's healthcare providers. Since the healthcare industry will continue
to implement more of these electronic systems, let's learn more about them.

First, a bit of background
Healthcare maintained its pen-and-paper record system long after other
industries, like banking, shifted to computers. However, the industry
has hastened to make up for lost time in order to take advantage of
government regulations designed to accelerate the adoption of electronic
health record, or EHR, systems.

In 2009, the U.S. Congress passed the Health Information Technology for
Economic and Clinical Health, or HITECH Act. That act includes a slate of
carrot-and-stick rewards and punishments for healthcare institutions based
on their adoption of healthcare IT systems. Those who implement such
systems receive bonuses, while those who fail to achieve certain levels of
meaningful use of such systems see their Medicare reimbursement rates fall.

The passage of the HITECH Act has kicked off a flurry of activity, and
proven a boon to dozens of companies, including market share leaders Epic
Systems, Cerner Corp., and McKesson, which have stepped in to serve the
industry.

Mixed messages
The majority of major hospital systems have already implemented EHR systems
in order to benefit not only from government incentives, but from promised
gains in efficiency and patient care. EHR systems offer a variety of
opportunities for major systems to record, track, and evaluate patient
health, not only individually, but also across larger patient populations.

Records can be shared with primary and specialty care physicians to quickly
identify potential risks, such as drug interactions, or genetic markers
that may help determine which specific medicine to prescribe. These records
can also serve as a treasure trove of analytic data that can be aggregated
and broken out by an endless combination of characteristics that may give
doctors important insight into what therapies produce the best outcomes.

Those advantages, however, also come with risk. Paper records sit in
physically separate silos, so stealing them in bulk requires physical
access to each one, which makes private data harder to take at scale.
Because EHR systems concentrate such important -- and sensitive --
information about individuals behind network-reachable systems, the move
toward them is exposing patients to a far greater risk of being targeted
by data thieves.

A big-time breach
The theft at Community Health Systems includes data from patients treated
at any of its more than 200 hospitals during the past five years. Data
thieves could conceivably use the patient data collected during this heist
to steal patient identities by opening credit cards, or taking out loans in
patients' names.

According to the company, cyber security experts it hired determined that
the data breach came from hackers in China that broke into Community Health
Systems' network at some point between April and June.

The future of securing cyber records
According to Reuters, the FBI issued a warning to healthcare providers in
April that their networks could be increasingly targeted by data thieves
because their systems are protected by generally less sophisticated
anti-intrusion technology than other industries, including banking and
retail. The reason for that stems from the industry having a much different
goal than these other industries. While banks and retailers are happy to
keep the data safely embedded within their own networks, healthcare
institutions are keenly focused on sharing their data across networks. That
inherent difference opens the door for more potential ways for hackers to
gain access to patient data.

Adding to the appeal of healthcare records to hackers is that healthcare
data may be more valuable, given that it can potentially be used to fill
fraudulent prescriptions for controlled substances like opiates. According
to Dell SecureWorks, cyber criminals were getting just $1 to $2 for credit
card numbers last year, but were getting closer to $20 for health insurance
credentials.

As a result, while the healthcare industry will deploy countermeasures to
reduce the risk of intrusions, hackers will also continue to target
everything from Internet-connected medical devices to online printers to
get their hands on the information. According to cyber security experts at
SANS, a study designed to determine the level of risk to healthcare IT
systems from hackers determined that healthcare providers, like hospitals
and private practices, were the main source of the malicious traffic
identified in the study, representing 72% of it, an indication that many
provider networks were already compromised.

Fool-worthy final thoughts
While hackers did walk away with sensitive data, they failed to get their
hands on patients' more detailed health records or payment information.
That is only partial comfort: unlike a payment card number, a name, Social
Security number and date of birth cannot be reissued, so the exposure of
those patients persists indefinitely. Patients who find they've had their
identities stolen due to the breach could conceivably sue Community Health
Systems under a federal health records protection law; fortunately, the
company has insurance to pay for just such an eventuality.

And patients worried that their data could still be stolen by the same
malware used this spring at the hospital chain can relax, at least for now.
The company claims it has fully removed the malicious software the hackers
used from its systems. Regardless, it's likely EHR systems are here to stay
given their potential to streamline and improve care, and that means we're
likely to see more attempts to steal that data in the future.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
