Medical Industry Among 'Most Vulnerable' to Cyberattack
A new report by the Washington Post shows that health care is "among the most vulnerable industries in the country" when it comes to the protection of sensitive patient data.
Experts told the Post that the industry's failure to address known problems puts patients at risk of fraud and identity theft and makes medical infrastructure susceptible to disruptive attacks that could cripple critical systems.
"If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed," said technical director Avi Rubin of the Information Security Institute at Johns Hopkins University. "I have never seen an industry with more gaping security holes."
Hospitals and other medical facilities have not been targeted by hackers to the same degree that financial institutions and corporate and military targets have, but the wealth of patient information that can be used to commit fraud and identity theft — credit card numbers, Social Security numbers, birth dates, addresses — could make them an attractive target, as could the sensitive nature of personal medical information.
The Post attributes the problem to the industry's desire to embrace the convenience of modern technology without knowing how to do it safely.
In one instance, the University of Chicago managed patient care through an unsecured dropbox with one username and password made readily available online.
In another, a researcher easily took over an electronic medicine cabinet via his Web browser. Rubin said the industry is generally remiss in fixing known security flaws and has a culture that favors convenience over even basic security protocols such as passwords.
Rubin said he found doctors and other employees connecting to the Internet and secure networks on the same devices, giving attackers a "pipeline" to the sensitive data.
Lax security, combined with a lack of government guidance on how the industry can and should improve, has made catching up even harder. The Food and Drug Administration, charged with regulating medical devices, last issued guidance on cybersecurity in 2005.
"A lot of people are very confused about FDA’s position on this," FDA compliance expert John Murray Jr. told the Post.
Meanwhile, according to the Post, there are hundreds of known vulnerabilities in widely used record-keeping software that can be exploited easily by someone with little technical skill.
Thus far, most medical data breaches have been the result of stolen devices such as laptops, but as the industry increasingly embraces wireless technologies and stores records digitally, shoring up network security is paramount.