The use of electronic medical records is on the rise, with 54% of physicians using an electronic health record system as of 2011. The 2009 Health Information Technology for Economic and Clinical Health Act provides Medicaid and Medicare incentives to healthcare providers who adopt these systems.
With an increasing number of patient records available in this format, many cyber criminals are moving to exploit the available data. Other types of medical technology, such as wirelessly connected medical devices, are open to cyber-attacks as well. Here are just a few ways cyber criminals are targeting the healthcare industry.
Identity Theft from Healthcare Provider Files
Healthcare providers are increasingly turning to cloud computing and digital data management for their patient files. The days of paper folders are soon coming to a close, but this puts patient data at risk from savvy cyber criminals. One study revealed over 49,900 malicious events among medical providers, business associates, pharmaceutical companies, insurance providers, and claims clearinghouses between September 2012 and October 2013.
Approximately 72 percent of the malicious traffic was associated with provider networks. Your doctor, dentist, or medical specialist could easily become the target of one of these attacks. The study found that many organizations never detected the malicious activity, while others took months to realize that they were compromised.
This study pointed out the dramatic vulnerability of the healthcare industry to cyber criminals. Hackers can gain access to patient names, addresses, medical information, and personal financial data through their medical files.
Ransomed Information from Healthcare Providers
Medical information is worth a great deal, particularly to the providers who collect, maintain, and protect it. Some cyber criminals have taken advantage of this, figuring that the data they can steal may well be more valuable to its original owner than anyone else. Multiple cyber criminals have taken to ransoming their stolen data.
An Australian medical clinic fell victim to this type of attack in 2012, with hackers demanding a $4,200 ransom for the return of the clinic’s medical files. Medical facilities are not the only target for this type of theft. Another Australian business had to pay a $3,000 ransom for the return of financial records. While anyone can fall prey to these hackers, the urgent need that a medical provider may have for patients’ files makes this industry more vulnerable than most to ransom demands.
In most cases, hackers using this approach will not steal the target’s data, but rather insert a virus that encrypts it, making it inaccessible. The hackers then refuse to provide access to the files until a ransom is paid. Authorities recommend that those targeted contact the police for assistance before giving in to a ransom. However, the mere idea that criminals could render one’s medical information inaccessible when it’s needed the most is a sobering one.
Data Theft from Government Sites
The delayed launch of the healthcare.gov site revealed many errors and weaknesses in the site’s design. Though the site is now up and running, experts contend that patients’ information is far from safe. David Kennedy, the head of computer security firm TrustedSec LLC, pointed out over 20 flaws in the site’s security as of early 2014.
In just five minutes, Kennedy designed a program that collected data from approximately 70,000 records. The program’s execution took just four minutes. All this was done without hacking the site, because the government keeps the data blatantly available to anyone who knows how to search for it. Arguments for the safety of the site have focused on the belief that hackers won’t see the value in this data and will instead focus their efforts elsewhere.
The stunning accessibility of this information makes it a prime target for hackers. With limited know-how, it’s possible for amateur criminals to gather information about people who use the healthcare.gov website. This instance underscores the fact that it isn’t only the extremely cyber savvy who can make use of individuals’ personal data.
Medical Device Hacking
One of the most terrifying threats in the medical community is medical device hacking. With the right knowledge, hackers can gain access to implanted medical devices such as pacemakers. Though there are no recorded incidents of this type of hacking, some individuals have demonstrated that it is possible.
Medtronic, Boston Scientific, and St. Jude Medical were all attacked by hackers in the first half of 2013. These are three of the biggest medical device manufacturers in the country. The target of these attacks is unknown. Medical device manufacturers have a wealth of proprietary information on their technologies that would be invaluable to competitors. Certain signs indicated that these attacks may have come from China.
Many medical devices, including insulin pumps and pacemakers, are now connected wirelessly to provider networks. While this allows doctors to provide emergency medical assistance from afar, it also makes these devices vulnerable to a hacker’s attack. A high dose of insulin or electrical shock to the heart could prove fatal.
Internal Hacking and Sale of Information
Disgruntled employees can pose a serious threat in the healthcare industry, where information is easily hacked from the inside by employees with proper credentials to get past the first few safeguards. A Florida Hospital employee stole data from more than 700,000 patient records in 2011 and sold the information to interested parties. Businesses providing attorney and chiropractic services, for example, were interested in information on patients who were recently treated as a result of a car accident.
In February 2014, information from three major hospitals in Shanghai was stolen and sold to pharmaceutical companies. These hackers were also insiders who had access to the hospitals’ systems. Wireless networks let one of the hackers do the job from his car, using a laptop.
The medical data industry is projected to reach $10 billion by 2020. With so much money changing hands for patients’ medical information, it seems inevitable that enterprising criminals will want to get their hands on some of the cash.
Keeping information safe is a prime concern for both patients and healthcare providers, with many important considerations to address in the coming months and years.