Healthcare lags other industry sectors in security practices and is highly vulnerable to hacking, a yearlong investigation by the Washington Post concludes.
"I have never seen an industry with more gaping security holes," Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University, told the Post. "If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed."
The Post article follows two related warnings: an article in the journal Telemedicine and e-Health cautioning that healthcare could be a cyberterrorism target, and an October meeting of a medical-device panel at the National Institute of Standards and Technology Information Security and Privacy Advisory Board that discussed how the rampant malware found on medical devices could be used by hackers.
Hackers generally are looking for financial information from which they can make a profit, rather than patients' lab results, for instance, according to a Verizon report, but the potential exists to interfere with various hospital systems and to undermine confidence in patient information stored electronically.
Verizon Chief Medical Officer Peter Tippett told the Post that healthcare ranks near "the bottom of the list" of industries in terms of cybersecurity. Rubin pointed to the routine failure to fix known software flaws in aging technology and a culture in which healthcare workers routinely opt for convenience rather than compliance with basic security measures--such as passwords--as reasons for such a dubious distinction.
Residents managing patient care at the University of Chicago Medical Center, for instance, were using an unsecured Dropbox site with a single user name and password that were published in an accompanying manual. (That has changed since the Post's inquiry, according to the article.)
The U.S. Food and Drug Administration has urged hospitals to look to vendors for guidance on security of sophisticated devices, according to the Post. Vendors, however, sometimes tell hospitals that they cannot update FDA-approved systems--an argument similar to that highlighted in a recent Wall Street Journal article about denying patients access to their own data from implanted defibrillators and heart monitors.
The industry has focused attention on the problem of securing electronic information and is playing catch-up. A recent report from the HHS Office of Inspector General urged HHS to play a more active role in educating physicians about protecting patient data in electronic health records.