Though less common than breaches from lost laptops or other devices, hacking is on the rise in healthcare, experts say. Fending off cyber criminals, however, should go beyond treating security as a routine matter of protecting patient privacy, according to a recently published research report from CSC's Global Institute for Emerging Healthcare Practices.
"It needs to be more of an ongoing, constant, holistic type of approach where you're looking at your systems from the perspective of someone on the outside," lead author and senior research specialist Jared Rhoads, pictured, told FierceHealthIT, speaking about the risk assessments the report recommends.
Rhoads described hacking as "still the kind of thing that statistically won't happen to you yet," but that "is happening often enough that we're taking notice of it." A recently published Wired article hypothesized that as health data increasingly is pushed online, hacking becomes less a question of "if" and more a question of "when."
Examples from the past year show hackers can wreak havoc. Among them:
- The Utah Department of Health announced last spring that hackers based in Eastern Europe had broken into one of its servers and stolen personal medical information for almost 800,000 people.
- At Indiana University Health Goshen Hospital last winter, a virus was discovered on a server, potentially exposing information on 12,374 job applicants and fewer than 500 patients.
- Froedtert Health in Milwaukee in February notified roughly 43,000 patients that protected health information may have been compromised from systems also infiltrated by a computer virus.
How hackers gain access
Healthcare data breaches, in the end, are similar to other cyber crimes perpetrated by hackers searching for financial information from which they can make a profit, according to a Verizon report published last fall.
Hackers generally crack into hospital systems through poorly configured tools and software, Rhoads said. Indeed, Utah officials involved in the above-mentioned situation admitted their system still had the factory password.
What's more, in a hypothetical scenario outlined in an article published in December in the journal Telemedicine and e-Health, researchers wrote that hackers could use phishing emails to introduce malware into hospital networks. Over a series of weeks, the authors wrote, the hackers could use a series of small, hard-to-detect incursions that could infect patient record databases, mobile devices and, eventually, medical monitors and drug infusion pumps.
The BYOD trend, according to a CSC article written earlier this year, also presents a whole new rash of security vulnerabilities.
The risks cannot be ignored. The Ponemon Institute put the average cost of identifying and notifying affected individuals--now mandatory under the law--at $214 per record, and the average settlement cost of a medical identity case at more than $250,000, the CSC report notes. And the Office for Civil Rights in January levied its first penalty--$50,000--for a HIPAA breach affecting fewer than 500 people.
Security compliance regulations should be the minimum
Hospitals and healthcare organizations traditionally choose to base their security efforts on complying with state and federal regulations, according to the CSC report. Instead, it says, such laws should be considered the "floor" for such efforts, rather than the "ceiling."
Hiring so-called "ethical hackers" is one way to put fresh eyes on your system's security, and to go above and beyond what the law requires, according to Rhoads.
"Some of them used to be hackers and they know how to think like hackers--they're experts at security who will say, 'How would I gain access to this organization?'" Rhoads said. "They will promise not to do anything bad, but they'll test your systems as if they were a hacker."
Managed security service providers are another option for small hospital IT staffs with way too much on their plates to keep up with the latest threats. Indeed, most breaches go on for months before they're discovered, Rhoads said.
With regard to BYOD, health leaders, the report suggests, should not try to fight the trend. Instead, it says, sound policies should be developed and security training implemented to help workers effectively do their jobs. It advocates multi-factor authentication over systems that require passwords.