The health care sector is an especially attractive target for cyberattacks, and it is especially vulnerable because of its weakest link: the supply chain.
That’s the conclusion I drew following a recent interview with Al Berman, president of Disaster Recovery Institute (DRI) International, a non-profit organization in New York that helps companies prepare for and recover from disasters. Berman explained the health care supply chain problem this way:
The thing that you start to look at with more sophisticated cyberattacks is the number of vendors that they’re using. If you go back to the Target attack, which was really perpetrated by infiltrating one of their vendors, you start to look at the number of people who are attached to health care providers—all of the pharmaceutical houses, all of the medical suppliers, hospital centers. It’s a much easier target, because all you have to do is find a vendor that tends to be very vulnerable, and is not putting the same emphasis [on security] that you see in health care.
According to Berman, all of this speaks to the importance of properly vetting suppliers:
More and more vulnerabilities are coming from suppliers, so you need a really good vetting process to understand exactly what the vulnerabilities are. I think you’re seeing that coming out in HIPAA regulations compliance, which has put this as one of the key issues in risk management for health care organizations in general.
Berman went on to explain why the health care sector is a particularly attractive target for cyberattacks:
If you look at what’s at stake, health care records tend to have more information than almost any other kind of records. For example, if you were to attack an HMO or a hospital, not only are you likely to get the person’s name and address, but you’re also likely to get their social security number; you’re likely to get their date of birth, names of relatives, a lot more information. The value of stolen cyber information really depends on how thorough the information is—the more thorough the information is, the more valuable it is on the open market for selling this information. When you steal from health care records, you get almost everything—the medication they take, all the illnesses. So if you really are trying to sell that information for somebody else to use for identity or financial theft, you get a really complete package that you don’t get from a lot of other places.
If there’s any good news, it’s that health care organizations are taking the issue seriously, Berman said:
If you look at the regulatory requirements of HIPAA and CMS [Centers for Medicare & Medicaid Services], for example, there are severe fines for breaches of electronic patient history information. So I think they do take it very seriously—I just think it’s a difficult battle for hospitals, probably more so than HMOs, simply because they’re more vulnerable. It’s a financial issue—how much money can you spend on this? Whereas a brokerage house may spend $350 million protecting its financial assets, it’s hard to believe a hospital or HMO would do the same.
Berman wrapped up the conversation by stressing the essential nature of recognizing and dealing with risks associated with the insider threat:
We tend to look at this as high tech used by really sophisticated people, but a lot of these threats are coming from inside. A lot come from pure stupidity—some of the earliest cases of vulnerabilities stemmed from people losing laptops with information on them. We’ve seen this where it’s just been pure carelessness—a lack of concern for the information. So I think there’s a need for education, to talk to people about protecting information—making employees aware of the importance of not using corporate computers for private means, where somebody is out there phishing and gets some information, or somebody uploads a virus, especially through social media, which everybody knows is becoming a real vulnerability. … I know it’s something that health care organizations are working on.
A contributing writer on IT management and career topics with IT Business Edge since 2009, Don Tennant began his technology journalism career in 1990 in Hong Kong, where he served as editor of the Hong Kong edition of Computerworld. After returning to the U.S. in 2000, he became Editor in Chief of the U.S. edition of Computerworld, and later assumed the editorial directorship of Computerworld and InfoWorld. Don was presented with the 2007 Timothy White Award for Editorial Integrity by American Business Media, and he is a recipient of the Jesse H. Neal National Business Journalism Award for editorial excellence in news coverage. Follow him on Twitter @dontennant.