Security experts have a lot of concerns and added responsibilities as connected devices, large and small, burrow their way ever deeper into people’s lives. Nowhere is the increasing need for oversight greater than in health care.
This week, the Workgroup for Electronic Data Interchange (WEDI) released a primer on how a health care organization should protect itself in cyberspace. In its story on the primer, Health IT Security carries a statement from WEDI President and CEO Devin Jopp illustrating the acceleration of health care compromises. From 2010 to 2014, 37 million health care records were compromised in breaches. That sounds like a lot, until it is considered that there were 99 million compromises in just the first quarter of this year. The primer has sections on the lifecycle of cyberattacks and defense, the anatomy of an attack, and ways of “building a culture of prevention.”
Those attacks were aimed at gathering patients’ financial and related data. Another health care vulnerability – and one that is in many ways even more frightening – is attacking connected health care devices in order to hurt people. For some reason, there are people in this world who find it okay to interfere with a heart patient’s pacemaker.
Dark Reading discusses a report that looks at hybrid initiatives in which crackers attack medical devices – but do so in order to gain access to financial and personal data:
A report by TrapX scheduled to publish next week reveals three cases where hospitals were hit by data breaches after their medical devices had been infected with malware backdoors to move laterally within the health care network. In all three cases, the hospitals were unaware that these devices–a blood gas analyzer, a picture archive and communications system (PACS) and an x-ray system–were infiltrated with malware. The devices were spotted when TrapX installed its sensor-based technology in the hospitals, which TrapX declined to identify by name.
The details of the attacks were different. The bottom line is that once crackers get behind the firewall, they are capable of doing much damage. There also are no silver bullets or absolutes. In a Q&A with Healthcare Informatics, Reid Stephan, the chief information officer for St. Luke’s Health System in Boise, Idaho, said that the keys are to accept that breaches will occur and focus on finding them quickly.
The company has an array of systems that monitor, collect and interpret indicators of compromise (IoC). A second useful source of information about breaches is simply maintaining good communications with related organizations, such as insurance companies, that have been hacked. St. Luke’s has nine hospitals, more than 200 clinics, and 14,000 employees in Idaho and Oregon.
The medical and financial industries have a higher level of difficulty when it comes to security. In health care, the stricter requirements are embodied in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Health Leaders Media takes a look at the issue through the prism of cyber insurance. There are three types of insurance: liability coverage, business interruption coverage and regulatory fines and penalties coverage. The bottom line is that the explosion of connected devices – both diagnostic and those that help patients directly – is increasing the vulnerabilities.
The increasing use of the Internet for health care guarantees that crackers will sharpen their attacks as time goes on. Hopefully, the good guys will, as well.
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at cweinsch@optonline.net and via Twitter at @DailyMusicBrk.