Technology has played a very pivotal role in our lives. Growth in technology is always synonymous with growth of humans directly. With all the advantages, there have been several downsides to this as well. Technology has allowed certain malicious users to exploit our over-dependency on it and take advantage of it. The more complex and advanced our technology has evolved, the more problems it has brought in front of us. Nowhere else has this been more evident than the healthcare industry.
Hospitals deal with Electronic Health Records (EHR) all the time. This includes patient’s demographic information, name, address, social security number (SSN), electronic prescriptions, dosages and insurance information. These are considered highly confidential information and should always be kept strictly within the hospital records. Lately, that has not been the case. Hospitals, in general, have security networks that are heavily outdated and poorly maintained. The older a technology, the easier it is for hackers to get into the systems. This makes the healthcare industry the most vulnerable when it comes to protecting their information. In the US, even though Health Insurance Portability and Accountability Act (HIPAA) laws being designed to protect patients against loss, theft or the disclosure of patients’ sensitive medical information, there remains a lot of healthcare entities that have not implemented basic safeguards like encrypting data or using a two-factor authentication process, which are risk management tactics that were recommended since 2006.
More than 80 percent spend less than 6 percent of their IT budgets on security, and more than 50 percent say that figure is less than 3 percent, which is alarming given the significantly higher percentages spent on security in other industries such as government (16 percent) and finance (between 12-15 percent)
HIMSS Analytics and Symantec – “Addressing Healthcare Cybersecurity Strategically.”
Why is EHR so important
You would think why a patient’s health information is so crucial and how can someone make any use out of it. While Personal Identifiable Information (PII) was leaked in other data breaches, EHR breaches are far worse. For example, date of birth, medical insurance ID, and a Social Security number can be combined to acquire medical insurance. Prescription for patients can be used to buy illegal drugs.
The price of a EHR is predicted to be around $500,000 USD.
In the above picture, medical insurance ID card was being stolen in a Dark Web site called Alphabay for $1 per card.
When the paper filing system in hospitals changed to electronic systems, security was an afterthought since there generally is a lack of understanding in the medical community to take the necessary steps to secure their network and hence it is not given a priority.
While a bank has more money stored, they also have quite a few security protocols in place and breaking through them can be tough. Money trails are also easy to track. Information, on the other hand, is a lot harder to track. Moreover, attackers who have gained access to the PHI of patients can hand it over to the highest buyer and slide back into their shadows once again while staying anonymous all this while.
How do attacker target the healthcare industry
- Ransomware
Ransomware is one of the biggest ways attackers are using to target healthcare institutions. A ransomware attacks locks the file system/computer system altogether and make you pay a ‘ransom’ to get the data back. Different ways that an attacker can get the virus into the hospital system by accessing the WiFi at the hospital which was set up without an encryption on it. I address how to protect yourself from ransomware in a previous post here.
2. Phishing
Phishing is another major method of how attackers target healthcare industry and even healthcare professionals. Attackers send you an email containing malicious virus which when opened installs the virus on your desktop. Once its in the system, viruses can travel via the network to infect the entire system.
3. Social Engineering
Hackers looking to exploit a healthcare network’s security system often target hospital staff and other human victims in order to gain access. This type of attack happens through social engineering as a means of subverting even the most rigorous security systems. Phishing attacks, the most common social engineering approach, use a manipulative email to trick a victim into clicking a link or entering their password information. These emails will often download malicious software directly to the system, granting the attacker unlimited access.
4. Distributed Denial of Service (DDoS)
These attacks create a coordinated assault from several hundred to several thousand computers, which overwhelm a network or server to the point of inoperability.
5. Legacy technology still being used
Many hospitals are still using legacy apps or old apps to preserve the data of their patients. However, using legacy applications give cybercriminals a significant opportunity to take advantage of the vulnerability of old operating systems and structures.
Hi, this is very usuful article in health care system. U have beautifully explained it. But I am waiting for ur next blog in which u will give us solution to the problem of hacking in electronic health system.
It is really eye opener for all health care providers.its true that most of us are not serious to protect patient data which can be hacked and misused.
Kindly also guide us to take measures to protect our data.
Very useful