Ransom, implant attack highlight need for healthcare security

Reports find real healthcare breach damage is not in the statistics

By Taylor Armerding, CSO
January 09, 2013 07:45 AM ET

CSO - All healthcare data breaches are not equal. 

They're all bad, and reaching epidemic levels. The security testing company Redspin, for one, found that Protected Health Information (PHI) breaches nearly doubled from 2010 to 2011. The Department of Health and Human Services has reported 525 breaches of 500 or more records, involving 21.4 individuals over the past three years, said Redspin president and CEO Daniel Berger.

But the raw numbers are only a piece of the story, as Gienna Shaw, editor of FierceHealthIT, noted in a post this week. "It's not the numbers that interest me most. It's the stories behind them," she wrote. "And there are so many stories ..."

One involved the Surgeons of Lake County, a small medical practice in Libertyville, Ill. Hackers broke into the system last summer, gained access to the names, addresses, Social Security numbers, credit card numbers and some medical information on more than 7,000 patients, then encrypted all the information and demanded a ransom.

Another involved medical students creating fake identities so they could post patient information on Facebook and other social media sites. A third involved malware infecting hospital equipment.

Shaw said the Veterans Administration reported "173 incidents of security breaches of medical devices from 2009-11 that disrupted glucose monitors, canceled patient appointments and shut down sleep labs."

She also cited a 2012 report from the Government Accounting Office that said wireless implanted medical devices such as defibrillators and insulin pumps for people with diabetes were vulnerable to hacking.

No hacker with a laptop so far has delivered a fatal shock to a pacemaker patient. But just the possibility is "some serious freak-out level information," Shaw wrote.

Why, when other industries -- particularly the financial sector -- have been able to curb the frequency of damage from data breaches, have things in the healthcare industry gotten worse? Bill Ho, president of Biscom, called it partly a Willie Sutton syndrome, named for the bank robber who said he chose that profession because, "that's where the money is."

"There is a lot of good information you can use [in health data]," Ho said. "[And] not just for money but for things like social engineering."

Redspin's Berger said records often include more than Social Security and credit card numbers. They also include, "personally sensitive information such as diagnoses, treatment plans, prescription information and complete medical histories," he said.

The advantage of electronic health records is clear, but it carries risk. Adam Levin, founder of Credit.com and former director of the New Jersey Division of Consumer Affairs, wrote in a Huffington Post blog post: "To have current, accurate, and reliable data about a patient's medical history just a click away -- whether the issue is urgent or routine -- will save money, time, and, of greatest import, lives." But attacks to steal and sell personal health data or hold it for ransom are also "ultimately made possible by the digitization of medical records and the placement of those records on networks -- often unprotected ones," Levin wrote.