When a consumer publication like The Washington Post — hardly an insider journal of computing — picks out your industry and slams it for having poor cybersecurity, you know something’s amiss.
The newspaper has just published a report, following a year-long cybersecurity investigation, arguing that healthcare is one of the most vulnerable industries in the U.S., making it a tasty target for terrorists, black-hat hackers and criminals.
It’s rather embarrassing, but it’s hard to argue with the Post’s conclusion that healthcare data security isn’t what it could be. A few data points:
* Researchers are finding that healthcare institutions routinely fail to fix known bugs in aging software, something other industries have largely overcome.
* Providers are making careless use of public cloud tools; the paper cites the example of the University of Chicago medical center, which at one point operated an unsecured Dropbox site for new residents managing care through their iPads (with a single user name and password published online, yet!).
* According to Post research, the open source electronic health record system OpenEMR “has scores of security flaws that make it easy prey for hackers.”
* In perhaps the scariest example, the paper notes that clinicians routinely work around cybersecurity measures to get their job done.
Another factor contributing to cybersecurity holes is confusion about the FDA’s position on security. While the agency actually wants vendors to update FDA-approved device interfaces and systems, vendors often believe that the FDA bars them from updating device software, the Post found.
That leaves devices, especially defibrillators and insulin pumps, open to attacks. Researchers have been able to find these devices, linked to the web in the clear, simply by using a specialized search engine.
As wireless medical devices and smartphones, iPads and Android devices creep into the mix, cybersecurity vulnerabilities are likely to get worse, not better. I wonder whether we’ll need to see a cybersecurity disaster take place before the industry catches up to, say, financial services?