Healthcare Faces Massive Cybersecurity Risks

When a consumer publication like The Washington Post — hardly an insider journal of computing — picks out your industry and slams it for having poor cybersecurity, you know something’s amiss.

The newspaper has just published a report, following a year-long cybersecurity investigation, arguing that healthcare is one of the most vulnerable industries in the U.S., making it a tasty target for terrorists, black-hat hackers and criminals.

It’s rather embarrassing, but it’s hard to argue with the Post’s conclusion that healthcare data security isn’t what it could be. A few data points:

* Researchers are finding that healthcare institutions routinely fail to fix known bugs in aging software, something other industries have largely overcome.

* Providers are making careless use of public cloud tools; the paper cites the example of the University of Chicago medical center, which at one point operated an unsecured Dropbox site for new residents managing care through their iPads (with a single user name and password published online, yet!).

* According to Post research, the open source system OpenEMR “has scores of security flaws that make it easy prey for hackers.”

* In perhaps the scariest example, the paper notes that clinicians routinely work around cybersecurity measures to get their job done.

Another factor contributing to cybersecurity holes is confusion about the FDA’s position on security. While the agency actually wants vendors to update FDA-approved device interfaces and systems, vendors often believe that the FDA bars them from updating device software, the Post found.

That leaves devices, especially defibrillators and insulin pumps, open to attacks. Researchers have been able to find these devices, linked to the web in the clear, simply by using a specialized search engine.

As wireless medical devices and smartphones, iPads and Android devices creep into the mix, cybersecurity vulnerabilities are likely to get worse, not better. I wonder whether we’ll need to see a cybersecurity disaster take place before the industry catches up to, say, financial services.

About the author

Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.


  • Katherine,

    Thanks for posting this. It’s a well done article and exception to the often superficial articles in the general press. Distinctively, the writer looked beyond EMRs or at known lapses, but categorized several problem types with examples and added where the FDA, etc., stands.

    What has prevented the poor state of security from being even worse has been the attitude that medical information had little pecuniary value. As other sectors close their doors to exploitation, medical IT systems’ vulnerability will appear more inviting. Along with usability and interoperability, product vendors, system administrators, etc., need to play catch up on security or face regulatory and user rebellion.

  • Seems like the statement “OpenEMR has scores of security flaws” is simple sensationalism.
    Points: OpenEMR is an open source project, not a “product” that comes out of a box. You get the code, then install it how you wish. If you install it without HTTPS, fail to configure it properly (turn off any development modes) and fail to delete install files… AND give the “hacker” a login and password, then it is very easy indeed to find places where SQL injection (for instance) may be used. At that point, you would not need to use SQL injection or any other trick anyway. This was not explained in the article for the obvious reasons, I am sure.

    Any time a security issue is published (even for an authorized user), openEMR developers respond. It certainly is not the poster child for security issues. Not very nice to name names, then not post any specifics.
    I think he used it as an example simply because it is popular, and he could get the code, and he needed a name to use. The fact that the “security flaws” amount to a strawman argument doesn’t matter as much as the fact that, as an open-source project, he will not expose himself to legal action.
    Among the OpenEMR community, security is NOT an ignored issue. It is foremost in everyone’s minds. Furthermore, promoting a tool such as OpenEMR helps prevent medical professionals from using ad hoc record systems like public-account FTP (Dropbox etc.), webmail and other inefficient, insecure, and ineffective methods of documentation and communication. The problem is not EMRs as much as lack of very basic IT and computing skills in medical offices. Ancient (and new) commercial “blackbox” subscription software and such are not the fix either. Every provider in the US (correction… the World) should be able to have a record system that does its job efficiently and securely, know how to use it, and be able to use it to communicate data to other providers effectively. This applies to the 90210 cosmetic surgeons that everyone worries about, all the way to free clinics and mental health counselors making 28K a year working with foster children. That means a free system available to everyone. Everyone.

    All other issues of addressing security and all that blah-blah are absolutely meaningless compared to the need to simply bring the benefits of the information age to the providers of this basic human need. Get to that point, THEN you can talk about stuff at this level. This article in the Post has really brought home to me just how limited an outlook, a failure to see the big picture, most folks have.

    Final answer: Medical professionals need re-training to give them some basic skills in IT (IT meaning “data handling,” not becoming a code monkey or hardware guru). They also need real training from NON-COMMERCIAL sources that explain to them what HIPAA, HITECH, the CFRs and their state statutes really say. I rarely find one that knows what the CFRs are, or has ever really read any documentation for themselves. They have Myths and Legends about HIPAA, and use it as a flag to wave ahead with using fax machines, wet ink signatures and all sorts of other folderol, then they use their Gmail or Yahoo account and Dropbox… never considering that without a Business Partner Agreement with Google, they have just had a HIPAA violation and a disclosure.

  • Health IT lags behind the rest of the IT world – that’s hardly breaking news. One symptom of that general lag is highlighted by the WaPo article – a rush to implement new technologies or, worse, to jerry-rig legacy technologies for the internet-enabled world, can create information security risks. But let’s not make the mistake of assuming that “Health IT” describes a homogeneous set of vendors and technologies. Like anything else, security can be done poorly or it can be done well. Legacy systems tend to do it poorly, as noted above: “Researchers are finding that healthcare institutions routinely fail to fix known bugs in aging software, something other industries have largely overcome.” One way that problem is “overcome” in other industries is by not continuing to use “aging software” long past the point of obsolescence – an all-too-common phenomenon in the healthcare IT world.
    The important thing is to get more providers using systems that do security – and everything else – well. Setting our expectations and then our standards appropriately (meaning: in the 21st century!) will be a big step.
