Healthcare data at risk: Internet of Things facilitates healthcare data breaches


By Rodika Tollefson, ThirdCertainty

The assassin takes out the U.S. vice president by hacking into his pacemaker and stopping his heart in a way that looks like a natural heart attack.

It happened in Hollywood, on an episode of Showtime’s hit TV series Homeland. While this particular scenario may be far-fetched, there are other plausible situations that involve hacking medical devices for criminal purposes.

This is not the stuff of science fiction. It is a rapidly unfolding reality stemming from our headlong rush to embrace the Internet of Things, or IoT, security and privacy experts say.

Infographic: The ripple effect of medical identity theft

IoT is the notion of tying utility meters and household appliances — everything from the telephone and TV to the baby cam and the fridge — into the Internet. IoT doesn’t stop at the front door. It extends to wearable technology, our transportation system, shopping malls and hospitals and clinics.

Connecting sensors and the data they collect allows us to monitor and control devices remotely, customized for individuals’ habits and preferences, in addition to allowing devices to work in unison, which strengthens their value.

In the healthcare field, IoT conjures the potential for a golden era of medicine. Imagine conveying diagnoses and consultations in real time and integrating therapies swiftly into medical devices and health-related apps.

But as Hollywood reminds us, IoT also introduces fertile ground for spies, assassins and terrorists, not to mention ordinary profit-motivated criminals.

Easily breached devices

Larry Ponemon, founder and chairman of research firm Ponemon Institute, isn’t a scriptwriter. Yet he says he can easily envision a scenario where a nation-state sponsored group accesses healthcare devices and records to, for example, change a populace’s blood types en masse.

“It would be a way to really damage a country and create maximum disruption to the economy,” Ponemon says.

Indeed, insulin pumps, MRI machines and other medical systems tied into the IoT create many more hackable access points. And those devices, in turn, mesh into networks governing admissions, lab testing and patient billing, all known to be easily breached.

Last spring, Norse and think tank The SANS Institute released a study showing how some 375 U.S. healthcare organizations were actively compromised in a period from September 2012 to October 2013.

The attackers infiltrated internet-connected radiology imaging software, conferencing systems, printers, firewalls, Web cameras and mail servers to access patient files and other information.

Norse has devised innovative technology for monitoring such cyberattacks in real time. A tiny sampling of its data revealed 724 infected appliances actively carrying out fraudulent tasks.

This exposure exists because many of the embedded computer operating systems used in medical settings were deployed with little thought put into security, says Kurt Stammberger, senior vice president of marketing at Norse.

“The sheer variety of embedded devices is one factor,” Stammberger notes. “Another obstacle is that these devices were designed with no way to push out a security update or patch.”

Making inroads

Even if the embedded systems that run medical devices could be easily patched, the Healthcare Insurance Portability and Accountability Act (HIPAA) imposes certification rules that make patching a time-consuming, costly exercise, Stammberger adds.

Hospital administrators are aware of the exposure. In Ponemon Institute’s most recent study on patient privacy and data security, responding medical organizations indicated employee negligence was their biggest worry (at 75 percent), followed by the use of public cloud (41 percent), mobile device security (40 percent) and cyberattacks (39 percent).

All of that said, Ponemon says he is seeing inroads in the industry, with healthcare organizations paying more attention to identity theft and expanding the roles of IT managers.

But the medical field still has a long way to go. Security improvements simply are not keeping up with the threats.

More major hacks, like the high-profile breach at Community Health Systems disclosed this past summer, are in the cards, security and privacy experts say. CHS, the parent company of 206 hospitals in 29 states, lost Social Security numbers and other personal data for 4.5 million patients in a sophisticated attack that has been linked to the Chinese government.

“The financial world has had one to two decades to get good actors,” says Ann Patterson, senior vice president and program director for Medical Identity Fraud Alliance (MIFA). “The healthcare sector is 10 to 15 years behind in terms of being able to manage all the electronic data and being all networked.”

Healthcare data at risk — a three-part series:
Part 1, Jan. 5: Why medical records are easy to hack, lucrative to sell

Part 2, Jan. 7, How thieves and scammers are cashing in.
Guest essay: Why hospitals need to go beyond HIPAA compliance to secure data
