Healthcare data at risk: Internet of Things facilitates healthcare data breaches
By Rodika Tollefson, ThirdCertainty
The assassin takes out the U.S. vice president by hacking into his pacemaker and stopping his heart in a way that looks like a natural heart attack.
It happened in Hollywood, on an episode of Showtime’s hit TV series Homeland. While this particular scenario may be far fetched, there are other plausible situations that involve hacking medical devices for criminal purposes.
This is not the stuff of science fiction. It is a rapidly unfolding reality stemming from our headlong rush to embrace the Internet of Things, or IoT, security and privacy experts say.
Infographic: The ripple effect of medical identity theft
IoT is the notion of tying utility meters and household appliances—everything from the telephone and TV to the baby cam and the fridge — into the Internet. IoT doesn’t stop at the front door. It extends to wearable technology, our transportation system, shopping malls and hospitals and clinics.
Connecting sensors and the data they collect allows us to monitor and control devices remotely, customized for individuals habits and preferences. , in addition to allowing devices to work in unison which strengthens their value.
In the healthcare field, IoT conjures the potential for a golden era of medicine. Imagine conveying diagnoses and consultations in real time and integrating therapies swiftly into medical devices and health-related apps.
But as Hollywood reminds us, IoT also introduces fertile ground for spies, assassins and terrorists, not to mention ordinary profit-motivated criminals.
Easily breached devices
Larry Ponemon, founder and chairman of research firm Ponemon Institute, isn’t a scriptwriter. Yet he says he can easily envision a scenario where a nation-state sponsored group accesses healthcare devices and records to, for example, change a populace’s blood types en masse.
“It would be a way to really damage a country and create maximum disruption to the economy,” Ponemon says.
Indeed, insulin pumps, MRI machines and other medical systems tied into the IoT create many more hackable access points. And those devices, in turn, mesh into networks governing admissions, lab testing and patient billing, all known to be easily breached
Last spring, Norse and think tank The SANS Institute released a study showing how some 375 U.S. healthcare organizations were actively compromised in a period from September 2012 to October 2013.
The attackers infiltrated internet-connected radiology imaging software, conferencing systems, printers, firewalls, Web cameras and mail servers to access patient files and other information.
Norse has devised innovative technology for monitoring such cyberattacks in real time. A tiny sampling of its data, revealed 724 infected appliances actively carrying out fraudulent tasks.
This exposure exists because many of the embedded computer operating systems used in medical settings were deployed with little thought put into security, says Kurt Stammberger, senior vice president of marketing at Norse.
“The sheer variety of embedded devices is one factor,” Stammberger notes. “Another obstacle is that these devices were designed with no way to push out a security update or patch.”
Even if the embedded systems that run medical devices could be easily patched, the Healthcare Insurance Portability and Accountability Act (HIPAA) imposes certification rules that make patching a time consuming, costly exercise, Stammberger adds.
Hospital administrators are aware of the exposure. In Ponemon Institute’s most recent study on patient privacy and data security, responding medical organizations indicated employee negligence was their biggest worry (at 75 percent), followed by the use of public cloud (41 percent), mobile device security (40 percent) and cyberattacks (39 percent).
All of that said, Ponemon says he is seeing inroads in the industry, with healthcare organizations paying more attention to identity theft and expanding the roles of IT managers.
But the medical field still has a long way to go. Security improvements simply are not keeping up with the threats.
More major hacks, like the high-profile breach at Community Health Systems disclosed this past summer are in the cards, security and privacy experts say. CHS, the parent company of 206 hospitals in 29 states, lost Social Security numbers and other personal data for 4.5 million patients in a sophisticated attack that has been linked to the Chinese government.
“The financial world has had one to two decades to get good actors,” says Ann Patterson, senior vice president and program director for Medical Identity Fraud Alliance (MIFA). “The healthcare sector is 10 to 15 years behind in terms of being able to manage all the electronic data and being all networked.”
Healthcare data at risk — a three-part series:
Part 1, Jan. 5: Why medical records are easy to hack, lucrative to sell
Part 2, Jan. 7, How thieves and scammers are cashing in.
Guest essay: Why hospitals need to go beyond HIPAA compliance to secure data
Walgreen’s $1.4 million settlements highlights medical records privacy
Case study: Identity thief may be someone you know
Shodan search engine exposes built-in vulnerabilities