Global healthcare systems that often use electronic health records?(EHR)?to medical devices are more vulnerable to cyberattacks than many realize.
According to e-security firm Fortinet, the black market for patient data is?up to twenty times more valuable?than that for credit card data often stolen in retail breaches.
When a credit card is stolen, algorithms in the financial industry pick up unusual activity very quickly and systems often automatically provide protection. These same protections simply don?t yet exist in healthcare.
?
Fortinet said there are, in fact, three primary vectors of a healthcare cyberattack.
Traditional cyberattacks
These are the types of attacks that happen to all institutions, even if some are more likely to make headlines than others. Malware, phishing schemes, trojans, ransomware – they?re all out there, but the healthcare industry is particularly vulnerable because it lacks the built-in protections and underlying security mindset of other industries.
These types of malicious software, whether deployed through targeted attacks, compromised websites, spam, infected mobile devices, or otherwise, can not only expose sensitive data but create distracting and expensive IT headaches. A?2012 Ponemon Institute study?found that data breaches cost the average healthcare organization roughly $2.4 million over the previous two-year period.
?
These attacks aren?t terribly new, but their sophistication is and the ability to expose patient data is of real concern. Cybercriminals have developed entire malware platforms that can be customized to attack healthcare organizations.
Connected medical devices
In 2011, the?Association for the Advancement of Medical Instrumentation (AAMI) found that?the average hospital had 1.4 networked medical devices per bed, double the number just two years before.
Today, everything from heart monitors to IV pumps can be networked, automatically interfacing with EHR systems and providing real-time alerts to healthcare providers.
From the perspectives of patient care and operational efficiency, this is a good thing. From a security perspective, it?s a potential nightmare.
And it isn?t just patient data that?s vulnerable through connected devices. Cyberterrorists could potentially manipulate machines to intentionally harm patients or shut down critical systems in hospitals.
As early as 2011,?one researcher demonstrated?how an insulin pump could be hacked to deliver a lethal dose of insulin.
?
Personal and home health devices
Device proliferation isn?t just occurring in hospitals. An increasing numbers of home health devices, mobile apps, wearables, and more are collecting and transmitting personal health information.
Not only do these devices and apps potentially expose patient data (or at least fail to adequately protect it), but they also often interface directly with EHR and clinical data systems.
The healthcare industry as a whole needs to be proactive and begin deploying systems with security baked in, protected at both the network and application levels.
