Cyber Criminals are Hitting Us Where it Hurts; A New Report Shows that Healthcare Organizations May Not Even Know the Danger Exists

February 27, 2014

The medical industry has come under siege by hackers.  Recent reports have shown that healthcare organizations are being attacked at a high rate, with roughly three hundred and seventy-five attacks occurring within one year.  Several reasons have been postulated for the amount and severity of these attacks, which may have serious repercussions for patients and their families.
The attacks have led to breaches that expose patient data and compromise the integrity of medical equipment. They target healthcare providers most often, but also insurers and pharmaceutical companies. The theft of patient data often includes sensitive information such as social security numbers and addresses. Interference with medical equipment can be even more sinister—allowing hackers to obtain control of machines used for patients in critical care.

Researchers and healthcare leaders are looking for the root of this problem, and limited hospital data security appears to be a good place to lay blame. Many hospitals do not have upper-level information security personnel; most also spend very small percentages of their Information Technology budgets on security. As more healthcare organizations move toward storing their patients’ information on the Internet, increased security must be utilized, yet many organizations have admitted to using “openly exploitable [security options] (such as default admin passwords)” as the only line of security for their patient information. Cyber criminals are readily exploiting these gaps in security.
To add to the complications, “[f]or many organizations governed by stringent regulations such as the Healthcare Insurance Portability and Accountability Act (HIPAA), compromises and breaches lead to massive fines.” Healthcare organizations that have suffered a breach of security are likely to be liable for damages to the patients whose information is leaked. WellPoint, an insurer, paid nearly two million dollars in damages for leaked information in 2013, which WellPoint admitted was a mere “fraction” of the total costs incurred by the breach, including other costs for new investments. And the costs may be compounded by the fact that many healthcare organizations do not become aware of the security breach right away, if ever. Organizations were asked about their experience with cyber security breaches, and their responses indicated that “[m]any of the organizations took months to detect their compromised positions or never did.”
Even if compensation is paid to patients harmed by cyber attacks, the attacks are still likely to cost patients money in the long term.  If healthcare organizations are forced to pay large settlement costs, those costs will be passed on to their consumers—meaning higher cost of healthcare. “While most consumers are shielded against ecommerce-related theft and fraud expenses, they are responsible for costs related to compromised medical insurance records and files – costs that reached $12 billion in 2013.”
The healthcare industry is alarmingly far behind in some aspects of information security. This has led to a strikingly high number of cyber attacks, which have left the private information and even the safety of patients and clients in question, and which without effective measures may have larger and more chronic economic effects. Fortunately, awareness of the issue is increasing, and the hope is that healthcare organizations will heed the warning. “Until they do that, the industry is going to struggle.”