At least 81% of major healthcare or health insurance companies had a data breach in the past two years

High-stakes medical networks still lack high-stakes cybersecurity protection

A recent report by auditing service KPMG confirms what most Americans probably suspected already: personal data held by hospitals and health insurance companies is extremely insecure. Indeed, KPMG says that 81 percent of hospitals and health insurance companies suffered a data breach in the past two years.

"Extremely hackable" health care system

The hackability of American health care won't surprise anyone who's paid attention. Consider this partial sampling of hacks dating back only to summer 2014: that August, the for-profit hospital network Community Health Systems admitted that Chinese hackers had breached their network and stolen confidential data on more than 4.5 million patients. The following February, the Anthem health-insurance network admitted that hackers had stolen up to 80 million medical records dating back to 2004.

In March, Premera Blue Cross admitted to a breach compromising 11 million medical and financial records dating back to 2002. CareFirst Blue Cross/Blue Shield admitted to a hacking in May: “only” 1.1 million records were compromised that time. In mid-July, the UCLA Health System admitted that 4.5 million patient records were at risk from a hacking UCLA had discovered two months earlier.

In May – around the same time that the UCLA hacking occurred, though two months before any affected patients were notified of it – Larry Ponemon, of the Ponemon Institute, and Rick Kam, of ID Experts, co-wrote an article for the Dark Reading security blog suggesting outright that “escalating cyberattacks threaten U.S. healthcare systems… Imagine a hostile nation-state with your psychiatric records. Or an organized crime ring with your child’s medical file. Or a disgruntled employee with your medical insurance information.”

And stealing medical or financial records isn't the worst thing hackers might do to hospital patients, either. Early last month, the Food and Drug Administration issued an alert advising hospitals and medical centers to stop using a certain model of wireless-connected intravenous pump because hackers could exploit a security vulnerability to remotely seize control of a patient's IV; it would allow hackers to make potentially fatal alterations to the amount or type of drugs administered.

Matter of national security

Such anecdotes arguably painted a bleak-enough picture of American medical cybersecurity, even before KPMG released its report with that dismal 81-percent statistic.

Greg Bell, KPMG's Cyber US Leader, said “These are all incidents where they have determined they lost data. This wasn't just a malware or a virus infection – it actually went to exfiltration.”

To produce the report, which is available as a .pdf file here, KPMG analyzed a survey of 223 senior security or technology executives from health care organizations with more than $500 million in annual revenues. “Apart from typical financial fraud, there is also the possibility of medical insurance fraud, or, in the case of providers, attacks on computer-controlled medical devices. As this is the largest part of the U.S. economy and a safeguard of peoples’ well-being, healthcare is a matter of national security,” KPMG explained in the report's executive summary.

Yet despite such high stakes, “the healthcare sector lags in terms of its preparedness for cyber threats.… In terms of technical capabilities, the healthcare industry is behind other industries in protecting its infrastructure and electronic protected health information.”

And even that 81-percent statistic might be understating the threat. KPMG's Michael Ebert suspects that many healthcare and health insurance organizations might actually be understating or underreporting various cybersecurity threats – not through deliberate dishonesty, but because they genuinely don't know the truth. “They are probably compromised and don’t even know it,” Ebert said.

Indeed, among the healthcare executives KPMG interviewed, 25% said that “based on their organization’s current protection systems, they don’t have or don’t know their capabilities, in real time, to detect if their organization’s systems are being compromised.” (And a cynic might suggest the other 75% suffer from overconfidence.)