Since last summer, four major medical-themed hackings have been discovered somewhere in America, in addition to the seemingly endless stream of new retail and bureaucratic hackings reported every week or so – and finally, the healthcare industry is growing into the realization that if it's going to store confidential data on hackable networks, maybe it ought to make those networks less hackable, too.
Last August, a for-profit hospital network called Community Health Systems, which owns and operates 206 hospitals in 29 states, admitted that Chinese hackers had broken into their network and stolen data from more than 4.5 million patients.
The Chinese were also blamed for the three major health-insurance hackings discovered so far this year. In February, Anthem admitted that hackers had compromised the records of 80 million current and former Anthem customers dating back to 2004.
In March, Premera Blue Cross admitted to a breach compromising 11 million medical and financial records dating back to 2002. And in May, CareFirst Blue Cross/Blue Shield discovered a breach compromising up to 1.1 million customer records.
Things have gotten bad enough that last week, Larry Ponemon of the Ponemon Institute and Rick Kam of ID Experts wrote an op-ed going so far as to suggest that these “escalating cyberattacks threaten U.S. healthcare systems. … Imagine a hostile nation-state with your psychiatric records. Or an organized crime ring with your child’s medical file. Or a disgruntled employee with your medical insurance information.”
Indeed, if you're an American, there's a 1 in 3 chance your health records have already been hacked – and remember that Anthem, Premera and CareFirst almost certainly are not the only health-insurance providers to have been hacked, merely the only ones to have discovered and admitted this so far.
From a thieving hacker's perspective, stolen medical records are much more valuable than financial records. Jim Trainor, from the FBI's cyber security division, said this about the black-market value of various types of stolen data bought and sold by identity thieves: “Credit cards can be say five dollars or more, where [protected health information] records can go from 20 say up to — we've even seen $60 or $70.”
And from a victim's perspective, medical identity theft is probably the worst kind of all. In February, when the Medical Identity Fraud Alliance (MIFA) released its Fifth Annual Study on Medical Identity Theft, the study reached some sobering conclusions:

In 2014, there were more than 2 million victims of medical identity theft in the United States, almost half a million more than in 2013.
What's worse is that, compared to other forms of identity theft, victims of medical identity theft are more likely to suffer personal financial consequences as a result.
Victims of credit card or similar forms of financial fraud are not expected to pay out of pocket to resolve the problem – but victims of medical identity theft often have to. MIFA's report said that 65% of medical identity theft victims paid more than $13,000 to fix it, including payments to legal counsel, healthcare or health insurance providers, and identity-protection services. That's in addition to the average of 200 hours of time the typical victim had to spend on the issue.
And today, Politico published a report explaining how the healthcare industry is finally starting to address such problems: “After spending billions to install computerized documents in hospitals and networks, it now must spend billions more to make them secure.”
The strange thing is that, despite the near-ubiquity of hacking stories in general, plus the growing knowledge that healthcare hacking in particular is especially threatening,
… many in health care [are] finding it difficult to believe they are targets.
One of [Chief Security Officer Jim] Nelms’ first efforts at [the] Mayo [Clinic] was to get 20,000 employees to switch to a dual recognition system, which uses frequently changing pass codes. He encountered disbelief at first. “A lot of the response was, ‘We live in a cornfield in the middle of Minnesota,’” he said. “’Who wants to hurt us? Who can even find us here?’”
(Answer: pretty much anybody with an Internet connection plus enough web savvy to type “Mayo Clinic” into a search engine.)
Medical records aren't the only things being connected to hackable networks; medical devices are, too.
There’s a growing awareness among hospital officials that the hundreds of devices they use — the crash carts, insulin pumps, heart monitors and other machines integral to daily care — are really computers connected to a network, and entirely hackable, said Anthony Coronado, biomedical engineering manager at Renovo Solutions in California.
The episode of Showtime’s “Homeland” TV drama in which a terrorist in a basement remotely turns off a senator’s pacemaker has never occurred, but “it’s only a matter of time before it does,” said James Carder of cyber firm LogRhythm.
Internet of things/thugs
To be fair, this security blind spot is hardly unique to the healthcare industry. After all, the constant stream of mass hackings hasn't slowed the expansion of the so-called “Internet of things.”
In January, the Federal Trade Commission issued a Captain Obvious warning reminding people that Internet-enabled thermostats, smoke alarms, home-security systems, baby monitors, cars and other things run the same security risks as anything with an Internet connection.
The following month, Senator Ed Markey of the Commerce, Science and Transportation Committee released a disturbing study showing that “Nearly 100 percent of [new] vehicles on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.” In other words: almost every new car is equipped with hackable systems.
Last October, security researchers discovered a flaw in mandatory smart electricity meters that would enable a hacker to “turn off the lights in a city or neighborhood.”
Although maybe none of this is surprising, once you remember that the Internet – formerly known as the “information superhighway” – was built specifically to make it easier for computers or computerized devices to share information, whereas computer or online “security” tries to do the exact opposite: keep information secret.
You can make it easier to share something, or you can make that something harder to steal – but using the same tool to do both at once hasn't been working too well.
There's a common cliché about belated security measures: “Locking the barn door after the horse is already stolen.” But for the insecure-Internet era, maybe the cliché needs a little updating: “Locking the barn door? Great idea, definitely worth adding to our 'to-do' list, but locking the door now would be really expensive and inconvenient.
Let's focus on replacing those stolen horses first. And while we're at it, why not keep even more of our valuables in the horse barn? Sure would be a shame to waste all that newly vacant stable space, after all.”