A Washington Post news report in August this year came as a shock to many Americans who believed, until then, that their medical records were for their eyes only. Chinese hackers stole data pertaining to a whopping 4.5 million patients from a company that runs over 200 hospitals spread across the US. The massive data breach raised some serious concerns about how private medical records are and exactly what various health care organizations are doing to keep this sensitive information completely confidential like it ought to be.
In fact, the first question in the mind of every patient who has ever paid a visit to their physician is: Is my hospital doing anything at all to safeguard my privacy? The shocking answer is that your health care provider may think they have effective security to protect sensitive health information, but chances are that there are any number of loopholes in the system that make it highly vulnerable to outsiders.
Why Hack Medical Records?
Another question that arises is: how are medical records valuable to hackers? How can they be used? The fact is that medical records come complete with a great deal of critical personal information that hackers can misuse in a variety of ways. For example, in the Community Health Systems hack that is suspected to have originated in China, the hackers made off with names, birth dates, addresses, phone numbers and, most importantly, Social Security numbers.
Apart from this data, medical records, especially billing records, may also contain highly sensitive information like credit card details or bank account details that can be used by the hacker to skim the patient’s account. Although the Community Health Systems hack did not expose this kind of financial information, there is no guarantee that the next security breach will not include it as well. There is no doubt that effective preventive steps need to be taken immediately to address this weakness.
Implementation of a standardized code of best practices is an excellent first step that can integrate security with the medical care provider’s systems so that the patient’s information is protected right from the time their data is entered into the system. One in ten Americans has experienced a medical data breach, according to an Advisory.com report.
Hospital Equipment is Highly Vulnerable to Hackers
The problem does not just concern data breaches and possible misuse of such sensitive data by unscrupulous persons. It encompasses security lapses that have the potential to create life-threatening situations. A recent wired.com report highlighted how medical equipment gets scant attention when it comes to security problems. After a review of the existing systems at a chain of Midwest health care facilities, researcher Scott Erven, who heads the information security division at Essentia Health, made some truly shocking discoveries.
Erven found that the hospital’s systems are vulnerable in most cases because they leak critical data to the internet. This could include information about all the computers and devices that are part of the hospital’s network. Access to this kind of information allows hackers to carry out focused attacks on specific machines or segments of the hospital. By infecting just a single piece of equipment connected to the network, hackers can easily gain access to all of the others as well as to medical data stored on the hospital’s servers. Apart from gaining access to critical and sensitive information, the hacker can also directly control settings of various life-supporting equipment such as embedded pacemakers.
Preventing Hacks for Safeguarding Patients
The need for strong security measures is very evident and it is equally clear that action needs to be taken right away. Some of the best practices to adopt to improve security and limit damage during breaches are:
Educating the hospital’s top management about the impact of poor security and its consequences on patient retention will help. The education should include creating awareness about using strong passwords at all entry points to make it difficult for outsiders to simply get access by guessing the right combination of words, letters and characters.
Assessing the hospital’s firewalls and security measures, as well as reviewing the security levels of third-party networks to which the hospital’s network is connected.
Making equipment on the network difficult to identify so that hackers cannot quickly home in on highly vulnerable machines or equipment to cause a disruptive attack.
Establishing a security breach response team that can quickly act when a breach is detected so that the damage can be minimized.
Several such best practices have been outlined by Erven and his team to keep medical data and hospital networks safe from unauthorized access. It remains to be seen how seriously hospitals take this issue and how speedily they act upon Erven’s dramatic findings.