• Skip to main content
  • Skip to secondary menu
  • Skip to primary sidebar
  • Skip to secondary sidebar
  • Skip to footer

  • Opinion
  • Health IT
    • Behavioral Health
    • Care Coordination
    • EMR/EHR
    • Interoperability
    • Patient Engagement
    • Population Health Management
    • Revenue Cycle Management
    • Social Determinants of Health
  • Digital Health
    • AI
    • Blockchain
    • Precision Medicine
    • Telehealth
    • Wearables
  • Startups
  • M&A
  • Value-based Care
    • Accountable Care (ACOs)
    • Medicare Advantage
  • Life Sciences
  • Research

As Health IT Matures, Security Approaches Must Mature With It

by Irv Lichtenwald , CEO of Medsphere Systems Corporation 01/28/2016 Leave a Comment

  • LinkedIn
  • Twitter
  • Facebook
  • Email
  • Print

Infographic: History of Security Data Breaches in Healthcare

Irv Lichtenwald, Medsphere Systems CEO
Irv Lichtenwald, Medsphere Systems CEO

Not that long ago, healthcare worried mostly about the physical loss of personal health information (PHI) by way of a lost thumb drive, a stolen laptop, some misplaced paper files. These were the primary concerns in HIMSS initial security survey, published in 2008. It wasn’t until five years later, in 2013, that the largest healthcare security breaches came from cyberattacks instead of lost or stolen devices.

So, is it encouraging to see how far the rapid pace of change has carried health IT in just a few years? Well, yes and no. Growth is good, but it always presents a new set of challenges.

To be sure, healthcare has joined the rest of the wired world as a frequent target of technically skilled ne’er-do-wells. In 2014, cyber breaches in the form of systems hacking, credit card skimming and phishing (obtaining sensitive personal data by pretending to be someone trustworthy) totaled 29 percent of all security breaches. In 2015, that number rose to 38 percent.

Expect the trend to continue.

And expect it to get more complicated based on what’s happening in other industries. You may, for example, remember an interesting experiment last summer in which hackers demonstrated the susceptibility of a car’s onboard computer system by taking control of a Jeep going 70 miles per hour on a freeway outside St. Louis.

“Immediately my accelerator stopped working,” writes Andy Greenberg in a Wired magazine article on the car sabotage. “As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.”

The hurtling SUV hijinks are just one example of the Internet of Things (IoT), the global network of tangible objects (a Jeep, for example) with embedded sensors, software and hackable Internet connections. Where cyber masterminds used to have to access a car’s diagnostic port to tap the computer, now they can do so wirelessly.

Of course, the commonality of sensors and software make most devices potentially hackable. So, what might hackers do if they can gain remote control of healthcare devices? The prospects are a bit chilling. Imagine where that Jeep might have gone with black-hat hackers at the keyboard.

“We may soon be looking at insertables—implants, pacemakers, insulin pumps—becoming targets of cyber-terrorists,” says Ponemon Institute Chairman and Founder Dr. Larry Ponemon in a Healthcare IT Newsarticle. “And this is not science fiction. It’s already been demonstrated.”

Nightmarish movie scenarios are unlikely, but hackers are already able to install ransomware on computers that holds data hostage until the owner pays a ransom to recapture control.

“It’s a bit like thieves sneaking into your home, and rather than carting away the TV, stuffing your jewelry and electronics into an impenetrable trunk,” explains Kaveh Waddell in The Atlantic. “Then they try to sell you the key.”

As Waddell reports, one hacker made $1 million in a single day off desperate computer users, and the FBI says some viruses are so good the easiest path is to just pay the ransom—usually in the $300 to $750 range.

“There is cause for concern,” according to a report by the Health Research Institute at PriceWaterhouseCoopers (PwC). “2015 saw the first-ever government warning that a medical device was vulnerable to hacking—an infusion pump officials warned could be modified to deliver a fatal dose of medication.”

Of course, hacks, ransomware, phishing scams and the like are not just happening in healthcare. Analysts estimate banking lost roughly $1 billion to cybercrime between late 2013 and early last year. Last summer, JP Morgan reported that hackers had accessed a database with information for 76 million households and 7 million small businesses.

As one might expect, these incidents are only a drop in the bucket. As a former executive with a financial portfolio management software firm, I know the assault on financial institutions is relentless, despite constant and detailed efforts to improve security. After all, as Willie Sutton reportedly said when asked why he robbed banks, “Because that’s where the money is.”

But what if hackers, en masse or gradually, were to figure out that hospitals were actually pretty lucrative and easier pickings? There’s not much reason to think that hasn’t happened already. Consider the Anthem breach last year and PwC analysis showing that 85 percent of large healthcare organizations experienced a breach in 2014 with 18 percent costing more than $1 million to fix.

Sutton’s logic applies to healthcare organizations, too. Hackers will go after the big ones because that’s where the money is, but there’s no reason to think it will end there. If a small hospital can be held hostage for $300 in ransom, why should we think they won’t be? After all, the urgency associated with unlocking an infusion pump will be greater than regaining access to vacation photos. More urgency equals more rapid payment, and more frequent hostage taking if security doesn’t improve.

While healthcare has not been a major hacking target for that long, the security recommendations and requirements that anticipated these scenarios have been around for a while in the form of regularly updated HIPAA regulations. These regulations require hospitals to establish a security framework – basic procedures like access control and user education. Unfortunately, they provide little in the way of specific strategies and tactics like regular penetration testing, clear reporting procedures, or how to perform periodic testing and training. Hospitals and health systems must make their own decisions to ensure that their overall environment is secure.

I have no doubt all healthcare enterprises believe they are doing their best to protect PHI and patient financial information. But there are still disconnects. Even the most security-aware technical staff is limited by budget restraints. Even the most focused administrator has a lot of moving parts to manage and fund. And HIPAA requirements leave some security preparation wiggle room based on the size and resources of the facility.

Ultimately, the security decision calculus must be driven by risk—by what a hospital or health system is vulnerable to—not what it can marshal the resources to defend against. And understanding risk has little reward if you don’t invest the time and money to mitigate it.  In our connected world, we pay for security or we pay for lack of security. There can be little doubt that the latter is more affordable—to say nothing of predictable—in the long run.

  • LinkedIn
  • Twitter
  • Facebook
  • Email
  • Print

Tap Native

Get in-depth healthcare technology analysis and commentary delivered straight to your email weekly

Reader Interactions

Primary Sidebar

Subscribe to HIT Consultant

Latest insightful articles delivered straight to your inbox weekly.

Submit a Tip or Pitch

Featured Insights

2025 EMR Software Pricing Guide

2025 EMR Software Pricing Guide

Featured Interview

Kinetik CEO Sufian Chowdhury on Fighting NEMT Fraud & Waste

Most-Read

Blue Cross Blue Shield of Massachusetts Launches "CloseKnit" Virtual-First Primary Care Option

Blue Cross Blue Shield of Massachusetts Launches “CloseKnit” Virtual-First Primary Care Option

Osteoboost Launches First FDA-Cleared Prescription Wearable Nationwide to Combat Low Bone Density

Osteoboost Launches First FDA-Cleared Prescription Wearable Nationwide to Combat Low Bone Density

2019 MedTech Breakthrough Award Category Winners Announced

MedTech Breakthrough Announces 2025 MedTech Breakthrough Award Winners

WeightWatchers Files for Bankruptcy to Eliminate $1.15B in Debt

WeightWatchers Files for Bankruptcy to Eliminate $1.15B in Debt

KLAS: Epic Dominates 2024 EHR Market Share Amid Focus on Vendor Partnership; Oracle Health Sees Losses Despite Tech Advances

KLAS: Epic Dominates 2024 EHR Market Share Amid Focus on Vendor Partnership; Oracle Health Sees Losses Despite Tech Advances

'Cranky Index' Reveals EHR Alert Frustration Peaks Midweek, Highest Among Admin Staff

‘Cranky Index’ Reveals EHR Alert Frustration Peaks Midweek, Highest Among Admin Staff

Madison Dearborn Partners to Acquire Significant Stake in NextGen Healthcare

Madison Dearborn Partners to Acquire Significant Stake in NextGen Healthcare

Wandercraft Begins Clinical Trials for Physical AI-Powered Personal Exoskeleton

Wandercraft Begins Clinical Trials for Physical AI-Powered Personal Exoskeleton

Chipiron Secures $17M to Transform MRI Access with Portable Scanner

Chipiron Secures $17M to Transform MRI Access with Portable Scanner

Abbott to Integrate FreeStyle Libre Glucose Data with Epic EHR

Abbott to Integrate FreeStyle Libre Glucose Data with Epic EHR

Secondary Sidebar

Footer

Company

  • About Us
  • Advertise with Us
  • Reprints and Permissions
  • Submit An Op-Ed
  • Contact
  • Subscribe

Editorial Coverage

  • Opinion
  • Health IT
    • Care Coordination
    • EMR/EHR
    • Interoperability
    • Population Health Management
    • Revenue Cycle Management
  • Digital Health
    • Artificial Intelligence
    • Blockchain Tech
    • Precision Medicine
    • Telehealth
    • Wearables
  • Startups
  • Value-Based Care
    • Accountable Care
    • Medicare Advantage

Connect

Subscribe to HIT Consultant Media

Latest insightful articles delivered straight to your inbox weekly

Copyright © 2025. HIT Consultant Media. All Rights Reserved. Privacy Policy |