As hackers look to broaden their horizons and see what else can be stolen and turned into illegal profits, experts are warning that the healthcare industry could be in their sights. According to a lengthy article published in The Washington Post, the widespread use of electronic health records, connected devices and other medical tools and apps has left the industry ripe for the picking.
“I have never seen an industry with more gaping security holes,” said Avi Rubin of the Information Security Institute.
“If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.”
The Washington Post documents numerous cases of the stunning lack of cybersecurity in the healthcare industry. In one example, University of Chicago Medical Center residents found that they could access the records of thousands of patients that had been stored in a shared Dropbox folder. Meanwhile, the open-source medical record platform OpenEMR was described as having numerous flaws, with security that hackers could easily circumvent. According to the Post, many of the weaknesses were so basic that it likened them to “security 101”.
Admittedly, medical data probably isn’t going to be as profitable for hackers as something like the Bank of America’s entire database of user accounts would be, but the wealth of personal information available could well be very useful for carrying out fraud and identity theft. And there are other risks too – for example, one researcher told the Post how he managed to hack into a secure drug dispenser via a web browser, gaining control over it and dispensing as many drugs as he wished.
One of the biggest problems is that security guidelines are in dire need of an overhaul. According to the report, the last time the government updated its computer security guidelines for the health industry was in 2005, and so it hardly comes as a surprise that many hospitals and facilities are failing to keep up with best practices.
Perhaps even more worrying than the numerous vulnerabilities exposed by the investigation is the evidence that hackers are already beginning to exploit the healthcare industry. The Department of Veterans Affairs reported that almost 200 medical devices were infected by malware over the last two years, while this year it was reported that cybercriminals managed to hack into a server used to store Medicaid data and steal the records of 24,000 Utah patients.