UPDATED 10:02 EST / MAY 01 2014

NEWS

FBI: Healthcare is stuck in 2004, susceptible to cyberattacks

In a warning to the industry, an FBI cybersecurity report has put healthcare providers on notice. Details first circulated by Reuters state that the healthcare industry is a decade behind the financial services sector on the cybersecurity front. At risk is a significant target made up of the insurance data and personal medical records of millions of Americans. That analysis is based on the well-known tendency of hackers to go after the softest and most valuable targets possible.

Hackers trade all kinds of data on the black market.  Health data, commonly known in the industry as Personal Health Information (PHI), is particularly valuable in comparison to credit card information because of its longevity and deeply valued details.  While credit cards are quickly canceled or flagged, health data gives hackers details that allow them to access other valuable personal accounts.

Criminals also find that victims of health data theft take longer to discover they have been victimized. ID fraud, medical fraud and employment fraud are but some of the potential outcomes of a successful healthcare data breach. Hackers are also known to be quite patient, often gathering this information over relatively long periods of time along with forged documents. This adds tremendous value to the stolen information and enables all sorts of fraud. Those facts should worry the public.

The FBI said in the notice:

“The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely”

Recipients of the notice were also told to report criminal and suspicious activities to their local FBI offices or the FBI’s 24/7 Cyber Watch.

The notice follows several prominent industry reports that peg the healthcare industry as vulnerable on a number of security fronts. For example, in February, SANS/Norse, an organization that trains people in cybersecurity, released a report that produced some shocking findings:

Credit card transaction information was found running from things like embedded devices, dialysis machines and other health-related devices that most people would never even think needed any protection.

The list of things they found is pretty incredible, from a list of all edge and security devices for one healthcare organization (including all the admin usernames and passwords) to a full blueprint of an entire hospital, complete with all the medical devices pointed out for the world to see.

What should be most alarming in light of this notice and series of reports is how regulated the healthcare industry is. Unfortunately, heavy regulation may lead people to assume that security is high. Explaining this healthcare security gap and why equating compliance with security is a false notion, Eddie Mize, a former Chief Information Security Officer from a major healthcare organization, stated in an interview:

“HIPAA and other regulations have become a roadmap to avoiding actual security.  What ends up happening is executives gain this false sense of confidence, which is totally undermined by actual threats. They end up thinking ‘We are compliant so we do not need to expend additional monies and effort of further security measures and awareness’.  It’s too common a pitfall.”

Pegging the healthcare industry as ten years behind is a rather broad brush stroke, one that averages in a number of responsible organizations that have prioritized security in the face of growing industry challenges. That being said, a decade is a rather large deficit to overcome anytime soon. With any luck, continued reports and alerts will help the industry make decisions that prioritize capital towards better security, piece by piece, until the health industry is on par with others.
