Skip to content
  • About
  • Contact
  • Contribute
  • Book
  • Careers
  • Podcast
  • Recommended
  • Speaking
  • All
  • Physician
  • Practice
  • Policy
  • Finance
  • Conditions
  • .edu
  • Patient
  • Meds
  • Tech
  • Social
  • Video
    • All
    • Physician
    • Practice
    • Policy
    • Finance
    • Conditions
    • .edu
    • Patient
    • Meds
    • Tech
    • Social
    • Video
    • About
    • Contact
    • Contribute
    • Book
    • Careers
    • Podcast
    • Recommended
    • Speaking

Why hospitals should be scared of cyberattacks

Joe Flower
Tech
February 18, 2014
239 Shares
Share
Tweet
Share

If you are a CEO or COO of a health care organization, and your IT people have been trying to get your attention, it’s time to have a serious sit-down with them.

If they haven’t been trying to get your attention, it’s time to have an more serious sit-down with them, complete with charts and graphs and arrows on fip charts.

Here’s why.

Remember in November it was revealed that the Target retail chain’s computer systems were compromised? Some 70 million names, home addresses and phone numbers were stolen (pretty good raw material for identity theft) and 40 million credit card numbers.

It has turned out since then that some two dozen other companies, including Neiman Marcus, the Michael’s arts-and-crafts chain and the White Lodging Services hotel management firm, have been hacked in similar ways, with the attackers software sitting in the companies’ servers, credit card machines and cash registers often for months before they were detected, sucking down every transaction, every bit of data moved about.

Hey wait, you say, I have every confidence in our computer security. Why we passed a security audit just recently.

Heh. So did Target — just before they discovered the break-in. They got a clean bill of health, and the auditors failed to find the malware installed on every server, every credit card terminal, every cash register.

Why? Because the attackers have gotten way more sophisticated, and they used new techniques and methods of entry. You can now buy ready-made hacking software designed to do this on the Internet for less than $1000.

Here’s the kicker.

Target has security guards at the doors, it has those beeper tags on small high-value items so you can’t sneak them out without paying for them, it has burglar alarms — but the perps in the biggest heist in the company’s history entered through the thermostat.

Got that? The thermostat.

Big-box stores have pretty sophisticated HVAC. Hospitals have much more sophisticated HVAC systems. Big-box stores typically outsource the management of such systems to outside firms. Most hospitals do the same. The outside contractor monitors and controls the HVAC over the Internet.

All the sensors, thermostats, switches, control valves and such report to software on the store’s servers. To allow this, the outside contractor is given password-controlled access to the store’s computer system.

How many of your systems, such as HVAC, water/sewage, security, and so on, are connected to the Internet, so that they can be remotely monitored? If you’re doing it right, there are a lot of them, and many are outsourced. Think about that, then read these two paragraphs from a New York Times article the other day:

Remote access to these systems is really common and integrators are almost always on the corporate network,” said Billy Rios, director of threat intelligence at Qualys, a cloud security firm. Mr. Rios said that the security at such companies tended to be poor and that vendors often used the same password across multiple customers.

Over the last two years, Mr. Rios and Terry McCorkle, also of Qualys, said that they found 55,000 HVAC systems connected to the Internet. In most cases, they said, the systems contained basic security flaws that would allow hackers a way into companies’ corporate networks, or the companies installing and monitoring these systems reused the same remote access passwords across multiple clients.

If that didn’t make your blood feel like it’s been run through a chiller, it ought to. How certain are you that your patient and payment information is separated by an impenetrable wall from your plant-monitoring information? What about your system makes it invulnerable to this style of attack? How is the data in your system encrypted against anyone who might penetrate the firewall?

Hey wait, you say, we’re not a high-value target. We don’t have millions of credit card numbers. And why would anyone want to steal millions of health plan account numbers? Or even millions of medical histories?

Maybe you’re right. But think about this: We are in the middle of a massive move not only to computerize the entire patient experience, but to pull together all the different pieces into comprehensive records that include enormous amounts of personal information, from address and credit card information to sexual health, addiction and other embarrassing private stuff.

Keep in mind that the ACA and other recent changes will greatly ramp up the amount of substance abuse and other behavioral health issues that are covered as part of the mainstream record.

Now picture a black hat advertising on hacking forums: “We can get you the medical records of anyone — any celebrity, wealthy person, or blackmail target.” And they can say that because they have penetrated the nets of information that flow between hospitals and payers, as well as the internal systems of hospitals and clinics.

But it’s even more important than that. Health systems, clinics, and hospitals depend on their customers having a feeling of trust and safety in bringing their problems and medical details to you. If people feel that you’re a sieve, they will take their problems elsewhere. You seriously do not want your institution named in a headline about a data breach.

So CEOs, COOs: Time for a good long detailed talk with your IT people.

Joe Flower is a healthcare speaker, writer, and consultant who blogs at Healthcare Futurist: Joe Flower. 

Prev

Will resident autonomy disappear completely in the future?

February 18, 2014 Kevin 3
…
Next

Obamacare supporters shouldn't cast a blind eye to its faults

February 19, 2014 Kevin 10
…

Tagged as: Health IT, Hospital-Based Medicine

Post navigation

< Previous Post
Will resident autonomy disappear completely in the future?
Next Post >
Obamacare supporters shouldn't cast a blind eye to its faults

More by Joe Flower

  • a desk with keyboard and ipad with the kevinmd logo

    Health care at half the cost: What will that actually look like?

    Joe Flower
  • a desk with keyboard and ipad with the kevinmd logo

    When will technology actually transform health care?

    Joe Flower
  • a desk with keyboard and ipad with the kevinmd logo

    Many will not survive the millions of new Medicaid recipients

    Joe Flower

More in Tech

  • AI is living up to its promise as a tool for radiology

    Hoag Memorial Hospital Presbyterian
  • I’m tired of being a distracted doctor

    Shiv Rao, MD
  • AI-driven diagnostics and beyond

    Michael Kirsch, MD
  • The need for adaptability is imperative in the era of artificial intelligence

    Harvey Castro, MD, MBA
  • Harnessing the power of gamification in mental health apps

    Carter Do and Thomas Pak, MD, PhD
  • Leveraging ChatGPT’s high IQ to assist doctors

    Harvey Castro, MD, MBA
  • Most Popular

  • Past Week

    • Reigniting after burnout: 3 physician stories

      Kim Downey, PT | Physician
    • I’m tired of being a distracted doctor

      Shiv Rao, MD | Tech
    • Inside the grueling life of a surgery intern

      Randall S. Fong, MD | Physician
    • The erosion of patient care

      Laura de la Torre, MD | Physician
    • Transforming primary care for physician well-being [PODCAST]

      The Podcast by KevinMD | Podcast
    • Family support is pivotal in the treatment of schizophrenia

      Frank Chen, MD | Conditions
  • Past 6 Months

    • Medical gaslighting: a growing challenge in today’s medical landscape

      Tami Burdick | Conditions
    • I want to be a doctor who can provide care for women: What states must I rule out for my medical education?

      Nandini Erodula | Education
    • Balancing opioid medication in chronic pain

      L. Joseph Parker, MD | Conditions
    • Reigniting after burnout: 3 physician stories

      Kim Downey, PT | Physician
    • I’m a doctor, and I almost died during childbirth

      Bayo Curry-Winchell, MD | Physician
    • Mourning the silent epidemic: the physician suicide crisis and suggestions for change

      Amna Shabbir, MD | Physician
  • Recent Posts

    • Transforming primary care for physician well-being [PODCAST]

      The Podcast by KevinMD | Podcast
    • COVID-19 unleashed an ongoing crisis of delirium in hospitals

      Christina Reppas-Rindlisbacher, MD, Nathan Stall, MD, and Paula Rochon, MD | Conditions
    • Doctors and disability insurance: Protecting your income

      Amarish Dave, DO | Finance
    • Emergency care nightmare: the urgent need for experienced nurses

      Rachel Basham, RN, CCRN | Conditions
    • Physicians have no autonomy. Here’s how to change that.

      Diane W. Shannon, MD, MPH | Physician
    • Understanding intersex health care [PODCAST]

      The Podcast by KevinMD | Podcast

Subscribe to KevinMD and never miss a story!

Get free updates delivered free to your inbox.


Find jobs at
Careers by KevinMD.com

Search thousands of physician, PA, NP, and CRNA jobs now.

Learn more

Leave a Comment

Founded in 2004 by Kevin Pho, MD, KevinMD.com is the web’s leading platform where physicians, advanced practitioners, nurses, medical students, and patients share their insight and tell their stories.

Social

  • Like on Facebook
  • Follow on Twitter
  • Connect on Linkedin
  • Subscribe on Youtube
  • Instagram

CME Spotlights

From MedPage Today

Latest News

  • Report: Persistence of Gender Inequalities in Cancer Care, and a Call to Action
  • Cancer Risk in NAFLD Higher With Early Disease Onset
  • FDA Displeased With Companies Purposely Adding Sesame to More Foods
  • COVID Vax Appointment Cancelled? New Shot Rollout Faces Challenges
  • Medical Residents Receive 100+ Job Offer Contacts, Survey Shows

Meeting Coverage

  • New Schizophrenia Treatments Are Coming: Don't Panic
  • Loneliness Needs to Be Treated Like Any Other Health Condition, Researcher Suggests
  • Stopping Medical Misinformation Requires Early Detection
  • AI Has an Image Problem in Healthcare, Expert Says
  • Want Better Health Outcomes? Check Out What Other Countries Do
  • Most Popular

  • Past Week

    • Reigniting after burnout: 3 physician stories

      Kim Downey, PT | Physician
    • I’m tired of being a distracted doctor

      Shiv Rao, MD | Tech
    • Inside the grueling life of a surgery intern

      Randall S. Fong, MD | Physician
    • The erosion of patient care

      Laura de la Torre, MD | Physician
    • Transforming primary care for physician well-being [PODCAST]

      The Podcast by KevinMD | Podcast
    • Family support is pivotal in the treatment of schizophrenia

      Frank Chen, MD | Conditions
  • Past 6 Months

    • Medical gaslighting: a growing challenge in today’s medical landscape

      Tami Burdick | Conditions
    • I want to be a doctor who can provide care for women: What states must I rule out for my medical education?

      Nandini Erodula | Education
    • Balancing opioid medication in chronic pain

      L. Joseph Parker, MD | Conditions
    • Reigniting after burnout: 3 physician stories

      Kim Downey, PT | Physician
    • I’m a doctor, and I almost died during childbirth

      Bayo Curry-Winchell, MD | Physician
    • Mourning the silent epidemic: the physician suicide crisis and suggestions for change

      Amna Shabbir, MD | Physician
  • Recent Posts

    • Transforming primary care for physician well-being [PODCAST]

      The Podcast by KevinMD | Podcast
    • COVID-19 unleashed an ongoing crisis of delirium in hospitals

      Christina Reppas-Rindlisbacher, MD, Nathan Stall, MD, and Paula Rochon, MD | Conditions
    • Doctors and disability insurance: Protecting your income

      Amarish Dave, DO | Finance
    • Emergency care nightmare: the urgent need for experienced nurses

      Rachel Basham, RN, CCRN | Conditions
    • Physicians have no autonomy. Here’s how to change that.

      Diane W. Shannon, MD, MPH | Physician
    • Understanding intersex health care [PODCAST]

      The Podcast by KevinMD | Podcast

MedPage Today Professional

An Everyday Health Property Medpage Today
  • Terms of Use | Disclaimer
  • Privacy Policy
  • DMCA Policy
All Content © KevinMD, LLC
Site by Outthink Group

Leave a Comment

Comments are moderated before they are published. Please read the comment policy.

Loading Comments...