Why hospitals should be scared of cyberattacks

If you are a CEO or COO of a health care organization, and your IT people have been trying to get your attention, it’s time to have a serious sit-down with them.

If they haven’t been trying to get your attention, it’s time to have an more serious sit-down with them, complete with charts and graphs and arrows on fip charts.

Here’s why.

Remember in November it was revealed that the Target retail chain’s computer systems were compromised? Some 70 million names, home addresses and phone numbers were stolen (pretty good raw material for identity theft) and 40 million credit card numbers.

It has turned out since then that some two dozen other companies, including Neiman Marcus, the Michael’s arts-and-crafts chain and the White Lodging Services hotel management firm, have been hacked in similar ways, with the attackers software sitting in the companies’ servers, credit card machines and cash registers often for months before they were detected, sucking down every transaction, every bit of data moved about.

Hey wait, you say, I have every confidence in our computer security. Why we passed a security audit just recently.

Heh. So did Target — just before they discovered the break-in. They got a clean bill of health, and the auditors failed to find the malware installed on every server, every credit card terminal, every cash register.

Why? Because the attackers have gotten way more sophisticated, and they used new techniques and methods of entry. You can now buy ready-made hacking software designed to do this on the Internet for less than $1000.

Here’s the kicker.

Target has security guards at the doors, it has those beeper tags on small high-value items so you can’t sneak them out without paying for them, it has burglar alarms — but the perps in the biggest heist in the company’s history entered through the thermostat.

Got that? The thermostat.

Big-box stores have pretty sophisticated HVAC. Hospitals have much more sophisticated HVAC systems. Big-box stores typically outsource the management of such systems to outside firms. Most hospitals do the same. The outside contractor monitors and controls the HVAC over the Internet.

All the sensors, thermostats, switches, control valves and such report to software on the store’s servers. To allow this, the outside contractor is given password-controlled access to the store’s computer system.

How many of your systems, such as HVAC, water/sewage, security, and so on, are connected to the Internet, so that they can be remotely monitored? If you’re doing it right, there are a lot of them, and many are outsourced. Think about that, then read these two paragraphs from a New York Times article the other day:

Remote access to these systems is really common and integrators are almost always on the corporate network,” said Billy Rios, director of threat intelligence at Qualys, a cloud security firm. Mr. Rios said that the security at such companies tended to be poor and that vendors often used the same password across multiple customers.

Over the last two years, Mr. Rios and Terry McCorkle, also of Qualys, said that they found 55,000 HVAC systems connected to the Internet. In most cases, they said, the systems contained basic security flaws that would allow hackers a way into companies’ corporate networks, or the companies installing and monitoring these systems reused the same remote access passwords across multiple clients.

If that didn’t make your blood feel like it’s been run through a chiller, it ought to. How certain are you that your patient and payment information is separated by an impenetrable wall from your plant-monitoring information? What about your system makes it invulnerable to this style of attack? How is the data in your system encrypted against anyone who might penetrate the firewall?

Hey wait, you say, we’re not a high-value target. We don’t have millions of credit card numbers. And why would anyone want to steal millions of health plan account numbers? Or even millions of medical histories?

Maybe you’re right. But think about this: We are in the middle of a massive move not only to computerize the entire patient experience, but to pull together all the different pieces into comprehensive records that include enormous amounts of personal information, from address and credit card information to sexual health, addiction and other embarrassing private stuff.

Keep in mind that the ACA and other recent changes will greatly ramp up the amount of substance abuse and other behavioral health issues that are covered as part of the mainstream record.

Now picture a black hat advertising on hacking forums: “We can get you the medical records of anyone — any celebrity, wealthy person, or blackmail target.” And they can say that because they have penetrated the nets of information that flow between hospitals and payers, as well as the internal systems of hospitals and clinics.

But it’s even more important than that. Health systems, clinics, and hospitals depend on their customers having a feeling of trust and safety in bringing their problems and medical details to you. If people feel that you’re a sieve, they will take their problems elsewhere. You seriously do not want your institution named in a headline about a data breach.

So CEOs, COOs: Time for a good long detailed talk with your IT people.

Joe Flower is a healthcare speaker, writer, and consultant who blogs at Healthcare Futurist: Joe Flower

Leave a Comment

Most Popular

Get KevinMD's 5 most popular stories.