CHICAGO -- As deputy assistant director of the FBI's Cyber Division, James Trainor now has healthcare cybercrime as a big part of his portfolio.
That's a big change.
Until the last few years, cybercriminals didn't have health IT data networks in their sights nearly as much as networks in other industries, such as finance, Trainor told a packed meeting room at the HIMSS 2015 conference.
Healthcare cybercrime on the rise
Now healthcare is considered a top target, Trainor said.
"The speed of these attacks and the volume with which they're occurring is increasing significantly," Trainor said. "It just requires a much more robust response across the U.S. government and private sector."
Major intrusions into healthcare providers' computer systems now are happening at the pace of two or three a day, the FBI agent said.
Meanwhile, health IT executives are now recognizing security as their most critical IT infrastructure need.
Homeland security aware of health data threat
Trainor's sentiments were echoed on a HIMSS 2015 security panel by Department of Homeland Security (DHS) contractor Kevin Hemsley, project manager at the Idaho National Laboratory supporting the DHS's Industrial Control Systems Cyber Emergency Response Team.
Hemsley concurred with some of Trainor's experience in dealing with the new healthcare cybersecurity threat: most of the incursions come from criminals in other countries, with about half the attacks coming from hackers who receive support from foreign governments.
Cyberattacks are not always motivated by a desire for financial gain, both law enforcement officials said. Sometimes they are a form of industrial espionage as hackers try to learn and replicate work processes of U.S. healthcare providers.
Internet of Things vulnerability
Hemsley also identified connected medical devices that are part of the fast-growing Internet of Things trend in health IT as a new source of worry for security officials and executives.
That is largely because the proliferation of the devices offers so many new points of entry to data systems, making not only security, but also safety, a worry, he said.
"Everything is interconnected," Hemsley said. "You can make devices do things they were not intended to do. When we connect this stuff directly to the Internet, we suffer the consequences."
Healthcare sometimes unprepared
For Trainor, one of health IT's biggest challenges is that security "is not really one of the core competencies of the industry." Rather, providing medical care is.
The industry's other vulnerabilities include the rapid growth of EHRs with their giant storehouses of health and financial data, and the bring-your-own-device culture of many healthcare providers, Trainor said.
Also, data in patients' medical records has a "longer shelf life" than financial data, for example, because financial accounts can immediately be frozen, Trainor noted. The greater longevity of the health data makes it more valuable, he said. Criminals can use it for prescription fraud, insurance fraud and identity theft.
FBI ready to respond to healthcare cyberattacks
Trainor urged health IT professionals to deal with data breaches right away and call in the FBI in the case of major incursions.
All were eventually widely publicized. But some other similar data losses don't get much public attention, Trainor noted.
"We contact victims every day to tell them they have a compromised network," Trainor said. "When a breach occurs it's better to be called sooner rather than later so we can identify quicker who the adversary is."