BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
At a 2011 hacker convention, just to prove he could, a hacker demonstrated he could control his implanted insulin pump with a $20 wireless transmitter. In a related experiment, a McAfee Inc. researcher demonstrated that he could wirelessly hack a pacemaker to deliver an 830-volt shock from 50 feet away.
It's all fun and games until someone is assassinated. And you're the CIO on the hook for vulnerable facility devices and a lack of patient data security.
Medical cybercrime is the next frontier when it comes to health care.
white hat hacker
Echemendia outlined how cloud storage systems and desktop virtualization offer new vulnerabilities that hackers can exploit. "Everything now is an application; everything now is an app. The truth is most hackers, malicious or otherwise, no longer focus on the network; they don't care about it. What we really care about is the application, because the application has data."
Criminals, Echemendia said, are still mostly accessing data because they can resell it to other criminals, or steal things themselves by using it. In his presentation he outlined some of the next-generation threats to patient data security, as did a panel at the PHI Protection Network Forum in Cambridge, Mass., which included Gary Gordon, managing partner at Bluewater International; Debbie Wolf, principal at Booz Allen Hamilton; James Christiansen, chief risk officer at RiskyData; and Allison Dolan, privacy project specialist at Massachusetts General Hospital.
They suggested health care CIOs hardwire the following threats into their organizations' HIPAA risk assessments of technologies that are in use or of those that are planned to be part of future implementations:
- Used hard drives: Google this phrase or search on eBay. Your research will probably show that they sell for a lot more than new ones cost, and that's because unencrypted, used data on the drives is more valuable than the hardware itself.
- Online documents: Google has means of searching for specific document formats (i.e. "filetype:doc", "filetype:PDF", etc.), and any document your organization has uploaded to a website can be found this way. Metadata, passwords, even content that has been deleted on the screen but retained and viewable within, for example, a Word doc's history (Echemendia pointed out that new documents aren't always new, but rather "save as" versions of old documents). Live from his presentation, he manipulated the search operators and quickly Googled an unencrypted database containing 2,400 veterans' Social Security numbers that also included other data points such as date of birth -- handy validators for identity thieves ready to use them.
- Data held hostage: Hackers are taking a more direct approach to monetizing their thefts by stealing data and demanding ransoms for its return, which actually happened to a small, suburban Chicago medical practice.
- Counterfeit medical devices: Related to the hackable devices mentioned at the beginning of this story, counterfeits can be intentionally or unintentionally left open to hacking. That can be attributed to insecure supply chains.
- Shredded documents: Argo may have won the best picture Academy Award because of its thrilling story of Americans escaping Iranian hostage-takers in 1979, but it also has a lesson for hospitals protecting patient data and data thieves looking for creative new ways to access it: Yes, it's true that Iranian authorities reassembled shredded documents to pursue the movie's heroes, and yes, that reveals a patient data vulnerability. The fix? Use next-generation cross-cut shredders for document disposal.
- Hacktivists and state-sponsored attacks: While it's not on the radar right now, security experts worry that groups such as Anonymous could target health care companies with whom the shadowy hackers disagree. Far scarier are the much more stealthy, organized "advanced persistent" malware threats sponsored by government entities. They're sophisticated enough to sit on networks undetected until the bad guys decide to make their move, as opposed to "noisy" hacker attacks that are quite evident in their brute-force appearance.
- Celebrity patients: Famous patients can be actual celebrities or popular athletes, or just someone in this morning's local paper identified as an accident victim whom people are curious about. Because more access is granted to records through electronic health record (EHR) systems and mobile devices hooked to them, these records carry more risk than the average patient and should be monitored accordingly.
- Social media sites: Hackers are infusing social media sites with malware that can burrow into networks; or, like the above ransom example, hold a computer hostage by locking it and the data on it for a monetary sum. Christiansen said he experienced a $200 ransom demand on his own laptop when he clicked on a LinkedIn link that led to malware.
- Business associates in general: It will be "staggering" to monitor all the companies with whom your hospital is working to make sure they have proper risk assessments and physical controls in place, Christiansen said. The number of business associates a medium-sized hospital might have could number into the thousands. Auditing each one to make sure they have read your business associate agreement before signing will be nearly impossible for the CIO and compliance staffers involved with administering them, let alone confirming they have the policies, risk assessments, encryption and other security technologies, as well as physical access controls in place.