According to Symantec, only 6% of hospitals' IT budgets is devoted to cybersecurity. It is therefore no surprise that hospitals lag behind other industries in cybersecurity and are extremely vulnerable to having their patient information compromised.
Medical centers and hospitals are the next frontier for hackers
Aside from under-investing in cybersecurity, hospitals also struggle to recruit talent qualified to properly secure their networks, because Chief Information Officers often prefer to work in banking or oil rather than healthcare. Additionally, the sharing of information among several medical professionals lends itself to insecure practices with computer devices.
Because healthcare is such an interconnected industry, several different systems are linked together to improve the flow and sharing of information, making it easier to handle and treat patients efficiently. This arrangement is extremely beneficial to doctors. However, the same interconnectivity reduces the effort an attacker needs to reach sensitive information, because a foothold in one connected system brings the others within reach. That trade-off is not worth even a medical professional’s convenience.
Healthcare records are lucrative. They can be used to commit fraud and give unauthorized parties access to prescriptions, insurance, Medicare, and Medicaid information. Over time, such records also increase in value and can be held and exploited later. On the black market, healthcare information sells for more than any other personal record, at a price of $60. Social Security numbers follow at $15, and credit cards range from $1 to $3.
While devices such as pacemakers, insulin pumps, defibrillators, and infusion pumps keep people alive and make many lives easier to sustain, they also carry several known and unknown vulnerabilities. Internet-connected medical devices offer convenient features such as wireless connectivity, remote monitoring, and near-field communications that allow healthcare professionals to fine-tune implanted devices without conducting invasive procedures. However, attackers can abuse these same features to compromise the devices and gain access to the hospital network. Additionally, search engines that index Internet-connected devices have made more than 36,000 such devices discoverable, which further simplifies identifying and targeting medical devices.
Why does this matter?
Patients’ lives are at risk. The entire purpose of a healthcare system is to provide care, wellness, and healing services for those who are sick. However, the ability of these institutions to provide such services is hindered when patient information and the computer and network systems that doctors rely on are compromised. Misdiagnosing or mistreating a patient can lead to death, and the manipulation of medical devices can have the same result.
While death is the most serious result of a hospital hack, significant financial loss is an additional concern. Typically, hospitals don’t have thousands of dollars to pay a ransomware demand and restore their systems. Hospitals also cannot afford the fines levied for HIPAA violations. A breach also brings litigation costs from class action lawsuits, as well as a loss of patients. Because there are so many healthcare providers to choose from, if a hospital demonstrates that it cannot protect its patients’ data, those patients may be inclined to receive care elsewhere.
Consumers could become the victims of these nefarious actions. Buttons on infusion pumps can be remotely “pressed” to drain all of the drugs into a person at once. Insulin pumps can be manipulated to deliver a fatal dose of insulin. Pacemakers can be hacked to deliver a dangerous shock to the heart, and more.
If hackers obtain patient records, they can also commit identity fraud, which in turn makes it difficult for patients to verify their identity. Doctors also face the potential for medical malpractice claims, since manipulated patient data can lead to medical procedures that negatively affect a patient’s health and, as mentioned before, potentially cause death.
St. Joseph’s Health System in California experienced the consequences of compromised networks. In 2016, St. Joseph’s reached a $28 million settlement in a class-action lawsuit after patient data and medical histories were inadvertently exposed and became accessible through online search engines. Ultimately, the health system paid $7.5 million in cash payouts, $3 million to reimburse identity theft related expenses, $4.5 million for identity theft protection for victims, and $13.5 million for other security expenses.
How can consumers safeguard themselves?
Unfortunately, consumers cannot do much to protect themselves.
As patients, we sometimes need medical devices to perform necessary life functions, and refusing such devices could also harm one’s health. The same is true for hospitals. If a consumer needs emergency treatment, they are typically not in a position to force hospitals to strengthen their security posture.
However, there is one thing that consumers can do. They can be vocal.
It is important that consumers are vocal about the importance of cybersecurity. Consumers can urge their representatives to push through legislation and petition for more stringent laws that hold hospitals more accountable for cyber breaches. Consumers can also push for laws governing the approval process for medical device manufacturers, requiring them to demonstrate some level of cybersecurity testing and adherence to best practices before a device is released on the market, which would lead to safer development of Internet-connected devices.
Additionally, consumers can be vocal in their actions as much as in their words. Consumers can be proactive about facility security by asking how often their medical providers undergo cybersecurity assessments and whether they are HIPAA compliant. Consumers can play a large role in pressuring healthcare providers to take more responsibility for securing their practices.
Antwanye Ford is President & CEO of Enlightened, Inc., a leading IT and management consulting firm founded in 1999. Enlightened serves federal, state, and local government agencies. The company provides cybersecurity, software development and integration, management consulting and business process outsourcing services. In 2016, the company expanded its service offering to support the transportation and healthcare sectors. As a co-founder of Enlightened, Antwanye has led the company's growth from its initial days as a start-up to a diverse organization with over 200 employees.
Antwanye previously served as Director of Applications Support for INTELSAT, leading the business unit’s development of applications, consulting projects and document management infrastructure. He also served as a Development Project Manager at MCI. Antwanye is the Chair Emeritus of the District of Columbia Chamber of Commerce and currently serves as Board Chair of On-Ramps to Careers. He is also a Board Member and Regional Director of the East Coast Division of the US Black Chambers, Inc. and a Board Member of the Downtown Cluster’s Geriatric Day Care Center. Most recently, in 2017, he was appointed to the District of Columbia Workforce Investment Council as a Commissioner. A native of Washington, DC, Antwanye earned his Bachelor of Science and Master of Science degrees in Information Systems Technology from The George Washington University with honors.