Tuesday, February 19, 2013

Unhealthy Healthcare Hackers

What business or organization collects and stores more sensitive personal information than does your doctor, hospital or other health care provider?

What business or organization is more careless or takes more risk with your sensitive personal information than does your doctor, hospital or other health care provider?

The answer to both questions may be "none."

Avi Rubin, a computer specialist and technical director of the Information Security Institute at Johns Hopkins University, says he has "never seen an industry with more gaping security holes." In a December 2012 article in the Washington Post, Rubin said, "If our financial industry regarded security the way the health care sector does, I would stuff my cash in a mattress . . ."

That's the bad news. The good news is that so far there have been relatively few attacks directed at U.S. health care facilities. However, the U.S. Department of Homeland Security says health care is a growing target for what it calls activist hackers, cyberwarriors, criminals and terrorists.

A DHS memo last year warned "These vulnerabilities may result in possible risk to patient safety and theft or loss of medical information."

Johns Hopkins' Rubin cites aging software, the mandatory adoption of computerized personal health records and a culture of physicians, nurses and health care staff who routinely ignore basic security measures, including strong passwords, in favor of their own convenience while putting your private information at risk.

He reported a conversation with a nurse who told him part of her job was typing in a physician's password on any computer he might want to use in the hospital, so the doctor would not have to, even though it meant leaving terminals "on line" and unattended.

Health care privacy laws are among the most complicated, or at least many doctors and hospitals act as if they are, yet they fail to take even basic steps to safeguard your personal information once it is entered into their computers.

Rubin told the Washington Post reporter that health care "is an industry with the least regard, understanding and respect for IT security of any I've seen, and they have some of the most personal and sensitive information of anyone."

A year ago, someone hacked into a network server at the Utah Health Department and possibly downloaded Medicaid records for 780,000 people. Utah officials tracked the hackers to computers in Eastern Europe.

Doctors, hospitals and other health care providers cannot afford to be careless with your medical records and personal information.  Their income AND their reputations are at stake.
