Medical Data: Why the FBI Says Hackers Are Targeting EHRs Now

EdwardKeiperWhy Would Hackers be Interested in Medical Data?

By Edward Keiper, President and CEO of Velocity

No doubt, security is always a top concern when handling patient information. But now there’s even more reason to be cautious: The FBI recently issued a warning that electronic health records (EHRs) and medical devices are likely to be the next big targets for hackers. Even more frightening: A concerted attack is likely to occur by the end of this year or early in 2015.

This begs the question: Why would hackers be interested in medical data when they could be targeting retailers and banks to gain access to customer financial information?

The FBI states that medical data can command high payouts on the black market. Consider that the going rate for a stolen social security or credit card number is $1, compared to $50 for a partial EHR. That information can then be used to file fraudulent insurance claims, advance identity theft, and obtain prescriptions.

Even more enticing to hackers: It often takes twice as long to discover medical data breaches because victims don’t immediately realize that their information has been compromised.

With the January 2015 deadline to transition to EHRs approaching, the FBI warns that hackers may find the sudden influx of online medical data too tempting to pass up. In addition, medical devices that include online tracking and monitoring are also risk, according to the report.

Proven Data Vulnerability

The root of this problem is that the medical industry’s cybersecurity simply isn’t on par with that of retailers and banks that are already accustomed to arming themselves against hacker attacks.

A report by SANS released earlier this year reveals that the healthcare industry is “poorly protected and ill-equipped” to handle the latest cybersecurity threats. One key reason: Internal IT departments typically believe that their security measures are adequate, even when the data shows otherwise. Keep in mind, 94 percent of medical institutions reported having been hit with a cyber attack.

Where the Risks Are

Where are the biggest points of interest for hackers? The SANS report points to exploited radiology imaging software, video conferencing systems, digital video systems, call contact software, security systems and edge devices such as VPNs, firewalls and routers.

Default administrative passwords were shown to be a massive weakness, and were often the culprit in allowing enterprises to be exposed to risks for months before detection.

Ignoring these predictions won’t make them go away; your medical practice needs a strategy.

Consider this a call for aligning with an IT partner that knows what it’s doing, that has extensive experience with medical practices, and that has a fortress-like data center.

If you suspect your organization has been attacked, contact your local FBI office or call 202-323-3300.

This article was originally published in the Velocity blog and is republished here with permission.