Skip to content Skip to navigation

Report: Healthcare Industry Facing Increasing Threats from Hackers

October 24, 2012
by Gabriel Perna
| Reprints

A new report from the Milpitas, Calif.-based data security software provider, FireEye, looked at the security landscape across various industries. Healthcare providers may not like what they see.

 The report’s view of the threat landscape, conducted by FireEye’s Malware Intelligence Lab, found that between January and June of this year, the number of incidents that evade traditional security defenses and trends nearly doubled in the healthcare industry. The industry, the report notes, is facing a persistently increasing threat as healthcare organizations adopt EHRs.

The threats, according to Ali Mesdaq, security researcher at FireEye, have increased for a variety of reasons. He says through the digitizing of medical records, the industry has accumulated sensitive data that can be used by hackers for financial reasons. Furthermore, he says, the security measures within healthcare are not as mature as other industries.

“They are not as protected as other industries that have been under attack for a longer time, like the financial industry, the defense industry or the government. They have more budget and measures in place to protect themselves. With healthcare and also the energy and utilities industries, they are just starting to shift to protect themselves.  [Because] they haven’t been under attack as much, and haven’t focused on it as much.”

In addition, Mesdaq suggests the culture of the healthcare industry is a little bit more laid back than others and notes many data breaches occur with lost or stolen USB drives.  Overall, hesays the report’s authors saw a focus on a larger amount of attackers going after providers, back-end processing payers, and trying to infiltrate healthcare’s numerous moving parts.

Other reports have similarly given a critical eye to the healthcare industry. A report from Verizon communications research, says the number of publicly-reported breaches in healthcare since the implementation of the Health Information Technology for Economic and Clinical Health (HITECH) Act has spiked.

The report says while some in the industry are hacking to send a message to providers that they must stress the importance of protecting their electronic medical records, the actual threat landscape is much more in line with run-of-the-mill cybercrime seen in other industries. “The vast majority of attackers seek information from which they can directly or indirectly profit. This includes personal and payment information (including patient health and insurance data) used to supply organized criminal groups with what they need for all manner of fraudulent schemes,” that report found.

Proof of this, the Verizon report’s authors found, is that most attackers on the healthcare industry have hacked into point-of-sale systems and other assets in the payment chain. The threats aren’t just hack attacks, either. They can come from malware derived from emails, which ultimately callback to a central server and can spread to other systems. FireEye’s Mesdaq says leaders at healthcare organizations can’t afford to ignore this trend.

“You have to start to put a price tag on worse case scenarios,” Mesdaq says, “and consider them very possible. The worst case scenario could be that someone gets all your patient and payment information. With this information, an attacker could literally open up accounts in the person’s name, as well as take money out of their accounts. That gets them from both ways. You have to put a price tag on that, if this happens, what’s that worth to the company [to protect]. Recognize that it could happen and strategize, and address the possibility of that threat.”

For a detailed look at how healthcare providers have responded to data breaches, and how they’re dealing with this increasing threat, see the most recent issue of Healthcare Informatics, and this feature: Data Security 101: Avoiding the List.  



Great article Gabriel, thanks for highlighting this. As you pointed out, the healthcare industry has not had to place such an important emphasis on information security as other industries because of the lack of digitalization in place.

What should also be pointed out is that even though the focus of the article is using patient data for financial means, it should not be underscored that breaking into and changing or stealing a patient's clinical data is the other major potential threat. Unlike other industries that can reset information or wipe the slate clean after a data breach, in healthcare in could be a matter of life and death. Furthermore, the potential for additional damage is proliferated when data is shared across health information exchanges and integrated deliver networks, exacerbating the problem even more.

Healthcare needs to shore up security for a variety of reasons beyond financial data manipulation and the problem could get worse as we open the door to the use of electronic medical records for multiple purposes.