Why Medical Records Are the New Data Honeypot

…and what physicians and their vendors should do about it.

The healthcare industry is the “grandparent” of the IT security world. Despite collectively having the potential to save $60 billion through investments in digital technologies, the healthcare industry remains infested with old, expensive-to-replace legacy technologies filled with vulnerabilities.

2016 saw a 63% increase in healthcare-focused cyber-attacks, and earlier this year, NHS hospitals in the UK were forced to turn away non-life-threatening patients when various hospital systems were crippled by the crypto locker virus WannaCry. Despite all of the evidence that suggests hackers are explicitly targeting healthcare institutions, proposed HHS budget cuts mean health organizations in the US will be facing this growing threat equipped with fewer resources than in previous years.

Assuming the government isn’t suddenly going to start throwing money at healthcare, what specific IT vulnerabilities should healthcare institutions be aware of, and how can providers keep their systems secure?

What are the biggest stumbling blocks for healthcare IT security?

The healthcare industry’s continued dependence on old technology means many devices in use are no longer supported by security updates and are susceptible to medjacking and other backdoor hacking. Some healthcare organizations aren’t even aware that as of April 11, 2017, Windows Vista is no longer supported by Microsoft, making Windows 7 the oldest operating system you should have installed on your computers.

Because of the valuable and confidential nature of the information held by healthcare institutions, federal and state security regulations are rightfully extensive. Still, their rapidly evolving complexity has made it increasingly difficult for healthcare companies to keep up with compliance.

Hackers have a stronger motive to target healthcare institutions because those institutions are more likely to pay hackers’ demands: the consequences of a hospital’s system going offline (even for a brief time) are quite literally a matter of life or death. To avoid human suffering and circumvent malpractice and liability risks, hospitals are under greater pressure to recover stolen information and unlock blocked data.

What’s necessary to solve health IT’s chronic security problems?

Looking at the big picture, significant changes will need to occur to improve security and drive widespread adoption of best practices in the healthcare industry.

Recently, the Bipartisan Policy Center (BPC) released a report on the relationship between patient safety and improving health IT implementation. The report’s top suggestions to advance the development and adoption of health IT run parallel to the advancements needed regarding IT security. The report calls for:

  1. Developing coordinated leadership to set and guide health IT priorities.

  2. The promotion, dissemination, and regulation of best practices that address priority health IT issues.

  3. The continued advancement and adoption of strategies and standards across healthcare institutions.
