
2015 Could Be the Year of the Hospital Hack

schwit1 writes After Obamacare required hospitals to convert all health records into electronic files, those records are now very vulnerable, and experts expect hackers to target them in the coming years. From the article: "Along with vast troves of credit card information and celebrity snapshots, hackers stole a record number of medical records from U.S. health-care facilities this year. In 2015, attacks targeting health data will become even more common, according to security researchers....The cause of the uptick isn't hard to diagnose. Medical organizations across the world are switching to electronic medical records, and computer security is not always a high enough priority during the process, says Leonard. Besides that, he says, easy and fast access to medical information often trumps security."

  1. Oh, I wouldn't worry about it. by ColdWetDog · · Score: 5, Insightful

    EHRs in general are so fucked up that even legitimate users can't figure out what the hell is going on most times.

    I tell you what guys. If you do manage to hack into a bunch of systems, could you gin up some code that allows you to get the information out of all of them and put them in one usable place? Despite millions of dollars and countless lines of code, the vendors have yet to make that happen.

    --
    Faster! Faster! Faster would be better!
    1. Re:Oh, I wouldn't worry about it. by Anonymous Coward · · Score: 1, Insightful

      Don't apologize for the EMR vendors and stereotype physicians. I have seen EMR deployed in a medium-sized hospital that had race conditions that caused the patient's meds order to be doubled. I actually witnessed this happen myself while observing a doc submit their orders. In case you aren't aware, this type of bug could have fatal outcomes for patients.

      I have also seen a PACS where the vendor-managed system would run out of disk space and make it so no radiologist could log in... and the entire hospital was now on digital imaging. Maybe you would like to be admitted to a hospital ER where no one can read your CT scans, but as for me, "no thanks". I also liked that this vendor would push out software upgrades overnight with no notice and no published changelog.

      So, don't simply presume docs are luddites and your EMR is a panacea if we could only see how wonderful it is. EMR *might* be a net gain if it were coded more like avionics rather than a ramshackle clusterfuck from a dev team who has never heard of unit testing, much less a test-driven development SDLC.

  2. this isn't an "obamacare" thing. by nimbius · · Score: 4, Insightful

    electronic medical records were basically mandated by insurance companies and hospital executives in an effort to reduce overhead in paper, postage, and ancillary staff related to records processing. If you've never heard of companies like ACS, it's hard to imagine a workforce of almost 3000 people standing over banks of scanners, feeding paper records into a hopper, for $9 an hour in 3 shifts. Electronic medical records would have been a thing with or without the ACA. Mandating them was just icing to get insurance companies to go along with the act.

    what we at slashdot can agree on is that, ostensibly, this should mean an increase in IT staff: qualified professional network and systems administrators to secure and protect patient data. But that's not mandated in the ACA, and anyone working in IT for a hospital can attest wages are stagnant. But you can expect Obama to be a lightning rod for shit like this because thanks to a fervent neoconservative effort most people can't even remember the Affordable Care Act. All they hear is "Obamacare".

    --
    Good people go to bed earlier.
    1. Re:this isn't an "obamacare" thing. by Attila+Dimedici · · Score: 3, Insightful

      That is not true. There were medical care providers who were making the transition to EMR. The problem was that not enough were making the transition as fast as the companies which had decided to make a business out of transitioning them to EMR had anticipated. Since the people who had invested in these companies based on that anticipated rate of transition were politically connected the government was used to speed up the transition.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
  3. Re:Cash Doctors by ColdWetDog · · Score: 3, Insightful

    In fact my medical records folder comes home with me from my visits and does not even physically stay in his office.

    No, it doesn't. At least in the US, the original stays in the office. You might get a copy but even here in Nuttville we're not crazy enough to let the patient have the canonical record.

    Besides, you do realize that your pharmacy sells your prescription information to mining companies and that the states typically monitor any restricted drug with a system of your own?

    The only way to stay perfectly anonymous is to get care out of the country or stay healthy.

    --
    Faster! Faster! Faster would be better!
  4. Hospitals are a stupid target by Stargoat · · Score: 3, Insightful

    Hospitals are a pretty stupid target in comparison to banks, physical retail environments, and online stores. A hospital DB might contain a social security number, addresses, illnesses, and birthdate. So what?

    If you can get into a bank, you get money account info, credit scores, security tips, former trades, credit cards, all sorts of good stuff. If you get into a retail environment or online store, it's almost as good. Basically, you get money to spend. In a hospital though, the only unique thing you find out is if someone is sick and with what. That's a pain in the ass to work with. You can try to get more info from all that PII, but again, it's a pain in the ass and available elsewhere. Other stuff is more lucrative for the investment of time, criminal risk, and energy.

    If you were a terrorist, a hospital might be a bit more interesting, but the various hospital disasters I have read about demonstrate that there isn't much a hacker can really do to hurt people. Nurses at the end of the day don't do stupid things and doctors aren't much worse.

    No, hospitals are a stupid place to expend effort.

    --
    Hoist Number One and Number Six.
    1. Re:Hospitals are a stupid target by Anonymous Coward · · Score: 3, Insightful

      The glut of credit card data on the market means that the going rate for credit card data on the black market right now is about $1/account. Contrast this to $10/health record. (http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924)

      Why?

      1) health records have excellent data to facilitate identity theft
      2) banks have much more rigorous anti-fraud systems in place, and consumers know to check credit reports
      3) Because of #2, fraudulent health insurance claims schemes are going to be able to make more money over a longer period of time
      4) health records of federal employees or political figures provide excellent data for politically motivated attackers, including state-sponsored threat operators acting as part of, or on behalf of a foreign intelligence service, who would use this information for blackmail/extortion, or to influence the outcome of an election.

      I am an infosec guy at a large health insurance company, and these (among other things) are the sorts of motivations that we are concerned with, which is why I am posting anonymously. However, I will say that in order to adequately defend any asset, you have to have a circumspect view of the value of that data to an adversary. Some things are worth more than others to different people. Recognizing that fact is an important step in developing a proper defensive strategy. If I were you I would not so quickly write something off just because I didn't immediately see the value in it myself. Just sayin'.