Has Health Care Hacking Become An Epidemic?


One in three Americans, more than 113 million medical records were compromised in 2015. 2016 statistics show the trend will be worse, with one in four Americans affected.

Has health care hacking become an epidemic?

BY NSIKAN AKPAN  March 23, 2016 at 6:19 PM EST

In February 2015, Anthem made history when 78.8 million of its customers were hacked. It was the largest health care breach ever, and it opened the floodgates on a landmark year. More than 113 million medical records were compromised last year, according to the Office of Civil Rights (OCR) under Health and Human Services. Consider it this way: if each case represented a single individual, one in three Americans would have been a victim.

This year looks tame by comparison, but it’s only March, and 3.5 million medical records have already been compromised. Based on this this list from the U.S. Department of Health and Human Services, the health care industry has averaged close to four data breaches per week in 2016 so far.

“If you think about it, that’s pretty bad, because we all interact with the health care system,” computer scientist and information security expert Avi Rubin said while discussing the state of hospital cybersecurity at the USENIX Enigma Conference in January.

Before becoming director of the Johns Hopkins University Health and Medical Security Lab, Rubin provided cybersecurity for companies across many industries. Banks. Car-rental companies. Retail stores. You name it. But the health care sector was the “absolute worst” in terms of cybersecurity problems, he said.

“Their data security practices were so far below every other industry,” Rubin said.

Indeed, the health care sector ranked second in U.S. data breaches in 2015 and placed in the top 10 on Verizon’s global hacking report.

What does this look like on the frontlines? Boston’s Beth Israel Deaconess gets hacked every seven seconds, the hospital’s CIO John Halamka reportedly said at South by Southwest two weeks ago. In 2011, cybercriminals in China stole 2,000 patient X-raysfrom Beth Israel Deaconess. Halamka said the scans are often sold to Chinese nationals who can’t pass health exams for travel visas.

Still, medical cybersecurity gets little attention in mainstream conversations, such as on the campaign trail. The words “hack,” “cyber attack” and “cyber warfare” have only been mentioned 16 times during the major Republican presidential debates. The record is even worse for Democratic candidates, with only a single utterance of “cyber warfare” by Senator Jim Webb during the October 13 debate. Neither party has used any of these terms in the context of health care cybersecurity during the primary debates.

But here are three reasons why everyone should care.

  1. Your health records have become currency

“Electronic health records are 100 times more valuable than stolen credit cards,” said James Scott, co-founder and senior fellow at the Institute for Critical Infrastructure Technology (ICIT) in Washington D.C. Members of Scott’s institute hold regular meetings between lawmakers and tech experts to foster cybersecurity policy. While numerous safeguards exist for financial information, fewer protections exist for health data, which is much more valuable, Scott said.

“With credit cards, the money is insured. If the bank is FDIC-backed, most people who have their credit card numbers stolen won’t actually lose the money. The bank makes up the difference,” Scott said. “But with electronic health records, the reason that hospitals and insurance companies are such a big target, first, is because of the payoff.”

A single Medicare or Medicaid electronic health record can fetch a $500 price tag on darkweb forums, Scott said. Experian, the global information service, estimates that health records are worth up to 10 times more than credit card numbers on the black market.

“If you purchase 100 electronic health records, you have everything for each of those people — social security number, all the addresses, their kids, their jobs,” Scott said. “Malicious actors want as much intelligence as they can get, and health care is the easiest attack surface for seasoned and non-seasoned hackers.”

Data breaches cost the healthcare industry an estimated $5.6 billion per year.

  1. Your hospital cybersecurity might be leaky

Health care occupies a vulnerable cybersecurity space. With the rise of health frackers, self-care and personalized medicine, people, doctors and regulators want easier modes of access to patient data. The dangers come from opening huge highways for sharing and storing data without the proper digital protections, Rubin said.

As an experiment designed to identify vulnerabilities, Independent Security Evaluators spent the last two years trying to penetrate the cybersecurity of 12 health care facilities and two health care data centers in the United States. Don’t worry; they were hired for this purpose.

At one hospital, the team hacked a computerized medicine dispensary by littering several floors with 18 malware-containing USB sticks. Each USB had the hospital’s logo, which may have been enough to convince an unwitting employee to use one. If the hack had been malicious, then the attacker could have altered the drug dosages, a potentially life-threatening scenario for a patient. At another hospital, they utilized an unguarded lobby kiosk to access the bloodwork records of patients, which in theory, could have been switched to yield improper treatment.

Locations of the medical facilities targeted in the Independent Security Evaluators study. Photo by Independent Security Evaluators

Websites are another avenue for cybercriminals, according to Independent Security Evaluators. The team pretended to be a patient logging on to an electronic health record website, but they filled the patient information fields with malicious code. When an unsuspecting administrator — a doctor or a nurse — viewed this new patient information the malicious code was installed, inadvertently granting a hacker “the full ability to modify the health records of all patients in the database,” Independent Security Evaluators wrote in a report published February 23.

Patients also carry these vulnerabilities with them, in the form of smartphone health apps. A survey of 211 diabetes apps in the Google Play store found that 81 percent lacked privacy policies. Of the remaining 41 apps with privacy policies, 25 apps (61 percent) would share user data if required by law; 20 apps (48.8 percent) shared user data with third parties; and 16 apps (39 percent) permitted user data to used for advertising purposes.

“This study demonstrated that diabetes apps shared information with third parties, posing privacy risks, because there are no federal legal protections against the sale or disclosure of data from medical apps to third parties,” the study’s authors from the Illinois Institute of Technology Chicago-Kent College of Law wrote. “Patients might mistakenly believe that health information entered into an app is private (particularly if the app has a privacy policy), but that generally is not the case. Medical professionals should consider privacy implications prior to encouraging patients to use health apps.”

Rubin recommended policies like encrypting all patient data, limiting who has permission to view medical charts to prevent breaches at hospitals and multifactor authentication. The number of searches placed into hospital databases should also be monitored, he said, to catch instances when hackers might be downloading large batches of health records at once.

  1. You might be missing the biggest flaw in your cybersecurity.

That’s because the biggest flaw in your cybersecurity is probably you.

The ongoing plague of ransomware is a great example. Ransomware holds hostage a victim’s computer or digital files by encrypting them, and it has existed in various forms since 1989. However, the latest incarnation — crypto ransomware — has spread like wildfire since its emergence three years ago. More than 128,000 desktops were hit by ransomware during the final quarter of 2014. By the middle of 2015, this number had mushroomed — doubling to 337,000 cases.

In February, Hollywood Presbyterian Medical Center became one of the latest high-profile victims of ransomware. Hospital president and CEO Allen Stefanek described the attack as “clearly not a malicious” and “just a random attack,” which is indicative of the primary route for this ransomware: a tainted email. The ICIT claims the medical centerwas struck by Locky crypto-ransomware, which arrives in an inbox as a Word documentin an email attachment.

This brand of attack is known as phishing — wherein hackers mask malicious code within a legitimate-looking email or webpage. This fake correspondence is laced with features designed to convince a victim to click — that’s known as social engineering.

There are two common versions of these hacks, known as spear phishing and whale phishing, and they’re engineered to capitalize on human nature and trust. The celebrity nude photo hack: spear phishing over email. A teen cracked into CIA Director John Brennan’s email by phishing a Verizon employee over the phone.

“Spear phishing is when an adversary will email you, and it looks like a message from a legitimate source. But then when you look closer, @newshour.org is @newshour.uk or .co or something,” Scott said. “Whale phishing is when you’re maybe sending three emails that are highly targeted. [The hackers] design a couple emails tailored through social engineering research that they gather from social media and whatever you put about yourself out there online.”

Cyberthieves often gain intelligence via semi-public social media platforms like LinkedIn, Scott says.

“They can see where you went to college, where you worked. And then they can dig deeper and find your Facebook and find out when you were married. A lot of times, it just comes down to doing your homework,” Scott said.

He adds that education is the key to preventing phishing attacks at hospitals.

“Hospitals and insurance companies need to educate their employees:‘This is what a spear phishing attack looks like.’ ‘Here’s what a spoofed browser looks like.’ ‘Look at the email, what’s different from this email and that email.’” Scott said. “When you get these weird things, you should forward the email to your information security guy at the company.”

He can open the suspicious email in a virtual private network, so the malicious code never gains access to his computer or the company’s network.

President Obama’s recently announced the Cybersecurity National Action Plan, which commits $62 million to educating the next generation of cybersecurity personnel, but it doesn’t mention training for regular folks on social engineering employed by hackers. If people keep opening the door to malicious code, no high-tech encryption, security software or legion of IT employees will be able to stop them.

“It’s training people not to click. That’s the thing. It’s crazy, but teaching people not to click is so hard. Just don’t click,” Scott said.

Nsikan Akpan

Nsikan Akpan is the digital science producer for PBS NewsHour.