Over the holidays the Washington Post published a lengthy investigation into healthcare data security and found it full of gaping holes.
The two biggest conclusions of the article were:
- There is a culture among healthcare professionals that eschews security, one where healthcare workers “sidestep basic security measures, such as passwords, in favor of convenience.”
- Medical devices, such as defibrillators and insulin pumps, are vulnerable to hacking.
The best description of healthcare data security? “I have never seen an industry with more gaping security holes,” Avi Rubin, technical director of the Information Security Institute at Johns Hopkins University, told the Post. “If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.”
Healthcare Professionals’ Laxity
During Rubin’s research, he found “that doctors and medical workers used the same computers to connect to both the Internet and internal networks,” a big security no-no that provides “a pipeline for attackers into the sensitive networks.”
In one extreme case, Rubin interviewed a nurse who admitted part of her duties included “typing in a physician’s password constantly so that the doctor would not have to, leaving the unattended machine unprotected.”
Medical Devices Vulnerable
The Post article made a point of mentioning that as more and more medical devices are computerized, the risk of hacking grows. However, the Post was unable to find any documented cases of hacking of devices, only anecdotes.
The risk has long been known. IT security magazine SC recently wrote at length about security holes in healthcare electronic devices, such as radiology systems, which, though connected to a hospital’s network, do not have the same security as other systems.
This equipment is not subject to the same security management requirements as other patient systems because of different regulations, says Barbara Filkins, a security consultant specializing in health care. Another article in SC Magazine extrapolated the frightening possibilities of insecure medical devices.
But What About the Revenue Cycle?
The Post article did not mention security risks to healthcare’s revenue cycle systems. The article takes great pains to point out that most hackers focus on those systems that provide access to money. But the investigation did not uncover any unusual hacking of healthcare business office systems, which is where the money is.