The Internet is no longer an informational resource only, it’s a necessity for personal and business communication. Our lives are now full of E-mails, websites, cloud storage services, online banking and retail purchases. We conduct our business over the internet with almost reckless abandon; we enter our bank account numbers into websites without hesitation. Unfortunately, this presents cyber thieves with many opportunities to steal us blind through fraudulent activity. The healthcare industry isn’t immune to cyber threats – in fact, private medical data has tremendous value on the black market because it can be used for traditional identity theft or sold to underground labs that churn out fake prescriptions for narcotics using your stolen medical history as proof of authenticity.
Healthcare Information Technology (IT) security needs improvement because there are many people with access to systems and devices, from the cable guy who installed your internet connection, to employees at a remote storage facility storing medical records. The industry needs to move away from purely electronic data management and employ information technology security precautions including network segmentation, using strong passwords, anti-virus software on computers and servers, keep critical databases offline unless necessary for use in an emergency situation and encrypting sensitive patient data files.
“So what does this have to do with pharmacy?”, you might ask.
Patients want their prescriptions filled quickly by a pharmacy that can deliver their medications promptly without delay or inconvenience. Pharmacies are under pressure to cut costs while increasing efficiency; they’ve begun moving toward centralizing the prescription process at larger facilities where pharmacists can distribute medications throughout the day while technicians scan medical information to determine appropriate drug therapy. This is an area of potential problems because medical data must be transmitted across open public networks not directly connected to the internal pharmacy network.
Let’s look at major security incidents in healthcare. One major incident occurred in late 2016 when Hollywood Presbyterian Medical Center in Los Angeles, CA was held hostage by ransomware hackers who demanded over 3 million dollars worth of bitcoin to decrypt all their files. Ransomware is software installed on computers or servers that encrypts its system files, rendering them unusable until a ransom payment is made using bitcoin or other online currency platform. The hospital paid 50 bitcoins (approximate value $17,000) to unlock their files and resume normal operations. Ransomware attacks aren’t isolated to large hospitals; they happen at smaller facilities as well.
Another major incident occurred in 2015 when multiple Hollywood celebrities had their personal medical records stolen from a hospital-affiliated physician’s office through an email phishing scam. The criminals hacked the systems of the celebrity’s publicist and then posed as her using fake email accounts to contact individuals on her staff seeking access to sensitive information, including medical history and test results. Some of these celebrities were targeted more than once with this tactic over a period of months before law enforcement was notified by one victim who immediately recognized that his account had been compromised due to recent unusual activity on his computer such as unknown logins to an email account.
Yet another major incident occurred in 2009 when community based non-profit medical centers were targeted by cyber criminals who wanted state of the art electronic heating and air conditioning systems with computerized dashboard controls. The hackers used spear phishing (a method where they gather personal information to make their attacks appear legitimate) via email, phone calls and even visits to close deals for brand new equipment worth thousands of dollars. They paid only a fraction of what the equipment was worth but walked away with it nonetheless, then hacked the software controlling the temperature settings inside patient rooms so that it remained very cold or very hot throughout the night, causing several incidents of patients awakening in extreme pain due to sudden drops in temperature down into the 30’s without warning.
These are just a few examples of major cyber security incidents at healthcare facilities that could have been prevented with simple security precautions, such as regular network segmentation and using strong passwords. It is not known how many patients have had their personal information stolen from these breaches but the FBI estimates that 1 in 5 medical records contains some form of personally identifiable information. This includes patient’s first and last name, date of birth, mother’s maiden name, Social Security number, etc.
This article highlighted examples of a vulnerable community clinic failing to recognize the importance of security measures such as segmenting the network for remote users connected to it through a Virtual Private Network (VPN). It is vital for all businesses whether large or small including those that provide some form of direct patient care services to maintain an extremely high level of vigilance on new network security protocols and procedures at all times.