Many healthcare organizations patch software less often than they should. For electronic medical record (EMR) systems, an unpatched flaw can mean losing access to patient data at the moment it is needed.
Before digitization, doctors handled a great deal of handwritten paperwork. Now they spend much of their working day inside software.
Proprietary vendors have an incentive to lock in users and make switching expensive. Lock-in also works against security: an organization that cannot realistically change vendors has little leverage to demand timely patches or fixes.
1. Malware Infections
As medical devices have become more sophisticated and interconnected, they have also become susceptible to malware, and an infection can spill over into supporting systems such as automated scheduling. An attacker who gains access to a device's operating system can encrypt the files it depends on and then demand payment for the key needed to decrypt them.
As a result, hospitals are increasingly finding themselves victim to ransomware attacks. The researchers behind a recent study found that ransomware-related data breaches at health care delivery organizations increased by nearly 45% from 2016 to 2021. In addition, hospitals infected with ransomware experienced operational disruptions, such as the rerouting of ambulances and cancelled appointments. These disruptions can have serious consequences for patients, particularly in emergencies.
A separate UK analysis found that a single ransomware attack can cause “tens of millions of pounds in lost revenue.” Hospitals directly affected by that attack had fewer admissions and attendances, with 4% fewer emergency admissions and 9% fewer elective admissions. Several factors likely combined to produce this: staff shortages, an inability to treat patients while electronic systems were out of commission, and the fact that many of the infected hospitals had never installed a security patch Microsoft had released two months before the outbreak.
While these kinds of attacks can hit every sector of the economy, they hit health care particularly hard. In the October 2020 ransomware attack on the University of Vermont Medical Center, for example, staff were unable to use their EHR and payroll systems, cancer patients had to reschedule radiation treatment, and IT workers spent weeks working around the clock to scrub the network and rebuild thousands of computers.
2. Social Engineering
Healthcare software streamlines administrative work for clinicians, but it also widens the attack surface.
Many intrusions begin with social engineering: an attacker tricks a victim into divulging sensitive information under a false pretext, usually by playing on fear, authority or urgency. For example, a criminal may pose as an executive demanding an urgent payment or an immediate password reset, so that the target shares credentials or other confidential data before stopping to verify the request.
In some cases, social engineering bypasses technical controls altogether. If a healthcare employee clicks a malicious link in an email or SMS message, malware can take over the device and encrypt or copy large volumes of medical records within minutes. Phishing remains a leading cause of data breaches, and it is also the usual entry point for ransomware.
Since protected health information (PHI) now lives almost entirely in digital systems, a ransomware attack can take down the whole environment, leaving doctors and nurses without patient records or other information they need. The resulting confusion and delay can seriously affect patient care.
Fortunately, healthcare software is getting better at resisting social engineering. Beyond requiring stronger authentication, such as a second factor on every login, vendors are adding behavioral analytics and machine-learning classifiers to their interfaces. Some systems warn users before they follow a suspicious URL, or show a preview of the destination page so the user can judge it before any credentials are entered. One caveat: SMS codes and push approvals can themselves be phished or fatigued into approval, whereas phishing-resistant factors such as FIDO2 security keys bind the login to the genuine site and defeat credential-harvesting proxies.
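To make the "warn before you click" idea concrete, here is an added example of the link heuristics such a warning can be built on. It is not code from the original article or from any EHR vendor's product; the trusted domains (example-health.org and labs-partner.example) are assumptions, and the registrable-domain logic is deliberately simplified (a real deployment would use a public-suffix list and threat-intelligence feeds alongside it).

```python
"""Link heuristics behind a "this looks like phishing" warning.

Added example; not code from the original article or any EHR vendor.
The trusted domains below are assumptions for illustration.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlparse

# Assumed: registrable domains the organization and its partners legitimately use.
TRUSTED_REGISTRABLE = {"example-health.org", "labs-partner.example"}

# Character swaps attackers use to build lookalike names (rn -> m, 0 -> o, ...).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def fold_confusables(label: str) -> str:
    """Collapse common lookalike substitutions so 'exarnple' compares equal to 'example'."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (a public-suffix list would do better)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def suspicious_url(url: str) -> list[str]:
    """Return the reasons a link looks like phishing; an empty list means no findings."""
    reasons: list[str] = []
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    host = (parsed.hostname or "").lower().rstrip(".")

    if scheme not in ("http", "https"):
        return [f"unexpected scheme {scheme!r}"]
    if scheme == "http":
        reasons.append("unencrypted http link")
    # https://example-health.org@evil.example/ actually connects to evil.example
    if parsed.username is not None:
        reasons.append("userinfo before '@' can disguise the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass
    if not host.isascii():
        reasons.append("non-ASCII hostname (possible homograph)")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible IDN homograph)")

    reg = registrable(host)
    if host and reg not in TRUSTED_REGISTRABLE:
        for trusted in TRUSTED_REGISTRABLE:
            brand = trusted.split(".")[0]
            if brand in host:
                # The trusted name is present, but the part the browser trusts is not.
                reasons.append(f"{trusted!r} appears under untrusted domain {reg!r}")
            elif fold_confusables(reg) == fold_confusables(trusted):
                reasons.append(f"{reg!r} is a lookalike of {trusted!r}")
    return reasons


if __name__ == "__main__":
    for link in (
        "https://portal.example-health.org/records",
        "https://example-health.org.login-secure.com/reset",
        "http://exarnple-health.org/login",
        "https://example-health.org@203.0.113.5/",
    ):
        print(link, "->", suspicious_url(link) or "ok")
```

The two findings that matter most for healthcare phishing are the last two: a genuine brand name placed under an unrelated registrable domain, and a lookalike domain that survives a quick glance. A warning built on these checks should block the navigation until the user confirms, not merely log it.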
3. Hacking
As the February 2024 cyberattack on Change Healthcare, the company that processes a large share of America's medical claims, showed, hospitals are not immune to the kind of digital mayhem hackers cause. Patients were unable to fill prescriptions or obtain their medical records, and doctors scrambled for workarounds. Pharmacies were hit especially hard: unable to process refills for some patients, they could not accept card payments or apply discount coupons for those prescriptions, and patients already waiting to see a doctor faced even longer delays.
Hospitals also struggle with other kinds of hacking. They are under constant attack from criminal gangs that target them with ransomware, which locks up computer systems until a ransom is paid, typically in cryptocurrency such as Bitcoin (pseudonymous rather than untraceable; payments are recorded on a public ledger and have been traced by investigators). The FBI recommends against paying, but some administrators conclude that without paying it could be weeks or months before their systems are back. Paying is no guarantee either: the decryptor may be slow or broken, and the attackers may already have copied the data, so tested offline backups and a rehearsed recovery plan remain the only reliable way back.
The good news is that hospital IT teams are working hard to strengthen security, and finding new ways to protect patient information as they do. One technique is "red team testing," in which a team of security specialists, internal or contracted, plays the attacker under agreed rules of engagement and tries to break into the hospital's systems, so that defenders can close the gaps before a real adversary finds them.
Another way to limit the damage from a breach is to stop collecting data that is not needed. Hospitals should stop requiring a Social Security number on patient intake forms: make the field optional, and accept a patient's decision not to share it. Data that is never collected cannot be stolen.
4. Data Exfiltration
As healthcare organizations adopt innovative medical equipment and technologies, such as augmented reality and robotics, they must also ensure that these systems and devices are secure. Unfortunately, such technologies are often vulnerable to both external and internal threats. Once attackers gain a foothold on the network, they can exfiltrate patient data and proprietary information that the organization depends on.
Data exfiltration is the unauthorized transfer of sensitive or proprietary data off a computer or other device. Attackers use malware, social engineering and other methods to carry it out, and they use compromised remote-access tools to take control of servers, devices or cloud storage platforms and pull data from those locations.
Almost every organization loses some data this way, whether to an external attacker or a careless insider. In many cases the exfiltration begins with a phishing email that installs malware on an employee's workstation or leads to a fake login page that harvests credentials. With over 124 billion emails sent and received each day, by some estimates, attackers have no shortage of opportunities.
A disgruntled employee may leak internal data for financial gain or to settle a perceived slight. External attackers, having exploited a software vulnerability to get in, often use stolen legitimate credentials to blend in and remain undetected.
The health sector must invest in a people-centric approach to security and a layered defense that covers all of these threats, including malware and hacking. Strong access control, and visibility into networks, systems and applications, are what prevent attackers from stealing valuable information and holding it hostage for ransom. Both are essential for maintaining business continuity and for complying with regulations that carry stringent penalties.
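The three paragraphs above describe how data leaves: a compromised workstation, a compromised remote-access channel, or an insider. Whatever the channel, the data still has to cross the network boundary, and that is where it can be detected. Below is an added example (not from the original article) of two such detections run over constructed log lines: a bulk transfer to a destination outside the approved set, and the DNS-tunnelling pattern of many long, high-entropy subdomain lookups under one parent domain. The log formats, the allowed-destination set, the business-hours window and the thresholds are all assumptions.

```python
"""Two detections for data leaving the network: bulk transfers to unapproved hosts,
and DNS-tunnel-style queries. Added example; not code from the original article.
Log formats, thresholds and the sample lines are constructed for illustration.
"""
from __future__ import annotations

import math
from collections import Counter, defaultdict

# Assumed: destinations that may legitimately receive bulk data.
ALLOWED_DESTINATIONS = {"example-health.org"}
BULK_BYTES = 50 * 1024 * 1024   # 50 MiB in a single request (assumed threshold)
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 UTC (assumed)

# Constructed proxy log: timestamp user destination_host bytes_sent
PROXY_LOG = """\
2024-03-04T09:01:12Z alice ehr.example-health.org 18234
2024-03-04T09:05:40Z alice ehr.example-health.org 9120
2024-03-04T09:07:03Z bob ehr.example-health.org 20411
2024-03-04T02:14:55Z bob files.transfer-drop.example 734003200
2024-03-04T11:30:02Z carol imaging.example-health.org 45211
"""

# Constructed DNS query log: timestamp user queried_name
DNS_LOG = """\
2024-03-04T02:15:01Z bob a3f9c2e1b7d4.tunnel.example
2024-03-04T02:15:02Z bob 9e0d71c4b2a8f6e3.tunnel.example
2024-03-04T02:15:03Z bob 4c7b2f91e0a6d3.tunnel.example
2024-03-04T09:02:10Z alice ehr.example-health.org
2024-03-04T11:31:00Z carol d1a2b3c4d5e6f7g8.cdn-assets.example
"""


def registrable(host: str) -> str:
    """Crude registrable domain: last two labels (use a public-suffix list in production)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character; hex or base32 payloads score far higher than dictionary words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def analyze_proxy(log_text: str) -> list[dict]:
    """Flag single requests that push a large volume to a host outside the allowed set."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, host, nbytes = line.split()
        size = int(nbytes)
        if size < BULK_BYTES or registrable(host) in ALLOWED_DESTINATIONS:
            continue
        reasons = [f"{size / 2**20:.0f} MiB sent to unapproved destination {host}"]
        if int(ts[11:13]) not in BUSINESS_HOURS:
            reasons.append("transfer outside business hours")
        findings.append({"time": ts, "user": user, "host": host, "reasons": reasons})
    return findings


def analyze_dns(log_text: str, min_len: int = 12, min_entropy: float = 3.5,
                min_labels: int = 3) -> list[dict]:
    """Flag (user, parent domain) pairs that issue several long, high-entropy subdomain
    lookups: the shape of data smuggled out inside DNS queries. A single odd-looking
    CDN hostname does not reach min_labels and so is not reported."""
    seen: dict[tuple[str, str], set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, qname = line.split()
        labels = qname.lower().split(".")
        if registrable(qname) in ALLOWED_DESTINATIONS or len(labels) < 3:
            continue
        first, parent = labels[0], ".".join(labels[1:])
        if len(first) >= min_len and shannon_entropy(first) >= min_entropy:
            seen[(user, parent)].add(first)
    return [
        {"user": user, "parent": parent, "labels": sorted(subs)}
        for (user, parent), subs in seen.items()
        if len(subs) >= min_labels
    ]


if __name__ == "__main__":
    for finding in analyze_proxy(PROXY_LOG) + analyze_dns(DNS_LOG):
        print(finding)
```

Run as-is, the proxy rule reports bob's 700 MiB upload to files.transfer-drop.example at 02:14 UTC, and the DNS rule reports bob's three encoded lookups under tunnel.example while ignoring alice's EHR traffic and carol's single CDN-style hostname. The entropy threshold is the fragile part: long English compound names score around 3 bits, so the rule pairs it with a minimum label length and a minimum count per parent domain, and known CDN and telemetry parents should be allowlisted before this runs at scale.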
5. Identity Theft
Medical identity theft is a serious problem, not just for victims but also for healthcare organizations. When a patient's information is stolen and misused, it can damage their credit and corrupt their medical record with someone else's treatment history. It also costs insurers and providers money, which can raise premiums for everyone.
Like other forms of identity theft, healthcare identity fraud involves a thief using the victim's information to obtain medical services, medication or equipment. The most common way to obtain that information is phishing: the thief poses as a legitimate source, such as an insurer or provider, and asks the victim to "confirm" their details by email, text message or phone call.
A victim's medical identity can also be stolen by an insider, such as a doctor's office employee or hospital staff member. These cases are more common than many expect, and they cause a range of problems for the victim. For example, the thief could use the victim's Social Security number to pull their medical records and file fraudulent claims with Medicare or a private insurer.
Despite the growing problem of healthcare identity theft, there are few resources to help people report it. Many healthcare organizations have no specific policies to prevent it and may not know how to detect it when it occurs. Organizations whose lapses enable medical identity theft can also face HIPAA violations, which carry hefty penalties and can put a business at risk. For this reason, software that handles PHI should be built around the HIPAA Security Rule's requirements from the start, including enforced access controls and audit logs of who viewed which record, so that misuse can be prevented where possible and detected where it is not.
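As an added example (not from the article), here is a small audit-log review that turns "detect it when it occurs" into two concrete checks: an access to a patient's record by someone who is not on that patient's care team and has no documented emergency override, and a single account opening an unusually large number of distinct patient records within an hour, the pattern of someone harvesting identities. The log format, the care-team mapping, the break-glass list and the thresholds are assumptions; the log lines are constructed.

```python
"""PHI access-log review: out-of-care-team access and bulk record harvesting.

Added example; not code from the original article or any EHR product.
Log format, care-team data, break-glass records and thresholds are assumptions.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed: which staff are assigned to each patient (normally from the EHR's care-team data).
CARE_TEAM = {
    "P1001": {"drlee", "nurse_kim"},
    "P1002": {"drlee"},
    "P3300": {"drpatel"},
}
# Assumed: documented emergency overrides, which are allowed but reviewed afterwards.
BREAK_GLASS = {("nurse_kim", "P1002")}
BULK_DISTINCT_PATIENTS = 5            # assumed threshold
BULK_WINDOW = timedelta(minutes=60)   # assumed window

# Constructed audit log: timestamp user role patient_id action
AUDIT_LOG = """\
2024-03-04T10:02:11Z drlee physician P1001 view
2024-03-04T10:05:40Z drlee physician P1002 view
2024-03-04T10:09:03Z nurse_kim nurse P1001 view
2024-03-04T10:12:30Z nurse_kim nurse P1002 view
2024-03-04T10:40:00Z drpatel physician P1001 view
2024-03-04T22:01:05Z clerk_ray registration P1001 view
2024-03-04T22:02:14Z clerk_ray registration P1002 view
2024-03-04T22:03:09Z clerk_ray registration P3300 view
2024-03-04T22:04:47Z clerk_ray registration P4410 view
2024-03-04T22:05:31Z clerk_ray registration P4411 export
"""


def parse_log(log_text: str) -> list[tuple]:
    """Parse lines into (timestamp, user, role, patient, action), sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, user, role, patient, action))
    return sorted(events)


def audit(log_text: str) -> dict[str, list]:
    """Return out-of-care-team accesses, break-glass uses to review, and bulk-access alerts."""
    outside, break_glass, bulk = [], [], []
    by_user: dict[str, list[tuple[datetime, str]]] = defaultdict(list)

    for when, user, _role, patient, action in parse_log(log_text):
        by_user[user].append((when, patient))
        if user in CARE_TEAM.get(patient, set()):
            continue
        if (user, patient) in BREAK_GLASS:
            break_glass.append((user, patient, when.isoformat()))
        else:
            outside.append((user, patient, when.isoformat(), action))

    # Sliding one-hour window per user: how many distinct patients has this account touched?
    for user, accesses in by_user.items():
        window: Counter = Counter()
        start = 0
        for when, patient in accesses:
            window[patient] += 1
            while when - accesses[start][0] > BULK_WINDOW:
                old = accesses[start][1]
                window[old] -= 1
                if window[old] == 0:
                    del window[old]
                start += 1
            if len(window) >= BULK_DISTINCT_PATIENTS:
                bulk.append((user, when.isoformat(), len(window)))
                break   # one alert per account is enough to trigger a review
    return {"outside_care_team": outside, "break_glass": break_glass, "bulk": bulk}


if __name__ == "__main__":
    for kind, items in audit(AUDIT_LOG).items():
        print(kind, *items, sep="\n  ")
```

On the constructed log, nurse_kim's look at P1002 is reported as a break-glass use to review rather than a violation, drpatel's look at a patient outside his assignment is reported once, and clerk_ray generates five out-of-team findings plus a bulk alert at 22:05. The break-glass path is the important edge case: emergency access must stay possible, so the control is a recorded override reviewed after the fact, not a hard block.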