English
Thieves May Use Heartbleed to Attack Hospitals
Posted on Apr 17, 2014 by Ailee Slater (G+)
This month, the health care industry is less concerned about heads, hearts and kidneys and more focused on servers, data encryption and electronic networks – like everyone else, the health industry is worried about Heartbleed.
Heartbleed is a bug in the encryption system used to keep many parts of the internet secure. When you type in a password or submit confidential financial details, SSL encryption ensures that no one can find that information, no matter how hard they look. Heartbleed, however, allows internet users to read the memory of certain sites and find that private information – meaning that this bug could lead to identity theft, credit card fraud and more.
In the health care industry, advocates worry that Heartbleed has the potential to cause a major breach in data security. The Heartbleeed bug could compromise sensitive medical data, expose patients’ billings addresses and health history, and even affect the functioning of in-hospital and at-home health technology such as MRI scanners, heart rate monitors and automatic insulin pumps. And even if Heartbleed doesn’t lead to medical security breaches, industry experts still fear that the threat alone of Heartbleed could damage patients’ trust in electronic records, and affect the economic potential of businesses that deal in health care IT.
In an interview with Healthcare IT News, Phil Lerner – Beth Israel Deaconess Medical Center’s chief information security officer – said that tackling Heartbleed should be a major priority for the health care industry. Lerner said that hospitals need to identify servers that might be vulnerable to hacking, and that communication between different parts of the organization will be key in keeping the entire IT system secure.
Unfortunately, the process of securing servers and electronic data may prove time consuming – an unfortunate fact for hospitals that lack the personnel or funds to spend weeks or even months experimenting with different fixes to the Heartbleed bug, and testing each fix to make sure it works. Global director of medical security at Codenomicon, Mike Ahmadi has commented that in the health care industry, there will be no quick fixes to Heartbleed – it’s an industry that relies on myriad connections between myriad systems (the billing department, outpatient physical therapy and the surgical unit, for example), and any bug-fix must be tested to assure that no further problems have been created in any part of the whole. Ahmadi also mentioned the difficulty of testing and repairing IT systems that are responsible for relaying real-time information to different people across the organization – if a Heartbleed bug fix accidentally creates another problem with a hospital’s technology, even if that problem only lasts a few minutes, lives could be lost.
According to the Advisory Board Company, a global firm that specializes in health care and higher education research and technology, the Heartbleed bug isn’t the first time that hospitals have feared unintentional disclosure of patient medical records. In 2012, the Advisory Board Company reported that since 2009 around 21 million people had been affected by security breaches in health care data systems. These breaches included the stealing of medical information, loss of records, and unauthorized disclosure of data. Evidence indicates that similar breaches may have occurred before 2009, however in was in September 2009 that new health care privacy protection laws mandated that health care organizations publicly report any breaches of patient data.
Unfortunately for patients, their health care information is extremely lucrative for technology thieves: the Advisory Board Company reports that whereas a hacker can sell credit card information or a social security number for less than US$4, electronic medical records are worth closer to US$50. With a patient’s health care information, an identity thief can make a false insurance claim, purchase prescription drugs or send medical bills to the patient’s insurance account. Being the victim of medical records theft could lead to financial complications and even bankruptcy, and unlike a credit card, electronic health records cannot simply be canceled.
Despite nervous patients and health care administrators, there has been no reported data theft due to Heartbleed. The United States Centers for Medicare and Medicaid Services have reported that the federal health care exchange website (healthcare.gov) has not been affected by any security breaches, and that online Medicare patient information is likewise safe. The U.S. Homeland Security Department has said that although healthcare.gov and other federal databases do use technology systems that are susceptible to Heartbleed, the bug is not a threat – although further information as to how the government has secured itself from data breaches has not been revealed. And not everyone in the technology security industry is convinced that online information at healthcare.gov and other sites is as secure as Homeland Security claims. One member of the National Cyber Security Partnership told the news website NextGov that transfer of personal information through the healthcare.gov servers could put patient data at risk.
Professionals within the medical IT industry also remain concerned: digitizing hospital records and everyday functions has been a drawn-out process, and the fear of security breaches could slow down this health technology modernization even more. Many hospitals in the United States and other developed nations are still using paper records, meaning that instantaneous access to patient information (such as allergies and surgical history) is impossible, and sharing these records between different health care organizations or even different sectors within the same hospital is difficult. In 2009 President Obama passed the HITEC act, a law that provides a financial incentive for hospitals to adopt electronic records and other forms of health technology. Since then, the United States has seen a definite acceleration in the adoption of medical IT: hopefully, Heartbleed will not diminish those gains.
Because Heartbleed affects servers used across the globe, health IT systems worldwide could be at risk of breaches and burglaries. The international market for medical electronic systems has been growing at an unprecedented rate during the past decade, with developing countries making up a large proportion of new health IT customers. The potential of integrated medical technology is huge: patient records can be shared between departments and hospitals, reducing over-treatment or inappropriate care; electronic data can help communities and countries to identify pandemic risks; and digitized prescriptions can reduce fatal medical errors. No small wonder that right now, the health care industry is working hard to ensure that Heartbleed won’t compromise the promising potential of new medical technology.