Perhaps it comes as no surprise that most—if not all—industries are susceptible to data breaches… even healthcare. Just last month, Anthem Inc became the target of a breach that compromised the personally identifiable information of 80 million people. And last month, Premera Blue Cross announced it was a victim of a breach that not only gave hackers access to personally identifiable information, but to medical records as well.
It’s no longer a secret that the healthcare industry is a lucrative target for cybercrime; so lucrative, in fact, that patient data is worth about $50 per record on the black market, while credit card data sells for $1. Back in 2012, the Washington Post found that healthcare was one of the industries most vulnerable to cybersecurity issues, especially due to its lag in security measures. Today, the issue remains.
The simple truth to a complicated problem is that patient data is not encrypted. Data security has often ranked low on the priority scale for healthcare providers. Organizations struggle to meet HIPAA compliance deadlines and too often they aim to reach minimum security requirements rather than taking a comprehensive approach. Putting protocols in place to encrypt data can be seen as slowing productivity – and potentially affecting a company’s bottom line.
And to complicate the matter even further, consider the rise in the use of healthcare devices, which are chock-full of valuable data. We wear fitness trackers that monitor everything from our pulse to our sleep activity, and our medical devices are becoming increasingly wireless and connected. The recent implementation of federal rules that require the adoption of electronic medical records means the healthcare industry, and medical devices in particular, are subject to a host of threats.
The issue starts when medical devices become more connected. Some devices allow data to be transferred in and out of the device, and some send information directly to hospital servers or health apps. With this transfer of data comes the risk of it being intercepted. We see the same threat with fitness trackers. Several of these devices transmit data over Bluetooth or store data in the cloud, which means the data can be easily intercepted if not encrypted. And fitness trackers aren’t just a threat to our personal security: businesses with bring-your-own-device policies are at risk as well. Employees who sync their fitness trackers to personal phones that are connected to the organization’s network run the risk of connecting hackers to the network too.
But unfortunately, the threat goes beyond intercepting data and breaching networks. Implanted medical devices (IMDs) have become incredibly common and many are now equipped with wireless technology that sends information to the controller station. This means IMDs can be susceptible to tampering. Researchers have already demonstrated this reality: they’ve hacked pacemakers and defibrillators to give intense shocks and compromised insulin pumps to make them deliver insulin overdoses. The results can be deadly.
It may sound like an episode of “Homeland”, but these scenarios are actually potential risks in everyday life. In fact, in October of 2014, the US Department of Homeland Security launched an investigation into medical devices and hospital equipment suspected to have cybersecurity flaws. While the threat shouldn’t be overstated (there were no episodes of malicious hacking), officials did fear these devices could be accessed remotely and manipulated.
How many healthcare companies need to be hacked before cybersecurity becomes a necessity? Will we let the worst happen before we start mandating that medical devices be manufactured with strict security measures?
Medical devices need to be secure, just like our data. At Bluefin, we believe in taking a preventative approach to cybersecurity, not a reactive one. That’s why we offer point-to-point encryption for the healthcare industry and are working towards using our technology to encrypt data sources outside of payments, such as medical data. Let’s not wait for the worst before we implement better security measures.
Visit us next week at the HIMSS show in Chicago, Booth #8745, to learn more about our security technologies.