I've been in Healthcare IT for a decade and a half or so, and I think there's definitely a reckoning coming with regard to the lapses in security.
I think honestly, the only thing that's kept this from being a problem with greater consequence is that to date it hasn't been clear that there's a real path to monetization of health data. It's been a lot more profitable to chase down credit card #'s and mass email/password combinations that lead to banking access.
I've long wondered when a solid monetization strategy for health data would show up and we'd see a quick rush to target these datasets. Trends that I see that make me think we're getting closer:
1. Systems are increasingly net-connected, obviously. In some ways it's increasing security (literally most hospitals I've been in you could plug into any ethernet port in the building and be on a network where pretty sensitive data is sent in the clear), but it's making these systems available to a larger number of interested attackers.
2. Patients have accounts now. Health data is suddenly a not-insignificant source of email/password combinations for patients (previously just employees). Pretty reasonable to expect that health systems may be the source of future Gawker-style breaches for collecting poorly protected user credentials that can be used elsewhere.
3. The uptick and cost-effectiveness of encryption-ransomware, personal and corporate. It's been interesting to see cases where the data itself isn't monetized because it has some broad market value, but solely by threatening the owners with its release or exposure. I won't be surprised if Healthcare organizations or individual patients find themselves victims of extortion either by threatening to publish sensitive health data, or to destroy it.
There is (finally) an extra-linear increase in attention to this issue in Health IT, but there's also quite a large backlog of debt and an enormous number of systems deployed that were built for a different reality than currently exists.
What bothers me is that I was under the impression that if you have a HIPAA compliant information system (software or hardware) that none of these criticisms would be true, yet we know that this is essentially the norm and that healthcare providers routinely ignore the problem. What's going on such that hospitals have the worst of both worlds - expensive devices subject to incredible amounts of regulation to safeguard patients but demonstrably insecure systems? I'd hate to think of what would happen if we had no regulations whatsoever, but on the other hand the current effective infosec status of the healthcare industry seems to be not very far off from as if they had no regulations.
Did I miss something in HIPAA about "don't make it easy as hell for any random person to come in and steal patient data or command other HIPAA compliant systems to act as an agent?"
> What bothers me is that I was under the impression that if you have a HIPAA compliant information system
The idea of a "HIPAA compliant information system" is largely empty marketing speak (less so in terms of the Transactions and Code Sets rule than the Privacy and Security rules); HIPAA and its implementing regulations do not establish specific standards for information systems (in privacy/security terms). They set specific standards for what organizations holding PHI must do, and most of the technical features of software related to those functions are unspecified. To the extent that there are requirements, whether the software as used is compliant will be highly dependent on the relation between the policies, the specific functions performed by the organization, and how the software is used.
At most, software has features which facilitate compliance with some parts of HIPAA, but you can't just drop in a piece of software and achieve turnkey HIPAA compliance.
I think (right now) there isn't a way to really mass-target people illegally if you have their medical data. Blackmail requires some non-zero amount of effort per user.
Compare this to getting a password dump from a social networking site and trying those emails/passwords in an automated way against sites like paypal/gmail/banks etc.
EDIT: from the article
"TrapX also found a bug called Citadel, ransomware that’s designed to restrict a user’s access to his or her own files, which allows hackers to demand payment to restore that access"
> I think (right now) there isn't a way to really mass-target people illegally if you have their medical data. Blackmail requires some non-zero amount of effort per user.
I'm saying that's not really true anymore. These systems have patient email addresses and their medical histories. It doesn't seem to me a big leap to automate ransomware. Hell, there's plenty of encryption-based ransomware schemes active right now and they involve needing access to the target's local PC. This doesn't even require that. One massive healthcare breach and anyone who can pull it down on bit-torrent can start going to town extorting.
I think it's something that's been a practical possibility for a couple-few years now. Just hasn't happened yet.
>I think honestly, the only thing that's kept this from being a problem with greater consequence is that to date it hasn't been clear that there's a real path to monetization of health data. It's been a lot more profitable to chase down credit card #'s and mass email/password combinations that lead to banking access.
Stealing CC#s is easier, but pretty much everything you'd need to engage in wholesale identity theft is provided in your average ADT transaction.