Health informatics is one of the hottest areas of health care. But the fact that it forms the junction of health care and information technology makes it an attractive target for cybercriminals. They have proven adept at infiltrating health care institutions using a variety of tactics.
The U.S. Department of Health and Human Services Office for Civil Rights, for example, maintains a Breach Portal with some startling statistics.1 The portal shows that data on more than 120 million people have been compromised in more than 1,100 separate breaches at organizations handling protected health information since 2009.
The reason attacks can successfully skip past the various layers of health care security technology in place is that cybercrime has evolved to encompass many different attack vectors. For many years, web-based threats posed the most danger to organizations. But according to Osterman Research surveys2, email is now the top avenue of infiltration into organizations, with social media becoming the fastest-growing sector of concern within cybersecurity.
Health informatics professionals dealing with the security of patient information, therefore, may find that existing defenses are aligned more with web-based threats while the email channel is relatively poorly protected – hence the rise of phishing in its various forms as the bane of the health care security world.
Phishing emails are sent to large numbers of users simultaneously and attempt to "fish" sensitive information from unsuspecting users by posing as reputable sources. In health care, the ploy is to trick the user into clicking a link that infects the PC, opening an infected attachment, or visiting a fake health care website and entering login credentials, financial information, Social Security numbers, or credit card details. According to the Verizon 2016 Data Breach Investigations Report3, 30% of recipients open phishing messages, and 12% go on to click the malicious attachment or link.
Spearphishing is a targeted form of phishing aimed at specific individuals or a small group. The instigator has studied the health care provider, gathered information from social media sites, and is determined to con a hospital administrator or clerk into handing over the keys to the kingdom. With data such as travel plans, family details, employment history, and various medical affiliations being on public view in Facebook, Twitter, or LinkedIn, emails that seem to be legitimate often successfully fool users into compromising the network.
A watering hole is a place you visit frequently and trust. This might be a regularly used website, a partner's portal, or a vendor marketplace. By compromising that location instead of the target directly, attackers wait for staff to visit it, compromise their browsers there, and ride that foothold into the corporate network.
Cybercriminals have also gotten clever about registering domain names that look like legitimate health care sites4. Healthcare.gov, for example, has Healthcare.com, Healthcare.org, Healthcare.net, Health-Care.org, and Obamacare.com piggybacking off its good name, with many of these sites soliciting personal information. A user who lands on one of them from a phishing link has no visual cue that anything is wrong.
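The lookalike domains above, and the fake health care websites that phishing links point to, can be caught mechanically before a user ever sees the page. The following is an added example (not code from the original article or from any of the cited organizations) of a small checker that classifies the host of a URL as trusted, lookalike, or unrelated against an organization's own list of legitimate domains. The trusted list, the example-hospital.org entry, and the sample URLs are constructed assumptions for illustration; the registrable-domain logic is deliberately simplified (last two labels, no public-suffix list).

```python
import re
from urllib.parse import urlparse

# Constructed trusted list for this example; a real deployment would load
# its own legitimate domains (patient portal, EHR vendor, payer sites, ...).
TRUSTED_DOMAINS = {"healthcare.gov", "example-hospital.org"}


def registrable_domain(host):
    """Last two labels of a hostname (simplification: no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize(label):
    """Strip punctuation so 'health-care' and 'healthcare' compare equal."""
    return re.sub(r"[^a-z0-9]", "", label.lower())


def levenshtein(a, b):
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return 'trusted', 'lookalike', or 'unrelated' for a hostname."""
    host = domain.lower().strip(".")
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted"
    # A trusted name used as a subdomain of someone else's domain,
    # e.g. healthcare.gov.attacker-controlled.net
    for t in trusted:
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return "lookalike"
    if "." not in reg:
        return "unrelated"
    name, _tld = reg.rsplit(".", 1)
    for t in trusted:
        t_name, _t_tld = t.rsplit(".", 1)
        # Same brand word on another TLD (healthcare.com vs healthcare.gov)
        # or a punctuation variant (health-care.org)
        if normalize(name) == normalize(t_name):
            return "lookalike"
        # One edit away from the brand word (healthcar.gov)
        if levenshtein(normalize(name), normalize(t_name)) <= max_distance:
            return "lookalike"
    return "unrelated"


def check_url(url):
    """Classify the host part of a URL as found in an email body."""
    host = urlparse(url).hostname or ""
    return classify_domain(host)


if __name__ == "__main__":
    # Constructed sample links of the kind seen in phishing mail
    for u in ("https://www.healthcare.gov/login", "http://health-care.org/",
              "https://healthcare.gov.example.net/verify", "http://obamacare.com/"):
        print(u, "->", check_url(u))
```

Note what the string checks do not catch: Obamacare.com shares no characters with healthcare.gov, so it is reported as unrelated. Brand-association domains like that need a keyword or blocklist entry rather than similarity scoring, which is why the output of a checker like this belongs in a mail gateway alongside a maintained list, not as the only control.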
Medical Device Insecurity
As medical systems and devices adopt more wireless and web-based technologies, the risk of exposure to malware grows. This is so much the case that the Food and Drug Administration issued a safety communication on cybersecurity to manufacturers of medical devices and to hospitals with regard to their networks.5 In essence, the embedded computer systems inside medical devices can be compromised, or even used as a stepping stone into health care networks and databases. The FDA noted that hospital networks are left vulnerable by unauthorized access, out-of-date antivirus software, and poorly configured or unpatched firewalls.
Perhaps the most dangerous threat to the health care industry is ransomware. Instead of merely infecting systems with nuisance ads or spam, such an attack locks users out of a desktop, a server, or an entire network. The most famous strain is the Cryptolocker malware and its numerous variants, which encrypt files and demand a ransom in exchange for the key needed to decrypt them.
Improving Healthcare Security
As a result of threats such as these, the discipline of health informatics demands a deep understanding of cybersecurity. In addition to data analytics, population health, and mobile health apps, The University of Scranton Online Master of Science in Health Informatics program gives graduates a grounding in health care security. This includes how to combat web-borne threats, how to detect network incursions as soon as they occur, how to isolate suspicious behavior and detect malware that has found its way past the firewalls, and how to develop strategies to defend against phishing. Armed with these skills, graduates of the program are going to be a sought-after commodity in the job market. For more information, visit the program's website.
- U.S. Department of Health and Human Services Office for Civil Rights. (n.d.). Breach portal. Retrieved from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
- Cimpanu, C. (2016). One in five companies gets malware infections via social media. Retrieved from http://news.softpedia.com/news/one-in-five-companies-get-malware-infections-via-social-media-502603.shtml
- Verizon. (2016). Verizon 2016 Data breach investigations report. Retrieved from http://www.verizonenterprise.com/verizon-insights-lab/dbir/
- Ristau, V. (2013). Technically speaking, health informatics cybersecurity: Main categories of risk. Retrieved from http://blogs.dlt.com/health-informatics-cybersecurity-main-categories-risk/
- Food and Drug Administration. (2013). FDA Safety Communication: Cybersecurity for medical devices and hospital networks. Retrieved from http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm
- KnowBe4. (2016). White paper: How to transform employee worst practices into best practices. Retrieved from https://info.knowbe4.com/whitepaper-employee-worst-best-practices-enterprise-security