
Why Healthcare Should Be Worried About the Target Cyber Attacks

If you are a CEO or COO of a health care organization, and your IT people have been trying to get your attention, it’s time to have a serious sit-down with them.

If they haven’t been trying to get your attention, it’s time to have a more serious sit-down with them, complete with charts and graphs and arrows on flip charts.

Here’s why: Remember in November it was revealed that the Target retail chain’s computer systems were compromised? Some 70 million names, home addresses and phone numbers were stolen (pretty good raw material for identity theft) and 40 million credit card numbers.

It has turned out since then that some two dozen other companies, including Neiman-Marcus, the Michael’s arts-and-crafts chain and the White Lodging Services hotel management firm, have been hacked in similar ways, with the attackers’ software sitting in the companies’ servers, credit card machines and cash registers often for months before they were detected, sucking down every transaction, every bit of data moved about.

Hey wait, you say, I have every confidence in our computer security. Why, we passed a security audit just recently.

Heh. So did Target — just before they discovered the break-in. They got a clean bill of health, and the auditors failed to find the malware installed on every server, every credit card terminal, every cash register.

Why? Because the attackers have gotten way more sophisticated, and they used new techniques and methods of entry. You can now buy ready-made hacking software designed to do this on the Internet for less than $1000.

Here’s the kicker: Target has security guards at the doors, it has those beeper tags on small high-value items so you can’t sneak them out without paying for them, it has burglar alarms — but the perps in the biggest heist in the company’s history entered through the thermostat.

Got that? The thermostat.

Big-box stores have pretty sophisticated HVAC. Hospitals have much more sophisticated HVAC systems. Big-box stores typically outsource the management of such systems to outside firms. Most hospitals do the same. The outside contractor monitors and controls the HVAC over the Internet.

All the sensors, thermostats, switches, control valves and such report to software on the store’s servers. To allow this, the outside contractor is given password-controlled access to the store’s computer system.

How many of your systems, such as HVAC, water/sewage, security, and so on, are connected to the Internet, so that they can be remotely monitored? If you’re doing it right, there are a lot of them, and many are outsourced. Think about that, then read these two paragraphs from a New York Times article the other day:

“Remote access to these systems is really common and integrators are almost always on the corporate network,” said Billy Rios, director of threat intelligence at Qualys, a cloud security firm. Mr. Rios said that the security at such companies tended to be poor and that vendors often used the same password across multiple customers.

Over the last two years, Mr. Rios and Terry McCorkle, also of Qualys, said that they found 55,000 HVAC systems connected to the Internet. In most cases, they said, the systems contained basic security flaws that would allow hackers a way into companies’ corporate networks, or the companies installing and monitoring these systems reused the same remote access passwords across multiple clients.

— Nicole Perlroth, “Heat System Called Door to Target for Hackers,” NY Times, Feb. 5, 2014

If that didn’t make your blood feel like it’s been run through a chiller, it ought to. How certain are you that your patient and payment information is separated by an impenetrable wall from your plant-monitoring information? What about your system makes it invulnerable to this style of attack? How is the data in your system encrypted against anyone who might penetrate the firewall?

Hey wait, you say, we’re not a high-value target. We don’t have millions of credit card numbers. And why would anyone want to steal millions of health plan account numbers? Or even millions of medical histories?

Maybe you’re right. But think about this: We are in the middle of a massive move not only to computerize the entire patient experience, but to pull together all the different pieces into comprehensive records that include enormous amounts of personal information, from address and credit card information to sexual health, addiction and other embarrassing private stuff.

Keep in mind that the ACA and other recent changes will greatly ramp up the amount of substance abuse and other behavioral health issues that are covered as part of the mainstream record.

Now picture a black hat advertising on hacking forums: “We can get you the medical records of anyone — any celebrity, wealthy person, or blackmail target.” And they can say that because they have penetrated the nets of information that flow between hospitals and payers, as well as the internal systems of hospitals and clinics.

But it’s even more important than that. Health systems, clinics, and hospitals depend on their customers having a feeling of trust and safety in bringing their problems and medical details to you. If people feel that you’re a sieve, they will take their problems elsewhere. You seriously do not want your institution named in a headline about a data breach.

So CEOs, COOs: Time for a good long detailed talk with your IT people.

With nearly 30 years’ experience, Joe Flower has emerged as a premier observer on the deep forces changing healthcare in the United States and around the world. As a healthcare speaker, writer, and consultant, he has explored the future of healthcare with clients ranging from the World Health Organization, the Global Business Network, and the U.K. National Health Service, to the majority of state hospital associations in the U.S.

You can find more of Joe’s work at his website, imaginewhatif.

Keith
Member

I think that it’s best to regularly monitor any healthcare systems as much as they could in order to detect and apply security measures at the incidents of attack/s.

Even the outsourcing industries are applying extra security features to tighten up their systems. We just have to be very careful of choosing the most trusted and reliable provider.

Chuck Karish
Guest

The Target war story was worse than you describe. Target did have intrusion detection software in place. It did sound alarms. Nobody responded to the alarms. No remedial action was taken and no emergency protective changes were put into place for more than a week after outsiders pointed out to Target that they had been hacked.

Joe Flower
Guest

Hey, Chuck! Wow, really? That’s amazing. Really makes you wonder about the dynamics in the management of security there.

Merle Bushkin
Guest

You’re welcome. Thanks for your interest and thoughtful comments. I suspect that I have a different set of priorities than many of the healthcare cognoscenti. I’d like to at least be able to crawl a little before I try to run a three minute mile! My primary concern today focuses on the relationship between patient and provider. This is the low hanging fruit. And what we have spelled out today, is just a start. It will serve as a base from which we can do things that today are unimaginable. Today, I want to help providers improve the quality of care…

Joe Flower
Guest

Ah! That is indeed much more comprehensive and compatible with the workflow than I imagined — since your initial post was arguing against using health information exchanges. Your system sounds like an excellent one if used in parallel — and it is not an argument for not using health information exchanges. Thanks for the clarification.

Merle Bushkin
Guest

Joe and Bobby, Let me clarify two points. First, if you’ll visit the FAQs section of our website, you’ll understand that the scope of our MedKaz system is far broader than you envision. There is nothing like it, so I appreciate you have no frame of reference. (I apologize in advance to any readers offended by specifics about the MedKaz System but I don’t know any way to correct misunderstandings without getting into specifics.) Most importantly, while MedKaz is patient-centric and gives the patient a copy of all his/her records from all his/her providers, it does NOT replace provider paper…

Joe Flower
Guest

It not only glosses over the clinician’s workflow reality, if it were used by most patients, it would drop out of current and future workflow reality any possibility of tracking patients when they are not present, of for instance calling all your diabetes patients periodically, making sure that they are on track and offering help to adjust their medications or a talk with a nutritionist. If you are imagining that the clinician or the clinician’s office or the system they work for is keeping track of all that stuff (including when the person was last in, what their A1c number…

BobbyG
Guest

“Giving the patient their records so they move with the patient (rather than “follow” the patient as Dr.Mostashari likes to say), doesn’t replace the PCP or the other healthcare resources. It merely ensures that any provider treating the patient has access to the patient’s complete record and, thereby, can avoid mistakes, unnecessary tests, etc. It especially benefits the chronically ill patient who goes from doctor to doctor or hospital to hospital for care.”
__

A noble sentiment. One that glosses over clinicians’ workflow reality.

Merle Bushkin
Guest

Joe, I apologize for not describing our system in detail in these comments but I don’t want to come across as “selling” our system (to learn more about it, visit our website). I’m merely trying to say here that there is at least one viable alternative to the approach we as a country are taking to achieve better, coordinated, lower cost care — and that we should be open to considering it and any other innovative approaches. The stakes are simply too high to ignore systems that work, especially if they work today and form a basis for even greater…

Joe Flower
Guest

…You can do that/You can’t do that…

Joe Flower
Guest

That does sound a lot better. So your interface makes it far more than a stack of searchable PDFs? That’s great. But it still does not solve the problem of care coordination and how to manage the health of populations. Your solution sounds like it works great as long as the patient himself (or the patient’s family or caregivers) serve as the care coordinators. The solution assumes patients who have the energy, the education, and the focus to take charge of their own health and drive all the questions forward without any help. You may like that image, you may…

Merle Bushkin
Guest

Bobby and Joe, Our experience has been that docs are suspicious of patients bearing records, but when they need information, they’re delighted to find it so readily available — and they use it. In my own case, I recently had a followup visit with an ophthalmologist where having his complete progress notes on my MedKaz avoided a second visit. After waiting four months and having my pupils dilated, the doc said he’d have to reschedule my appointment because his EMR system was down. When I showed him his progress notes on my MedKaz, he expressed great delight, examined my eyes,…

Joe Flower
Guest

I am happy to hear your company is providing an alternative, Merle. It would seem to be only a partial answer to the problem, though. Bobby actually points out one of the main problems: Doctors are busy and think of themselves as busy. To be used effectively, any record system has to be part of their normal workflow, formatted in ways that they are used to, searchable in ways that are normal to them in their everyday work. No .pdf is searchable in ways that are common in good EHRs. For instance, it cannot create a time series out of…

Merle Bushkin
Guest

Joe, I agree completely that patients should be able to choose their care providers and that their records should be available to any care provider who treats them. But I completely disagree with your conclusion that “There is simply no practical way of achieving those two goals without some kind of digital health information exchange.” The truth is HIEs have almost insurmountable problems and don’t work beyond small networks. At the risk of being censored or having these comments deleted by THCB’s editors, I will tell you that there is a very simple, practical way to not only accomplish what…

Bobby Gladd
Guest

“At the risk of being censored or having these comments deleted by THCB’s editors…”
___

Oh, pul-eeeze. The only thing they censor here is my REC Blog link.
__

“aggregates the patient’s complete record, both paper and electronic, from all their providers on a MedKaz Green Drive which the patient owns and carries in their wallet, on their key chain, or wears.”

Well, I carry my full progress notes from my former Primary on a USB drive, in editable .rtf format. My new docs don’t seem interested in downloading and viewing them.

Adrian Gropper MD
Guest

Joe, 1) and 2) are worthy endeavors and require health information sharing with patient consent, data minimization and transparency. These are the core of what’s known as Fair Information Practice. Today’s HIE designs are coercive (they’re designed as an involuntary surveillance mechanism) and hidden (the patient is not notified when their health data is accessed or shared). Data minimization is limited to the strict requirements of federal law rather than what the patient or reasonable physicians would do routinely (how much of your child’s health record do you want in her permanent file forever?). In 2014, it’s not unreasonable for…

Merle Bushkin
Guest

Isn’t it ironic? The need for data security in single organizations is enormous, as pointed out so clearly in this post. Yet in healthcare we continue down the path to link multiple individual organizations via HIEs — thereby opening the door for hackers to breach multiple organizations in one fell swoop!

On second thought, maybe the fact that we have not found a way to link everyone in a nationwide HIE is a gigantic blessing in disguise!

Joe Flower
Guest

It is fair to say that there is a consensus among pretty much everyone who is trying to reform health care that two of the many goals are: 1) People must have some choice in their providers. There is little or no support for any system that simply mandates where people will get care. 2) We must improve continuity of care, not only for highly significant cost savings, but for better care, for saving the life and decreasing the suffering of the patient. There is simply no practical way of achieving those two goals without some kind of digital health information…

Granpappy Yokum
Guest

“there is a consensus among pretty much everyone who is trying to reform health care that two of the many goals are:
1) People must have some choice in their providers. There is little or no support for any system that simply mandates where people will get care.
2) We must improve continuity of care, not only for highly significant cost savings, but for better care, for saving the life and decreasing the suffering of the patient”

???????

Those who are running the show (CMS, large insurers, hospital mega-corps) are aggressively working to prevent those two goals.