Safe & Sound with Marianne Kolbasuk McGee

Cyber Wake-Up Calls for Health Sector Hacker Incidents Point to Need for More Information Sharing

The healthcare industry has had several loud wake-up calls so far this year, providing an alarm that the sector is not immune to the kinds of hacker attacks that have been more commonly associated with banks and retailers.

See Also: Ransomware: The Look at Future Trends

The most recent was a breach at Community Health Systems, which the hospital chain says involved Chinese hackers who used "highly sophisticated malware" to gain access to information on 4.5 million patients.

Regulators, law enforcement officials and others need to better collaborate to make sure timely alerts of cyber-threats - and guidance for response - are issued. 

TrustedSec, an information security consulting service, has said hackers who attacked CHS apparently took advantage of the Heartbleed flaw.

In June, Montana state officials confirmed that 1.3 million people were being notified of a breach at the state's Department of Public Health and Human Services. The state says hackers gained access to a public health department server containing client information.

And back in April, a distributed-denial-of-service attack against Boston Children's Hospital also put a spotlight on another often-overlooked threat.

What these incidents show is that the risk of hacker attacks in the healthcare sector is real. So healthcare organizations need to take their heads out of the sand and be prepared to defend against these threats, mitigate the risks and respond to the assaults.

Plus, regulators, law enforcement officials and others need to better collaborate to make sure timely alerts of cyber-threats - and guidance for response - are issued.

In the Community Health Systems incident, the healthcare community wasn't alerted about the malware threat until news reports came out about the hospital chain's disclosures in an 8K filing with the Securities and Exchange Commission. And the FBI was criticized for not issuing an alert to the healthcare sector until after that SEC disclosure.

Time for Vigilance

In the aftermath of these high-profile breaches, and many others, the healthcare sector needs to be on high alert. Clearly, cybercriminals and hacktivists are interested in stealing data or disrupting healthcare organizations operations.

And let's face it, as a result of the HITECH Act's financial incentive program for the adoption of electronic health records, there's been a transformation over the last five years, with tons of newly digitized patient data ripe for picking by cyberthieves if it's not properly protected.

Healthcare organizations of all types and sizes need to ramp up their security. Even smaller clinics have to be on the alert, because they could be weak links that let bad actors in.

On the Alert

Improved cyber-intelligence sharing, alerts and guidance from law enforcement, government regulators, and industry groups can help.

For instance, the Health Information Trust Alliance - or HITRUST - is meeting next week with government officials and healthcare information security leaders to discuss - among other things - ways of improving communication about cyberthreats to help mitigate risks (see How Can Healthcare Improve Threat Sharing?).

Certainly industry groups like HITRUST can help with the effort to spread the word about the latest threats. But the FBI and other government agencies need to do a better job of providing enough timely intelligence for the sector to act upon - while not tipping their hand to the bad guys.

The healthcare industry cannot afford to snooze while cybercriminals plan their next assault. Organizations of all sizes need to be ready to recognize the threats and mitigate the risks. But government agencies and industry information sharing groups need to do a lot more to ensure hospitals, clinics and others are well-informed about the very latest threats.



About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network