While healthcare providers are scrambling to stay ahead of identity thieves, Chinese and Iranian military hackers, and NSA snoops, they may be leaving a big hole in their defenses as they add all kinds of automation systems for the “internet of things”, as the recent Target data breach fiasco demonstrates. Unfortunately, this lesson was not shared with most healthcare.
Some of you may be puzzled by my reference, so let me explain. All of the initial information on the Target breach focused on “Point of Sale” theft of credit card information — the hackers were stealing information from the credit card processing functions at the stores. For healthcare organizations, that did not seem to be a larger threat.
Invisible gaps
The larger threat, however, was revealed on techno blogs such as krebsonsecurity.com and that was an explanation of how the Target system was accessed to plant the data stealing functions. It is reported that the access route into the Target system was by hacking the HVAC system that remotely monitored and controlled store heating and air conditioning — simplistically, the HVAC control accessed the stores via their computer system to connect to the thermostat, and the thieves hacked the thermostat to implant their theft software in the host computer system.
For hospital and clinic systems, this same vulnerability may exist via the HVAC. More importantly, every hospital and clinic has more and more of these “remote” services and functions that are part of the growing “internet of things.” All kinds of monitors, sensors, “smart” equipment, remote access convenience, and alerting systems are being added to healthcare operations — often without any consideration how these “conveniences” may potentially compromise system security and HIPAA compliance.
Un-protected Systems
Another risk associated with the “Internet of things” is that most of these commercial applications do not employ the latest secure software. Published data, for instance, reports that more than 60 per cent of ATM machines in the US run on Windows XP operating systems, a Microsoft product that is no longer supported by the company and therefore is at risk for security breaches. To up-grade the software, manufactures and users would have to replace the software at a cost of Billions of dollars. But in most cases the machines are not able to run up-graded software, therefore requiring replacement of the entire machine as multi-Billion dollar expense.
Cyber insurance companies indicate that the failure to update, patch, or replace software and digital equipment promptly is a prime vulnerability that allows hackers to breach security and steal data. While IT efforts and budget concentrate on major systems, it is not uncommon for less obvious systems like Target’s HVAC or dozens of other medical systems to leave the door to the data vault standing wide open.