A Government Accountability Office report in August noted that defibrillators and insulin pumps are vulnerable to hacks. In July, one researcher-hacker was able for the first time to use a specialized search engine called Shodan to discover a medical device, a wireless patient glucose monitor in Wisconsin, linked to the Internet and open to hacking.
The Department of Health and Human Services is overseeing the move to electronic health records systems, some of which have documented security vulnerabilities.
John Halamka, a physician and Harvard University professor who is co-chairman of the HHS health information technology standards committee, said security in the health-care industry is “not as good” as in other industries. But he added that the industry is aware of the problems and is scrambling to make improvements.
“It’s completely headed in the right direction,” he said.
But Laurie Williams, a computer scientist at North Carolina State University, said health care remains widely vulnerable.
“There are basic, basic, Security 101 vulnerabilities we identified,” said Williams, who was among a team of researchers that identified numerous security flaws in several electronic health records systems two years ago. “I’m concerned that at some point the hackers are really going to begin exploiting them. And that’s going to be a scary day.”
A lingering issue
Questions about the cybersecurity of medical systems have been simmering for more than a decade. But the issue has intensified as hospitals embrace wireless devices and electronic records. Some health-care officials assumed that their networks were too obscure, or offered too few financial enticements, to be of interest to hackers.
Information technology executive Peter Tippett, the chief medical officer for Verizon, said the threat from cyberspace should not be overstated. Simple theft of laptops and other devices makes up the bulk of incidents.
“The fact is, there aren’t many attacks,” said Tippett, who oversees ICSA Labs, an independent division of Verizon that tests electronic health records systems and other security products for government certification. “The bad guys so far at least have been looking for money.”
Still, Tippett acknowledged that health care ranks near “the bottom of the list” of industries in terms of cybersecurity. “It’s about like retail,” he said.
In July, a consortium of hospitals, health plans, pharmacies, drug companies and government agencies called the Health Information Trust Alliance launched a cybersecurity incident response and coordination center to defend against “cyber crime, cyber espionage and cyber activism.”