Not really I’m afraid. Good day all. For the past few years, under pressure from the Obama Regime, hospitals and doctors’ offices have been putting all their records into electronic form, and moving away from paper files.
This does have benefits from a record keeping and billing point of view, but it does have a few negatives, one being the massive target for hackers and identity thieves. These records are on networks, and usually, they won’t be air gapped networks. Now we’re seeing attacks against these networks increasing geometrically. Here are a few details on the problems from The Washington Post:
The cyberattack on MedStar Health — one of the biggest health-care systems in the Washington region — is a foreboding sign that an industry racing to digitize patient records and services faces a new kind of security threat that it is ill-prepared to handle, security experts and hospital officials say.
For years, hospitals and the health care industry have been focused on keeping patient data from falling into the wrong hands. But the recent attacks at MedStar and other hospitals across the country highlight an even more frightening downside of security breaches: As hospitals have become dependent on electronic systems to coordinate care, communicate critical health data and avoid medication errors, patients’ well-being may also be at stake when hackers strike.
What this means is, it won’t be having your records stolen, as has happened with health insurance companies such as Aetna, but actual records being altered and someone being given the wrong medications or treatments.
Hospitals are used to chasing the latest medical innovations, but they are rapidly learning that caring for sick people also means protecting their medical records and technology systems against hackers. An industry that has traditionally spent a small fraction of its budget on cyberdefense is finding it must also teach doctors and nurses not to click on suspicious links and shore up its technical systems against hackers armed with an ever-evolving set of tools.
I recently worked in the medical industry on a contract. The business entity was converting to a new electronic system. While I was there, something was found on a server that threw a major scare into the business. We were lucky that the system in question was due to be retired, and only had limited access to the new patient records. (Actually none at all, which was why it was scheduled for decommissioning.) The business was just starting to get serious about their network security, but was having some serious pushback from the medical staff. Not surprising since their first thought is for their patients and not dealing with security.
In some ways, health care is an easy target: Its security systems tend to be less mature than those of other industries, such as banking and tech, and its doctors and nurses depend on data to perform time-sensitive, life-saving work.
Another issue is money. Ramping up a full bore network security system is not cheap, especially after spending hundreds of millions of dollars on a new record keeping infrastructure.
Where a financial-services firm might spend a third of its budget on information technology, hospitals spend only about 2 to 3 percent, said John Halamka, the chief information officer of Beth Israel Deaconess Medical Center in Boston.
“If you’re a hacker… would you go to Fidelity or an underfunded hospital?” Halamka said. “You’re going to go where the money is and the safe is easiest to open.”
Good luck breaking into Fidelity. Their cyber security people are top notch and very well paid. Hospitals, unlike banks and other financial institutions, aren’t rolling in money. Most medical centers are Not For Profits, and don’t have piles of money sitting around to use on network security systems. They would rather hire a new doctor or nurse, buy a new MRI machine or other medical device than spend it on new computers.
Because of the problems of getting medical and administrative people to think about cyber-security, hospitals are now getting hacked. The usual means is someone who isn’t paying attention, clicking on a link and installing some form of malware on a system inside a hospital network. When this happens, hackers can start nosing around, looking for root and administrative access to all the systems. Once they get that, they can do anything. In the case of MedStar, it was flat out extortion.
MedStar spokeswoman Ann Nickels declined to elaborate on what sort of software attack the hospital suffered, but several employees have said they saw a pop-up message suggesting it was “ransomware” — a kind of software that can lock people out of systems until they make a bitcoin payment. According to a photo of that message provided by a MedStar Southern Maryland Hospital Center employee, the hackers were demanding 45 bitcoins — equivalent to about $19,000 — to restore access to MedStar’s system.
“You just have 10 days to send us the Bitcoin,” the note read. “After 10 days we will remove your private key and it’s impossible to recover your files.”
These sorts of attacks are usually initiated from overseas, making it difficult to deal with the hackers even if they are identified. In MedStar’s case, they didn’t pay and instead recovered their systems. Under a worst case scenario, people could have died because the doctors and nurses couldn’t get the information they would need to treat them. This is one reason why paper records are still used, even if only in the short term.
The fact that some hackers decided to sabotage a hospital and put people’s lives at risk suggests to me that they aren’t really thinking down the road. Most of these hackers have really big egos, and they think they can get away with their actions. Recent prosecutions haven’t dissuaded them. Of course, they might go after a hospital in a country that won’t bother with things like their rights.
If they track down one or more of these people, well, let’s just say that they will be questioned in ways that make waterboarding look like a new way to wash their faces. Basically, the pliers and blades would come out and fingernails would come off. Once the “questioners” had the answers they wanted, said hacker would probably just be shot and the body disposed of. I wouldn’t be surprised if it ended up on YouTube as an example of what would happen to the next person who broke into a hospital and caused the death of an Important person. For all I know, it’s already happened.
Experts said the current attacks seem to be based in Eastern Europe, although it is hard to tell whether one group alone is responsible. The hacks have similarities, to be sure, but hackers trade tools and information. One concern is that as the attacks gain more news coverage, they will inspire more copycats who will use the same technique to target other vulnerable networks.
Eastern Europe is a hard place for law enforcement officials to get things done. The Eastern Europeans don’t take this sort of crime as seriously as they do others, such as drugs and terrorism. The hackers may think they are safe and secure in their anonymity, but I wonder just how anonymous they really are. I have no doubt that intelligence services from all around the world have identified a number of these people.
Now for some due diligence. I have a personal stake in this. My insurance company was hacked and my information stolen. It’s believed that this was a national intelligence service that did this, since there was a follow up break in at the Office of Personnel Management, and all their records were stolen as well. No damage seems to have been done, although I think my records were altered.
My insurance didn’t list the former Mrs. Webmaster when I went in to check things during our breakup. I know that she was listed on the account when I set it up. In our case, things worked out, well, in the sense that no damage was done that would have required medical treatment for the former Mrs. Webmaster, but if things had been different, lawyers would have been involved.
Cyber Security is a major issue. The Financial Industry has been taking it seriously for a long time. Now, the medical industry is going to have to get serious as well, and it’s going to cost a lot of money. Do I have any answers on how to do all this? No, but I do know that a “One size fits all, Top Down” approach won’t work. For now, doctors, nurses and others in the Medical field will just have to be very careful and security groups will have to do things like strip out external links and attachments in email.
Thatisall
~The Angry Webmaster~


