How Serious is the Threat of a Cyber Attack on U.S. Healthcare?

A new paper discussses the vulnerability of the U.S. Healthcare system, and a story in a respected publication assesses the threat of cyber warfare.

A new paper discussses the vulnerability of the U.S. Healthcare system, and a story in a respected publication assesses the threat of cyber warfare.

David Harries and Dr. Peter Yellowlees authored the “Brief Communication” in the new issue of Telemedicine and eHealth, titled “Cyberterrorism: Is the U.S. Healthcare System Safe?“  Mr. Harries works for Océ North America, a Canon Group Company, and Dr. Yellowlees is a psychiatrist at U-C Davis in California.  Because we’re doing a lot with technology in medicine now, we’ve become fairly dependent on these systems.  And the authors believe that this dependence on data systems that use the Internet makes them a potential target for terrorists.  Should there be an attack on, say, a hospital computer system, bringing it down or revealing confidential patient information acquired from it, this could shake the trust in such systems.  As far as we know, there hasn’t been a successful attack on a U.S. healthcare organization.  The authors suggest that with cyber attacks on the increase, it may only be a matter of time before one is launched successfully.  In the article, they discuss “several best practices” healthcare organizations can adopt now for protection.

As to the actual threat of cyber-warfare, The Economist featured an article in its edition last week, titled “Hype and Fear.” It points out that “almost all (roughly 98%) of the vulnerabilities in commonly used computer programmes that hackers exploit are in software created in America.”  General Keith Alexander, the head of both the Cyber Command and the National Security Agency, says the attacker always has the advantage.  Many potential targets of cyber-terrorists, like power grids, sewage systems, and transportation systems, are less vulnerable than you might think.  Even if a foreign organization launched a weapon like the Stuxnet virus that was used against Iran, experience shows it will have limited success and the vulnerabilities will be repaired quickly.  And that was the best that purportedly two first-rate cyber powers (the U.S. and Israel) could come up with.  To develop a Stuxnet would require large teams of highly-qualified people which may be beyond terrorist groups.  And a large team formed to do bad things attracts the attention of intelligence agencies who are often successful infiltrating them.

Still, there’s probably some teenager working round the clock trying to hack his way into a healthcare system for “fun”.  As a side note, companies like Microsoft have hired the people who mount cyber attacks on them to frustrate the others who are out there.

Harris and Yellowlees suggest that healthcare organizations develop a “defense in depth” approach as part of an overall risk management strategy.  This involves multiple layers of protection.  They offer six guidelines  to follow:

1. Regular security risk assessments that determine any gaps.

2. Intrusion prevention and detection services that can detect and block cyber attackers.

3. Installation of a data loss prevention solution that checks for leakage of information.

4. Audit logs to track access to sensitive patient data.

5. Performance of regular tests of Web security.

6. Mandates that software for mobile devices, laptops, portable storage and backup tapes be encrypted.

Even with all these measures in place, you may still have to worry about the IT guy who was fired last week and wants to “get even.”