All around the United States, hospitals now face an increasing number of attacks on their technology infrastructure.
On March 31, California-based Alvarado Hospital Medical Center reported a “malware disruption.”
Kentucky-based Methodist Hospital stated March 22 it was operating in an “internal state of emergency” after attackers locked all the hospital data on its network.
On Feb. 5, Hollywood Presbyterian Medical Center reported a crippling attack.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) shows that more than 60 health care institutions have been hacked in 2016.
OCR reported more than 111 million records were stolen in 253 incidents in 2015.
Most were done through ransomware attacks.
Ransomware encrypts all of the files on a system and typically blackmails the user into paying to have the files decrypted.
Hospitals are especially vulnerable targets because they are more willing to pay for the data than most other institutions.
Hospitals can’t afford to have their systems offline for even a day because of the risk to people’s health.
Hollywood Presbyterian Medical Center willingly paid a $17,000 ransom in order to regain access to its own internal computer systems.
As with all blackmail, attackers will focus their attention on those most willing to pay, which increases the risk for other health care institutions.
The attacks directly affect all of us locally as well. At the end of March, King’s Daughters’ Health in Madison, Indiana, shut down all of its computers after ransomware appeared on its internal system.
Additionally, Blue Cross and Anthem, insurance providers for faculty at IU, reported extensive data breaches in 2015 that affected tens of millions of people.
The International Data Corporation Health Insight Group predicts one in three Americans will have his or her information stolen through a health care data breach this year.
This includes name, family relations, home address, date of birth, social security number, financial records and medical records.
On the black market, this information is pure gold and contributes to identity theft.
It’s time for health care institutions to beef up their technology security protocols, or at least start by creating some.
To start, our personal data needs to be encrypted so even if our information is stolen, the encryption will mean it’s useless to the thief.
Secondly, health care officials need security training.
This would include learning not to click on malicious emails, not to plug in random USB drives and not to leave their computers in the open.
Finally, hospitals need to create more robust security systems.
A simple username and password shouldn’t be the only thing blocking a single person from a cache of medical records.
Databases should be monitored for intrusions.
A new security policy would cost money, but health care institutions need to treat the IT department as a serious consideration in creating annual budgets.
Our medical records are prime information that requires actual protection.
sshahsav@indiana.edu