Kevin Johnson, a professional and self-described ethical hacker, was terrified by what he saw in healthcare networks and applications. As head of the security consulting firm Secure Ideas, his job is to probe those networks and identify their vulnerabilities.
Johnson has conducted several tests for health insurance companies, hospitals and medical app companies, only to find that most of these organizations have failing security. He discovered that most of them were completely unaware they had been hacked; it took phone calls from the FBI for these organizations to learn that there was a problem on their network. Johnson says, “If the FBI is initiating your incident response, you have a problem.”
The root of the problem can be traced to the misconceptions of the healthcare organizations themselves. Mostly small hospitals, they assume that the contents of their databases hold little or no value to anyone. That is where they are wrong. Johnson says that medical records are actually more profitable to hackers for identity theft than other data. For instance, 405,000 individuals had their medical records, Social Security numbers, dates of birth and addresses compromised just this February, after a three-day-long security attack on St. Joseph Health System in Bryan, Texas.
Although the responsibility ultimately falls on the hospitals, they are not entirely to blame. Vendors are equally guilty of providing sloppy security. There is a ‘language gap’ between users and providers that becomes a problem in the long run: users subscribe to a security provider without fully understanding the system, which makes it difficult for them to manage.
Johnson recalled medical app developers saying, ‘this particular app used in major hospitals and medical facilities is base64 encrypted technology’. In reality, base64 encryption doesn’t exist: base64 is an encoding, not a cipher, and anyone who can read the stored value can reverse it without any key. Due to non-disclosure agreements, Johnson can’t name the app.
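To make the point concrete, here is an added audit example (not code from the article, from Secure Ideas, or from the unnamed app). It takes a constructed patient record of the kind a vendor might call “base64 encrypted”, attempts a plain, keyless base64 decode of each field, and reports every field that comes back as readable PII. The record contents, field names and PII patterns are all assumptions made up for the example.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample record: sensitive fields stored "base64 encrypted",
# as the developers quoted above described it. All values are made up.
SAMPLE_RECORD: Dict[str, str] = {
    "patient_id": "P-0001",
    "ssn": base64.b64encode(b"123-45-6789").decode(),
    "dob": base64.b64encode(b"1970-01-01").decode(),
    "notes": "Routine visit",          # plain text, not base64 at all
    "token": "q8Jw1Zk5vQ==",           # valid base64 of random bytes, not readable
}

# Shapes of the PII the article says was exposed (assumed formats).
PII_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "dob": re.compile(r"^\d{4}-\d{2}-\d{2}$"),
}


def try_base64_decode(value: str) -> Optional[str]:
    """Return the decoded text if `value` is valid base64 of printable ASCII.

    Nothing here needs a key or a secret: that is precisely why base64 is an
    encoding and not encryption. Returns None for non-base64 input and for
    base64 that decodes to unreadable bytes.
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def audit_record(record: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """List (field, decoded_value, pii_type) for each field that anyone with
    read access to the store could recover with a one-line base64 decode."""
    findings: List[Tuple[str, str, str]] = []
    for field, value in record.items():
        decoded = try_base64_decode(value)
        if decoded is None:
            continue
        for pii_type, pattern in PII_PATTERNS.items():
            if pattern.match(decoded):
                findings.append((field, decoded, pii_type))
    return findings


if __name__ == "__main__":
    for field, decoded, pii_type in audit_record(SAMPLE_RECORD):
        print(f"{field}: stored value decodes to {pii_type} {decoded!r} with no key")
```

Running the audit over the sample record reports the `ssn` and `dob` fields as recoverable, while the free-text note and the random token are ignored. Data that is actually protected at rest is unreadable without a key held outside the database, so a check like this coming back non-empty is a sign the vendor’s “encryption” claim should be questioned.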
This is where the responsibility of IT staff comes in. When IT falls short of its accountability, security deficiencies and data breaches go unnoticed, because nobody recognizes that something is wrong with the network. Johnson says that IT folks should know what’s happening on their networks. How much traffic do you have? What processes run on your machines? Take UC Irvine last month as an example: had they known their baseline, they would not have needed a month to figure out that a keylogger had been installed.
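Johnson’s two questions, how much traffic and which processes, are the basis of a simple baseline check. The following is an added example, not code from the article or from Secure Ideas: it builds a baseline from several days of constructed observations for one hypothetical workstation (the process sets and the outbound-traffic figures are made up), then flags anything in today’s observation that the baseline has never seen or that is far outside the usual traffic volume.

```python
import statistics
from typing import List, Set

# Constructed baseline for a hypothetical workstation: the process names seen
# running on each of the last five days, and outbound megabytes per day.
BASELINE_PROCESSES: List[Set[str]] = [
    {"explorer.exe", "outlook.exe", "ehr_client.exe", "chrome.exe"},
    {"explorer.exe", "outlook.exe", "ehr_client.exe"},
    {"explorer.exe", "outlook.exe", "ehr_client.exe", "chrome.exe", "teams.exe"},
    {"explorer.exe", "outlook.exe", "ehr_client.exe", "teams.exe"},
    {"explorer.exe", "outlook.exe", "ehr_client.exe", "chrome.exe"},
]
BASELINE_OUTBOUND_MB: List[float] = [120.0, 135.0, 110.0, 128.0, 117.0]

# Today's constructed observation: one process never seen before and an
# outbound volume far above anything in the baseline.
TODAY_PROCESSES: Set[str] = {"explorer.exe", "outlook.exe", "ehr_client.exe", "unknown_updater.exe"}
TODAY_OUTBOUND_MB: float = 410.0


def known_processes(history: List[Set[str]]) -> Set[str]:
    """Union of every process name observed during the baseline period."""
    known: Set[str] = set()
    for day in history:
        known |= day
    return known


def new_processes(history: List[Set[str]], today: Set[str]) -> List[str]:
    """Process names running today that never appeared in the baseline."""
    return sorted(today - known_processes(history))


def traffic_zscore(history: List[float], today: float) -> float:
    """How many sample standard deviations today's traffic sits above the baseline mean."""
    mean = statistics.fmean(history)
    stdev = statistics.stdev(history)
    return (today - mean) / stdev


def review_host(history_procs: List[Set[str]], history_mb: List[float],
                today_procs: Set[str], today_mb: float,
                z_threshold: float = 3.0) -> List[str]:
    """Return human-readable findings; an empty list means today looks normal."""
    findings: List[str] = []
    for proc in new_processes(history_procs, today_procs):
        findings.append(f"new process not in baseline: {proc}")
    z = traffic_zscore(history_mb, today_mb)
    if z > z_threshold:
        findings.append(
            f"outbound traffic {today_mb:.0f} MB is {z:.1f} standard deviations above baseline"
        )
    return findings


if __name__ == "__main__":
    for finding in review_host(BASELINE_PROCESSES, BASELINE_OUTBOUND_MB,
                               TODAY_PROCESSES, TODAY_OUTBOUND_MB):
        print(finding)
```

With these numbers the baseline mean is 122 MB with a sample standard deviation of roughly 9.7 MB, so 410 MB lands about 30 standard deviations out and is flagged together with the unfamiliar process. The value of the check is not the arithmetic but the habit it encodes: a record of what normal looks like, against which a day’s observation can be compared as soon as it arrives rather than a month later.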
“This is not just a security thing,” added Johnson. “This is an everything thing. If you don’t know what’s normal on your network, how can you manage your network?”
Johnson shared that whenever he visits the doctor now, he refuses to fill out forms requiring personal data such as his birthday, his address and, above all, his Social Security number. When confronted, he counters with how big a deal identity theft is. As someone working on the response end of incidents, he knows how damaging severe network deficiencies, hacking and breaches are.
“The Wild West” is how Johnson describes healthcare security today. He adds, “What’s in the news is just the tip of the iceberg.”
Johnson will moderate a panel – “Frontline Perspective: Combating Cyber Crime in Healthcare” – at the HIMSS Media and Healthcare IT News Privacy and Security Forum on June 16-17 in San Diego, California.
Have questions about the security of your healthcare organization? Our team of professional healthcare IT security experts can assist. We have helped many businesses across New Jersey make sure they have the right IT security solutions in place. Call (973) 638-2722 or email us at firstname.lastname@example.org. We are here to make sure your New Jersey business or healthcare organization is secured.