The next great target for criminals and digital troublemakers in 2013 is medical records. According to a long report in the Washington Post, based in part on research by the Information Security Institute at Johns Hopkins University, the many ways that health care professionals access health information about their patients are riddled with holes, despite numerous technology standards written into federal regulations.
In one case documented by the Post, residents at the University of Chicago Medical Center used a shared folder on Dropbox that allowed them to access patient records on their iPads. In another, OpenEMR, an open-source medical records system that had been adopted agency-wide by the Peace Corps, was found to have numerous flaws that opened it to attacks by hackers. Many of the weaknesses found were described as being pretty basic — or as one source quoted in the story put it, “security 101.”
Part of the problem is that the last government guidelines on this issue were published in 2005, and thus aren’t up to speed with what are now considered everyday practices.
More troubling than the vulnerabilities — which expose only the potential for an attack — are the anecdotal bits of evidence that attacks are actually taking place. At the Department of Veterans Affairs, there were nearly 200 instances of medical devices infected with malware between 2009 and 2011. In another case, a server in Utah storing Medicaid data on nearly 800,000 people was attacked earlier this year. The attack was traced to a server in Eastern Europe, though as is always the case with these things, it’s impossible to know exactly where the person carrying out the attack was situated.