Healthcare is a Hacker's Paradise and It's Only Getting Worse!

From a hacker’s point of view, healthcare has it all. There’s confidential personal data in abundance, including health information and social security details, mobile apps with sloppy security, and healthcare institutions and end users who can’t or won’t accept their vulnerability as targets.

The road to IT security hell is being paved with good intentions and a strong dose of denial (“it’ll never happen to our clinic”). Consequently, cybercriminals have been flocking to healthcare sector to partake in the pickings.

Take the recent ransomware attacks on hospitals, for example. Inadequate precautions and poor data backup policies left many institutions exposed to the ransomware threat. A midsized hospital might be forced to pay about $17,000 to get its data back after being attacked. With easy money like this, ransomware attacks flourished, also opening new avenues of attack like the ransomworm.

In general, attacks via mobile apps are being facilitated by weak or non-existent security. Infected or rogue apps allow hackers to exfiltrate private health information and more. Experian, the global information services firm, sees healthcare vulnerability continuing, citing the popularity of medical identity theft as a money-spinner for hackers, who can trade stolen patient data in different markets with relative ease.

Part of the problem comes from a change in the way health providers procure their IT solutions. Instead of the previous model of integrated healthcare IT from one vendor, institutions are being encouraged (or pushed) to work with third-party vendors for the niche and app solutions they need. However, practitioners are far from being the only healthcare app users. Patients and consumers also have a considerable appetite for this mobile software, coupled with ignorance about who is really using their personal data.

Healthcare app developers may forget about data protection. Some even deliberately monetize end-user data as part of their business model. In recent tests, as many as 80% of healthcare apps for end-users had no satisfactory privacy policy, yet handled highly confidential end-user data. In some cases, data transmissions were unsecured with personal information visible in plain text.

While consumers and patients use apps to count calories, measure heart rates, and record blood pressure, data collected by the apps may be leaking out to advertisers, health insurance providers, or other unknown destinations. And it’s not even a problem of using free apps instead of paid apps: according to the Future of Privacy Forum, paid health apps often perform worse than free apps in terms of privacy policies.

Kevin Mullenex, CEO of Mi3 Security, explains that there are two critical steps for the healthcare industry to improve mobile app security. The first is to educate developers about the need to incorporate information privacy and security into the design of their apps. Specifically, third parties often need help to properly understand their obligations to comply with HIPAA (Health Insurance Portability and Accountability Act). The second step is to properly test app security before release, whether to healthcare staff, patients or consumers.

As Mullenex says, “Mobile app testing for security, including HIPAA requirements, can now be done rapidly and effectively, with clear go/no go results for all stakeholders. Keeping apps healthy and free from malware infection is within everybody’s reach today, with no excuse for neglecting patient data privacy or consumer data confidentiality”.