27-12-2012 | Article

Security flaws emerge from the digitization of healthcare


Washington Post article

medwireNews: Electronic health records (EHR) and wireless technology continue to enhance healthcare provision and access but also increase the risk for security breaches, according to a year-long overview of medical cybersecurity conducted by The Washington Post.

The newspaper's investigative analysis discovered that hospital computers and medical devices (MDs) are exceptionally susceptible to hackers who wish to obtain patient records or launch attacks on medical systems.

These security flaws have drawn the attention of the Department of Homeland Security (DHS), which warned in a May 2012 bulletin that the inability of the Food and Drug Administration (FDA) to regulate how MDs are used and by whom opens up new vulnerabilities - especially when the devices are accessed remotely through wireless networking.

Increasingly, wireless MDs are connected to medical information technology (IT) networks, making the latter remotely accessible. "This may be a desirable development," said the DHS bulletin, "but the communications security of MDs to protect against theft of medical information and malicious intrusion is now becoming a major concern."

MDs include implantable, external, or portable equipment as well as those that the DHS describes as "expanding attack surfaces," such as smartphones, tablets, and USB devices - all to monitor a patient's health status and track EHRs.

"I have never seen an industry with more gaping security holes," Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University (Baltimore, Maryland), told The Washington Post. "If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed."

While the Health and Human Services Department (HHS) has established standards that doctors and medical facilities must adhere to when adopting certified EHR computer systems, The Post found few security measures recommended.

Farzad Mostashari, the national coordinator for health IT at the HHS, has acknowledged the security problem and ensured that steps are being taken to enhance EHR protection, such as data encryption on laptops.

In the meantime, the FDA is expected to better regulate MD security updates and keep better pace with technological developments - especially since the most recent guidelines for medical cybersecurity were published in 2005.

By Peter Sergo, medwireNews Reporter