New digital health technologies offer seemingly boundless promise to extend and improve our lives. Yet they also expose us to a growing array of security risks that require urgent attention from companies, consumers, and regulators everywhere.
Data theft is one of the biggest risks. As data bursts from the seams of healthcare IT systems and consumer health apps, cybercriminals are having a field day. Last year, hackers accessed over 100 million health records in America, according to the U.S. Department of Health and Human Services. And that includes only attacks that were detected and reported in one country. The global scale of the problem is by all evidence much larger.
The IT systems of large healthcare organizations are often targeted. In the United States, where much of the world’s most valuable health data is stored, many such organizations have insufficient incentives to secure their networks. Federal patient privacy laws are weakly enforced and healthcare organizations routinely neglect to address security vulnerabilities, according to a December 2015 exposé by healthcare journalist Charles Ornstein. Even when they make adequate efforts to protect their customers, they sometimes contract with service providers, data brokers, and other third parties that in turn mishandle the data.
Why are criminals so interested in your health data? Health records often contain highly valuable information. They can be used for health insurance fraud, illegal surveillance, blackmail, and a range of other nefarious purposes. Moreover, data breaches often go undetected for months or even years, giving criminals plenty of time to milk stolen health records. For these reasons, health records are considered significantly more valuable than credit cards on the online black markets where they are traded.
Data theft isn’t the only concern. Hackers may also seek to commandeer health information systems to disrupt or destroy them. Last month, for instance, hackers seized control of the Hollywood Presbyterian Medical Center’s computer network and forced administrators to pay over $16,000 in bitcoins to restore access. “Ransomware” attacks like these appear to be getting more common, according to a February 2016 report in Modern Healthcare, and are also growing in sophistication.
As ever more medical devices get connected via the Internet of Things, even our bodies may become subject to hacker attacks. Imagine, for instance, hackers gaining access to an implanted medical device. From a keyboard anywhere in the world, they could extort or even assassinate their victims. Back in 2013, this risk prompted Dick Cheney’s doctors to disable the wireless capabilities on his pacemaker. They weren’t being paranoid—security professionals have already demonstrated that such attacks are eminently possible.
So what to do about it? In “Future Crimes,” a 2015 book about the many vulnerabilities of our global IT infrastructure, security researcher Marc Goodman argues that we need a Manhattan Project for Cyber Security that brings together our best minds. Healthcare experts would be key in such an initiative, not only because they have knowledge of the many vulnerabilities in global health systems, but also because their expertise about the risks in this critical domain could inspire more general security innovations.
Some organizations are already taking healthcare knowledge and thinking of ways to apply it in security. Tools developed to deal with human disease outbreaks might be applicable to containing computer viruses. One such protocol, developed by the World Health Organization in the aftermath of the Ebola crisis, encourages data sharing during pandemics to facilitate better response coordination. Systems for sharing data on healthcare industry computer virus outbreaks could provide similar benefits, but most companies have historically swept these incidents under the rug to avoid embarrassment.
Healthcare organizations obviously need to improve their security systems in any case. In an illuminating panel at Techonomy 2015, security professionals emphasized the importance of patching legacy systems and having good emergency response plans. They also discussed new security techniques, some of which use mechanisms similar to aspects of the human immune system to detect potential breaches.
Better public awareness of cyber risk is also needed. Many cyber security threats can be avoided with relatively simple precautions, such as keeping software updated and avoiding sketchy apps. Educators, employers, and NGOs all have an important role to play in promoting good cyber hygiene.
As the tide of digitization sweeps across healthcare everywhere, we may be on the cusp of a golden era of longevity and wellness. Yet unless we work to improve the security of our healthcare systems, the scourge of cybercrime could jeopardize progress.