I wanted to chime in here as someone who has worked in operational/clinical
IT and now research IT at two large hospitals for the last 10 years. I've
worked mostly in database and data management, but I've collaborated
closely with other IT teams including those who manage security. I've also
participated in the roll out of a patient portal, so I've been in
conversation with security folks about these topics in the past.
Ben is absolutely right, healthcare entities (which includes insurance
companies) experience breaches frequently. Whether that's on par with other
groups that collect sensitive data, it is hard to say. Healthcare entities
are required to report all breaches of HIPAA which means we have a lot of
data about when this happens, how it happens, and who it affects, and we
don't necessarily have that same data for other industries.
It is worth noting that the dataset available at USA Today lists all
instances of breach, including not just "hacking/IT" but also things like
theft, lost laptops, improper disposal of information, etc. The categories
are self reported, so what constitutes "hacking/IT" is hard to determine
exactly, and could differ across institutions. Also, for anyone interested
in exploring that data more thoroughly and in a more analysis-friendly
format, it is all hosted in the HHS portal here:
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (see "archive" for
incidents before 2020).
But, none of this answers your question about whether *portals* are
particularly vulnerable. While all access points have some vulnerability,
my understanding is that portals on the whole are not especially high on
the list of targets. Many are built with fairly contemporary security
measures (like MFA) and any patient's credentials will only offer access to
that one person's data, which means the challenge of access is high and the
reward is comparatively low. More likely targets are ones that would yield
information about many patients at once. Examples of this could include
legacy/old EHR systems that have less robust security measures or phishing
attempts to gain credentials of employees.
If there are people with more specific security experience out there, they
certainly have better perspective than I do, but this is what I have
learned in the past so I thought it would be useful to share.
Hannah
On Tue, Feb 21, 2023 at 3:50 PM Benjamin Florin <[log in to unmask]>
wrote:
> Medical record holders that have a data breach are required to report the
> incident to the Department of Health and Human Services. *USA Today* has a
> database of breaches from 2009-2022, searchable by provider name:
> https://c0cqk195.caspio.com/dp/49083000924a653ece704bd889c6
>
> The scope of the problem is enormous. Every single health care entity I've
> ever been involved with larger than an independent doctor's office has had
> at least one breach.
>
> Ben
>
> On Tue, Feb 21, 2023 at 3:38 PM McDonald, Stephen <
> [log in to unmask]>
> wrote:
>
> > I was hoping that someone with better knowledge than I would respond
> > first, but I don't see anything yet.
> >
> > Charles, I don't happen to know of any analysis or comparison of the
> > vulnerabilities of health portals. Hopefully someone else can provide
> > something.
> >
> > You should be aware that there is a huge difference between hackers
> trying
> > to get steal personal information and hackers using ransomware. As a
> > general rule, ransomware attackers do not have and are not trying to get
> > personal information. All they want is to lock you our of your computer
> > until you pay them to regain access. Ransomware simply encrypts
> everything
> > on the computer, making it impossible to access anything until right code
> > is sent to the ransomware to decrypt it again. Sometimes all it takes is
> > to click on the wrong link or opening an infected attachment to
> > unintentionally install ransomware software and lock your system up.
> > Breaking into databases to steal personal information is a much more
> > involved and directed attack.
> >
> > That said, both hospitals and libraries have been the victims of hackers,
> > both from ransomware and from database attacks to gain personal
> > information. Library vendors have also been victims. Literally every
> > computer on the planet is vulnerable to one degree or another unless they
> > are disconnected from the network. Hackers have attacked everything from
> > the Pentagon to the personal laptops of middle-schoolers. There is lots
> of
> > good advice on the web on protecting computers against ransomware and
> other
> > hackers.
> >
> > Steve McDonald
> > [log in to unmask]
> >
> >
> >
> >
> > -----Original Message-----
> > From: Code for Libraries <[log in to unmask]> On Behalf Of charles
> > meyer
> > Sent: Monday, February 20, 2023 10:31 PM
> > To: [log in to unmask]
> > Subject: [External] [CODE4LIB] Medical Records Portals - Hacking
> >
> > My esteemed listmates,
> >
> > Has anyone found reliable analysis and risk factoring of the
> > vulnerabilities of health care (medical) portals?
> >
> > Health care professionals from doctor offices to hospitals all insist
> > patients subscribe to their health care portal.
> >
> > That raises the question of how difficult is it for hackers to access
> your
> > medical records?
> >
> > We’ve seen in the news how county governments have had to pay for the
> > ransomware holding their operational software hostage.
> >
> > Is it such a stretch those nefarious characters could also hack our
> > medical records and hold hospitals hostage?
> >
> > They could, conceivably, do the same with library materials patrons have
> > checked out holding the county hostage for that info.
> >
> > Thank you.
> >
> > Charles
> >
> > Charles Meyer
> >
> > Charlotte County Public Library
> >
> > Caution: This message originated from outside of the Tufts University
> > organization. Please exercise caution when clicking links or opening
> > attachments. When in doubt, email the TTS Service Desk at [log in to unmask]
> > <mailto:[log in to unmask]> or call them directly at 617-627-3376.
> >
> >
>
> --
> Ben Florin
> Web Developer
> Boston College Libraries
> 617-552-4582
> [log in to unmask]
>
|