Hospitals and the Risk of Hacking

Posted by on May 30, 2013

While most industries have flocked to the convenience and cost savings of the cloud, health-care providers and hospitals have been slow to adopt: even the fastest-growing medical cloud service holds less than 5 percent of the physician market. The wariness makes sense given HIPAA obligations and the threat of third-party attacks. In a recent survey by CFO Research Services, 75 percent of respondents had experienced financial loss and workflow interruptions as a result of third-party attacks, and the Russian-Ukrainian cyber gang known as Best Inc. recently stole more than a million dollars from a hospital in Washington.

Health records have gone digital

Photo courtesy of ProvidersEdge.com

Patients should know that hackers can and have attacked hospital databases to extort providers over stolen patient records. Medical offices and hospitals can reduce that exposure by keeping sensitive patient data in private cloud storage that encrypts records on the client before they are uploaded, so the storage provider never holds readable data. Such precautions are necessary given the prevalence of hospital hacking and of internal data theft.

In 2011, a disgruntled employee at Florida Hospital accessed the private records of over 700,000 patients; among them, the data of 12,000 car-accident victims was sold to chiropractors and attorneys for marketing, literally adding insult to injury. And in 2012, Crescent Healthcare had computer hardware stolen that contained personally identifiable information and protected health information, resulting in a HIPAA breach notification. Both cases were preventable, but by different controls: the insider case calls for least-privilege access and audit logging of who views which record, and the stolen hardware case for full-disk encryption on every device that holds patient data. Keeping patient data in a fully encrypted cloud service complements those internal IT policies but does not replace them, since a remote backup cannot protect plaintext left on a stolen laptop.

The high cost of HIPAA civil penalties.

Infographic courtesy of InspiredLearning.com

Take the case of the dermatology practice at Surgeons of Lake County whose office computer system was hacked. The attackers breached the practice's server, seized patient data, and attempted to extort the practice by demanding a ransom. As electronic health records and electronic medical records become the standard for patient data storage, such attacks will only become more widespread unless the industry as a whole addresses the problem of securing patient privacy.

According to the Secretary of the Department of Health and Human Services, almost 21 million people have had their electronic medical records or electronic health records stolen or breached in the past three years. The biggest data breach was in the case of TRICARE, the health care program for Armed Forces members and their families: a medical subcontractor lost the records of nearly 5 million people. The lesson is not merely that data must be backed up, but that backup copies must be encrypted. A copy that leaves the provider's control in readable form is a breach waiting to happen; had the records been held in a private cloud service that encrypts them on the client before upload, the lost copy would have been unreadable without the key.

Top data breaches of 2012

Image courtesy of healthcareitnews.com

Shockingly, governmental health institutions are just as careless about basic security measures as some sectors of private healthcare. In 2012, hackers traced to Eastern Europe seized the private medical records of 780,000 Utah residents from a Utah Department of Health server. Even medical insurance companies have been breached, as in the cases of major insurers Health Net and Blue Cross Blue Shield, exposing millions of individual patient records to potential misuse.

Patients, consumers, and citizens should demand that their private health records be kept private from hackers and from disgruntled employees looking to make a quick buck by selling medical records. And healthcare providers, insurers, and governmental health organizations should proactively seek security solutions to the glaring gaps that currently leave patient records wide open to hacking and resale. Shifting private records to a cloud service that encrypts them on the client can ensure that sensitive information is kept truly private, protecting both patients and providers.

Privacy for Patients

For true user privacy, a cloud storage and sharing service built on the zero-knowledge model, such as SpiderOak, offers the convenience and savings of the cloud while limiting what a breach of the service itself can expose. SpiderOak is a cloud storage and sharing service that offers data backup and syncing. It stands out in the crowded cloud market by encrypting everything on the client before upload: medical records, folder names, and file names are encrypted with 256-bit AES under keys derived from the user's password, and the password itself never leaves the device, so the stored data cannot be read by SpiderOak or its employees. Account login is additionally protected by two-factor authentication.

Two-factor authentication works like the extra step some banking and financial services require, but the second factor must be something you have rather than a second thing you know (a PIN or the answer to a secret question is still a knowledge factor, not a second factor). For SpiderOak, this means entering a one-time code delivered by SMS in addition to the account password when logging in. Once logged in, medical providers can store and share data without the service ever seeing it in the clear: SpiderOak describes itself as "zero-knowledge" because it never receives the plaintext password or the encryption keys derived from it. Those keys are generated and held only on the user's own devices; the server stores ciphertext it cannot decrypt. Two caveats follow from this design. First, because the key is derived from the password, the password's strength bounds the strength of the encryption, so a weak password undermines 256-bit AES. Second, a forgotten password cannot be reset by the company, since it holds no copy of the key, so a provider must arrange its own password and key escrow. SpiderOak's clients are available for Windows, Mac, and Linux desktops and for Android and iOS, giving health care providers flexibility along with security.

3 Responses to “Hospitals and the Risk of Hacking”

  1. Thank you for sharing this article on encryption, cloud storage and privacy/security. I do Canadian personal and corporate income tax preparation on my laptop. I am very security conscious, especially in regards to Windows. Because of this, and the fact that Linux by default is very secure, I run Windows as a virtual machine in Linux to ensure the data is safe.

    However, backups were not done on a regular basis. Two years ago I tripped and fell while carrying the laptop. The drive got damaged and at least a month’s worth of tax data was lost.

    Although I trust Google and know their services are secure, I do not like the idea of Google having all my clients' tax information. Besides, Google's Linux software does not work properly with openSUSE Linux, which I use.

    The SpiderOak backup software and service provides me with automatic backup as well as the ability to securely share among my laptop, virtual machines and Android phone.

    I highly recommend all businesses, big and small, use SpiderOak.

  2. Samir Shukla says:

    I am doing a grad thesis right now on “why are hospitals reluctant to employ the cloud as cost saving measures.” One question that has come up in recent weeks is, how do we know that the NSA, FBI, CIA, etc will not spy on my medical records? The CIA is on the verge of issuing a large contract with Amazon Web Services. Will their partnership with Amazon allow easier access to medical sites that host with Amazon Web Services? I know that you are not Amazon, but the same questions apply to your company: What are you doing to ensure that my medical data isn’t funneled in to a huge government database?

    • Daniel B. says:

      Hi Samir,
      Thanks for your comment! Sounds like a great thesis, hope I can help. There’s no way of knowing exactly how governmental espionage programs work, but it is possible for medical records to be data mined. This is why medical records should be exclusively stored on a private cloud with strong encryption and user anonymity. This way, even if passwords were cracked, all the government would be able to see are unreadable blocks of encrypted data, especially if encryption keys are only kept on approved hospital devices. Amazon hasn’t made any guarantees yet on safeguarding user privacy, so it is possible that a weakness in the security could provide a doorway to any hosted medical sites. As for SpiderOak, 256-bit AES encryption keeps data safe. Plaintext encryption keys are only stored on approved devices and the company has absolutely zero-knowledge of user data. Essentially, SpiderOak keeps user data private and user identities anonymous.
