Health IT investigation finds ‘gaping security holes’

Most known data breaches have been by hackers intent on identity theft.

The health-care industry’s headlong rush into information technology and wireless services has significantly increased its vulnerability to hacking, partly because the industry is slow to address known risks, the Washington Post reported after a year-long investigation.

“I have never seen an industry with more gaping security holes,” Avi Rubin, technical director of the Information Security Institute at Johns Hopkins University, told the Post. “If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.”

According to the newspaper, Rubin found that health IT specialists often fail to correct flawed software and health-care workers routinely bypass security safeguards.

Another problem is that many health IT vendors mistakenly believe they cannot update systems approved by the Food and Drug Administration, the paper said. Such updates are actually encouraged by the FDA.

Electronic health records are at risk from “basic, basic, Security 101 vulnerabilities,” N.C. State University computer scientist Laurie Williams told the paper. “I’m concerned that at some point the hackers are really going to begin exploiting them. And that’s going to be a scary day.”

Most of the known health IT data breaches have been by hackers looking for personal patient information for identity-theft purposes. Lost laptops and other mobile devices have been a major cause of data breaches.

But the Post noted that medical devices such as heart defibrillators and insulin pumps also are vulnerable to hacking, as the General Accountability Office pointed out in a report this summer. The GAO recommended the FDA expand its medical-device focus to include cybersecurity threats.