Concerns Over Medical Software Security
September 9, 2016, by Arianna Gael
With record numbers of hacking events and data breaches exposing hundreds of millions of individuals’ personally identifiable information every year, you’d think by now there’d be no one left to have an unblemished, untarnished, “unpublished” security record. In fact, experts like the ITRC have begun warning consumers about data breach fatigue, or the lack of a concerned response to the news that their identities have been compromised.
But there’s a growing interest in a specific prime target for hackers, and it should have consumers terrified. The recent wave of attacks against hospitals, medical centers, and doctors’ offices means victims in a breach have a lot more to lose than their identities. They could potentially lose their lives.
Medical offices are hot targets for a variety of reasons. First, they gather just about every piece of information you’ve got, literally including your DNA. But more importantly, something like a ransomware attack is more likely to work if the trap snares a medical office; with the severe penalties for violating privacy laws–even if a hacker was at fault–the hospital often chooses just to pay the ransom in order to avoid the hefty fines and the lawsuits from the patients.
There’s yet another reason why your medical records might be at more risk than something like your bank account. Too many doctors’ offices and hospitals are using outdated or underperforming software, and then not protecting it from intrusion.
An article from ZDNet on an investigation into dental office software, for example, revealed that the three most commonly used software titles had severe vulnerabilities that could give the right hacker administrative and root access to patients’ records. One of the three is an open source title that comes with a blank password, and another identified in the study is even in use by the US government for its military medical offices and Veterans Administration healthcare facilities.
The very unfortunate truth is that you’re not getting medical care without turning over all of your information–sometimes even Social Security numbers in the US, and certainly NHS numbers in the UK–but as a patient you have zero ability to know what software is powering the storage of your data, or whether the person typing your entire life into a dusty old desktop computer has updated it in a while.