The FBI recently issued two private industry notices (PINs) to the healthcare sector, warning that cyber-attacks against devices and systems in that industry are likely to increase. The notices were issued to a number of undisclosed and unidentified organizations in the healthcare sector on April 8 and April 17.
According to comments made by an FBI Spokeswoman to Security Media Group, the reports were not issued because of an imminent threat but rather, “based on recent ‘open source’ reports issued by industry researchers and other sources about increasing cyber threats and related potential fraud facing the sector.” These privately commissioned reports, from organizations such as The SANS Institute and Ponemon, have urged the healthcare systems to boost security.
The main areas of concern the reports cited include the transition to electronic health records EHRs and the increasing amount of medical devices connected to the Internet. The cyber security of the healthcare industry, as a whole, is lagging behind other industries, such as the financial and retail sectors, who long have been targets of hackers seeking consumer credit card information and other personal information. A person’s medical records can command higher pricing on the black market since it can be used not only for fraudulent financial gain, but also to obtain prescriptions for controlled drugs. In part due to the HITECH Act electronic health record incentive program, the majority of healthcare providers will have transitioned to EHR systems as of January 2015, so an increase in attacks is likely.
The FBI spokeswoman mentions another overarching goal of the reports: “To educate people in the sector who are not aware.” The notice urged recipients to report suspicious or criminal activity to local FBI bureaus or the agency’s 24/7 Cyber Watch.
Whereas other industries have had secure technologies in place for many years, these technologies and their corresponding practices are just now being developed and implemented in the healthcare industry.
This FBI warning should serve as one more voice in the drumbeat of alerts regarding the threats to health care information. Covered entities and their business associates need to devote the necessary resources to protect their information systems.
