Here’s a riddle: What’s good at curing people but not very good at getting rid of noxious viral bugs? Answer: The U.S. health care system.
The U.S. health care industry has been hit with 22 major computer breaches since mid-2015 that have resulted in the loss of millions of patient records, says SecurityScorecard, a New York City firm that offers cybersecurity ratings and monitoring.
Nearly two-thirds of the 27 largest hospitals in the United States are slow to install security patches to overcome cyber vulnerabilities, the company said in a report released Thursday.
It was one of two surveys released this week on the health care system and cybercrime. The second report, released by Intel Security’s McAfee Labs unit, underscored that stolen medical records are less valuable than stolen records from banks – but still valuable.
On underground web forums, McAfee Labs found that an individual’s Social Security number, birth date and account numbers were valued “between $14 to more than $25 per record.” Medical records, it reported, “range from a fraction of a cent to $2.42 per record.”
Alex Heid, chief research officer at SecurityScorecard, said cybercriminals attacked the health care sector because it was less rigorously defended than other industries, like the financial and energy sectors, but also because health records contained financial data.
“Hospitals have a lot of data that is similar to the financial sector: Social Security numbers, account numbers and credit card numbers,” Heid said. “People can use compromised health care records for Medicare fraud.”
His company’s survey looked at health insurers, manufacturers of medical devices and providers of medical treatment, and found weaknesses among manufacturers and hospitals.
Heid said medical device manufacturers – which make insulin pumps, infusion systems and pacemakers, all connected to the internet – had largely been focused on improving their products rather than protecting them from cyber fraudsters.
“They are making hardware with a main focus of preventing the loss of life or maintaining life. They are trying to develop the functionality of the device,” he said.
The world’s largest seller of health care products, Johnson & Johnson, warned Oct. 4 that one of its internet-connected insulin pumps contained a vulnerability that would allow a hacker to overdose diabetic patients. No such cases have been reported, and the firm provided advice on how to patch the vulnerability.
In August, a prominent stock short seller alleged that Minnesota-based St. Jude Medical produced pacemakers that were vulnerable to cyberattack. St. Jude Medical sued the firm, Muddy Waters LLC, last month, saying that its charges were an “insidious scheme” to lower the stock price.