Alarming Cybersecurity Challenges in Contemporary Health Care


By Dr. Satyendra Kaith, Adjunct Faculty, School of Business and Information Technology

In October 2014, the National Cyber Security Alliance and numerous other champions celebrated the 11th year of National Cyber Security Awareness Month (NCSAM). However, if recent news regarding the massive wave of breaches suffered by Hollywood celebrities and retailing icons such as Home Depot and Target is not alarming enough, consider the real danger that your own health data could be stolen by hackers. Let us consider some hard statistical facts.

According to an unclassified Private Industry Notification issued by the Federal Bureau of Investigation, “Cyber actors will likely increase cyber intrusions against health care systems—to include medical devices—due to mandatory transition from paper to electronic health records (EHR), lax cybersecurity standards, and a higher financial payout for medical records in the black market.” The open source reports included in this notification warn that the health care industry is not technically prepared to combat even cybercriminals’ basic intrusion tactics, techniques, and procedures, much less advanced persistent threats. These reports validate fears that, compared with the financial and retail sectors, the health care industry is even more vulnerable to cyber intrusions (Department of Justice, Federal Bureau of Investigation, 2014).

For instance, the most notable of these reports is a SANS Institute report that raises red flags about security strategies and practices in health care, which are ill-equipped to handle new cyber threats such as the hacking of patient medical records, billing and payment organizations, and intellectual property. Further analysis in the report identifies the kinds of health care systems that were found compromised: radiology imaging software, digital video systems, fax machines, printers, and security devices and applications including virtual private networks (VPNs), firewalls, and routers. Once these systems are compromised, malicious traffic flows readily through the very VPNs and firewalls that are supposed to block it. Notably, the biggest root cause of vulnerability was the misconception among health care IT professionals that their current security systems and compliance strategies were adequate, a belief clearly contradicted by the data in the SANS report.

A recent article in MarketWatch (Levin, 2014) notes that nearly half of identity thefts involve medical data. The article cites a Ponemon Institute finding that criminal attacks on health care organizations have increased 100% since 2010. The institute’s Fourth Annual Benchmark Study on Patient Privacy and Data Security outlines the key security threats to patient information that are troubling health care organizations (ID Experts, 2014): the Affordable Care Act, criminal attacks, employee negligence, unsecured mobile devices (e.g., smartphones, laptops, and tablets), and third parties. The institute’s chairperson and founder, Dr. Larry Ponemon, is particularly concerned about the trend in criminal attacks on hospitals. Dr. Ponemon observes that the combination of insider and outsider threats presents a multilevel challenge, and he warns that health care organizations lack the resources to address this reality.

Today’s rapidly changing IT network is more distributed and more virtual than ever, leaving more data stored on remote endpoints such as laptops and smartphones and increasingly accessed through collaborative cloud-based applications. It is no surprise that more sophisticated malware targets these applications as a way to gain unauthorized access to sensitive information. Furthermore, mounting budget pressures are pushing organizations toward more distributed, heterogeneous, and virtual computing alternatives in order to meet business objectives cost-effectively.

To address these challenges, the parties involved must collaborate and share information seamlessly to meet IT risk and systems management requirements. Endpoint security vendors such as Lumension recommend an integrated, end-to-end solution that combines best-of-breed endpoint security and operations functions, centralizes policy and event management, and scales across thousands of endpoints to address endpoint management and security challenges (Lumension Security, 2014).

According to a 2014 security forecast by Kroll Cyber Security, the data supply chain and the threat of malicious insiders will pose continuing challenges to hospitals this year. While organizations may have their own security in order, the same may not be true of the business associates who handle their data. “What we’re seeing in many cases is that as that data leaves the hospital it ends up in the hands of third parties that may not have the same stringent requirements as the hospital or health insurance plan. That is going to be a significant issue for the next few years,” said Tim Ryan, managing director and cyber investigations practice leader for Kroll (Due Diligence an IT Priority for 2014, 2014).

It is encouraging to learn that NCSAM has grown exponentially in the last 11 years, reaching consumers, small and medium-sized businesses, corporations, educational institutions, and young people across the nation. For more information on NCSAM events, ways to get involved, the NCSAM champion program, and additional resources, visit

In an encouraging development, the Privacy and Security Committee of the Healthcare Information and Management Systems Society (HIMSS) is continuing its guidance efforts for the implementation of strategic initiatives that promote the privacy and security of health care information and management systems. Those initiatives aim to meet requirements for confidentiality, integrity, availability, and accountability, based on sound risk management practices and using recognized standards and protocols. The committee also provides oversight for several volunteer task forces and work groups.

Transforming health care through technology requires continual joint effort from the public and private sectors. I encourage readers of this article to find their niche and start contributing their ideas to HIMSS and to the national health care agenda for minimizing cybercrime, especially in health care.


Department of Justice, Federal Bureau of Investigation. (2014, April 8). FBI Cyber Division Bulletin: Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions. Retrieved September 10, 2014, from FBI:

Due diligence an IT priority for 2014. (2014). Healthcare Risk Management Review.

ID Experts. (2014, March 12). Criminal Attacks on Healthcare Organizations Increase 100 Percent. Traverse City, Michigan: ID Experts. Retrieved September 10, 2014, from ID Experts:

Levin, A. (2014, March 18). Nearly half of identity thefts involve medical data. MarketWatch.

Lumension Security. (2014). Lumension® Endpoint Management and Security Suite. Retrieved September 22, 2014, from Lumension: