I wanted to chime in here as someone who has worked in operational/clinical IT and now research IT at two large hospitals for the last 10 years. I've worked mostly in database and data management, but I've collaborated closely with other IT teams, including those who manage security. I've also participated in the rollout of a patient portal, so I've been in conversation with security folks about these topics in the past.
Ben is absolutely right: healthcare entities (which includes insurance companies) experience breaches frequently. Whether that's on par with other groups that collect sensitive data is hard to say. Healthcare entities are required to report all breaches of HIPAA, which means we have a lot of data about when this happens, how it happens, and who it affects, and we don't necessarily have that same data for other industries. It is worth noting that the dataset available at USA Today lists all instances of breach, including not just "hacking/IT" but also things like theft, lost laptops, improper disposal of information, etc. The categories are self-reported, so what constitutes "hacking/IT" is hard to determine exactly, and could differ across institutions. Also, for anyone interested in exploring that data more thoroughly and in a more analysis-friendly format, it is all hosted in the HHS portal here: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (see "archive" for incidents before 2020). But none of this answers your question about whether *portals* are particularly vulnerable. While all access points have some vulnerability, my understanding is that portals on the whole are not especially high on the list of targets. Many are built with fairly contemporary security measures (like MFA), and any patient's credentials will only offer access to that one person's data, which means the challenge of access is high and the reward is comparatively low. More likely targets are ones that would yield information about many patients at once. Examples of this could include legacy/old EHR systems that have less robust security measures, or phishing attempts to gain credentials of employees. If there are people with more specific security experience out there, they certainly have better perspective than I do, but this is what I have learned in the past, so I thought it would be useful to share.
Hannah

On Tue, Feb 21, 2023 at 3:50 PM Benjamin Florin <benjamin.flo...@gmail.com> wrote:

> Medical record holders that have a data breach are required to report the incident to the Department of Health and Human Services. *USA Today* has a database of breaches from 2009-2022, searchable by provider name: https://c0cqk195.caspio.com/dp/49083000924a653ece704bd889c6
>
> The scope of the problem is enormous. Every single health care entity I've ever been involved with larger than an independent doctor's office has had at least one breach.
>
> Ben
>
> On Tue, Feb 21, 2023 at 3:38 PM McDonald, Stephen <steve.mcdon...@tufts.edu> wrote:
>
> > I was hoping that someone with better knowledge than I would respond first, but I don't see anything yet.
> >
> > Charles, I don't happen to know of any analysis or comparison of the vulnerabilities of health portals. Hopefully someone else can provide something.
> >
> > You should be aware that there is a huge difference between hackers trying to steal personal information and hackers using ransomware. As a general rule, ransomware attackers do not have and are not trying to get personal information. All they want is to lock you out of your computer until you pay them to regain access. Ransomware simply encrypts everything on the computer, making it impossible to access anything until the right code is sent to the ransomware to decrypt it again. Sometimes all it takes is clicking on the wrong link or opening an infected attachment to unintentionally install ransomware software and lock your system up. Breaking into databases to steal personal information is a much more involved and directed attack.
> >
> > That said, both hospitals and libraries have been the victims of hackers, both from ransomware and from database attacks to gain personal information. Library vendors have also been victims.
> >
> > Literally every computer on the planet is vulnerable to one degree or another unless it is disconnected from the network. Hackers have attacked everything from the Pentagon to the personal laptops of middle-schoolers. There is lots of good advice on the web on protecting computers against ransomware and other hackers.
> >
> > Steve McDonald
> > steve.mcdon...@tufts.edu
> >
> > -----Original Message-----
> > From: Code for Libraries <CODE4LIB@LISTS.CLIR.ORG> On Behalf Of charles meyer
> > Sent: Monday, February 20, 2023 10:31 PM
> > To: CODE4LIB@LISTS.CLIR.ORG
> > Subject: [External] [CODE4LIB] Medical Records Portals - Hacking
> >
> > My esteemed listmates,
> >
> > Has anyone found reliable analysis and risk factoring of the vulnerabilities of health care (medical) portals?
> >
> > Health care professionals from doctor offices to hospitals all insist patients subscribe to their health care portal.
> >
> > That raises the question: how difficult is it for hackers to access your medical records?
> >
> > We've seen in the news how county governments have had to pay for the ransomware holding their operational software hostage.
> >
> > Is it such a stretch that those nefarious characters could also hack our medical records and hold hospitals hostage?
> >
> > They could, conceivably, do the same with library materials patrons have checked out, holding the county hostage for that info.
> >
> > Thank you.
> >
> > Charles
> >
> > Charles Meyer
> >
> > Charlotte County Public Library
>
> --
> Ben Florin
> Web Developer
> Boston College Libraries
> 617-552-4582
> benjamin.flo...@bc.edu