Healthcare News & Insights

Hospitals are vulnerable to security risks, putting patient data, care in danger

Hospital IT departments are overwhelmed and understaffed. The problem is that hospitals are a goldmine of data for hackers. In this guest post, Ray Overby, co-founder and president of a software and security services firm specializing in mainframe security, identifies how hospitals are at risk.


Over the past year, cybercriminals have made the healthcare industry a top target. Most modern hospitals depend on clinical information systems and connected medical devices to operate 24/7/365, and the largest hospitals also rely on mainframes to store critical patient information, all of which can be hacked.

Although the mainframe is one of the most securable platforms available, the security of these hospital systems isn’t always up to the standards required by most other industries. Hospitals need both the staff and the technology to ensure their mainframes are always up, running and protected. In today’s environment, that’s a challenge – and it’s putting patient care in danger.

IT departments are overwhelmed

A recent survey of nearly 2,500 healthcare security experts revealed that 96% think bad actors are outpacing the defenses of their medical enterprises. Meanwhile, 39% of healthcare IT staffs consist of fewer than 10 people. Hospital IT departments are stretched thin, and there simply aren’t enough resources to adequately manage the security of these systems, or keep up with the rapid pace at which hackers can work.

The problem isn’t that hospital IT workers aren’t technically astute. Rather, hospital IT departments are overwhelmed and understaffed. Today, if a system locks up and the hospital can’t input data, the clinical staff have to log clinical data until they can input it into the system. This can end up being thousands of records, depending upon the size of the hospital system. IT doesn’t have the staff to maintain the level of security required when they’re spending all of their time making sure the clinical information systems are providing the uninterrupted service needed.

At the same time, large hospitals and organizations are consolidating, creating another level of difficulty, since often neither partner is prepared for the complexity involved in the subsequent IT transformation.

Risks to patients

Vulnerabilities in the hospital IT system affect patients, putting their personal information at risk and even endangering treatment itself. Think about how much information hospitals have on their patients, ranging from personally identifiable information like SSNs, addresses and contact information, to medical history and, often, family history. If a hospital is hacked, all that information is now vulnerable.

There’s also a more immediate risk to patient care. Most medical devices today are peer-to-peer or wireless. Things like heart pumps or machines that dispense medicine are wirelessly attached to the clinical information system. If a hacker were to infiltrate or take the mainframe down, all that medicine could no longer be accurately administered, and medical devices would be endangered. Clinicians depend upon the technologies available to them today to provide patient care. Hospitals are staffed based upon their systems being available.

Clinical information systems tend to be complex systems, where everything is driven by doctors’ orders. If doctors and nurses can’t access those orders, if they can’t communicate new patient information electronically, or if they can’t see when the patient last received a certain type of medication, the risks to patient care could be catastrophic. If a hacker took over the system and wiped out all the doctors’ orders, it would cripple the hospital, and likely put patients’ lives at risk.

Insurance complications

Hospitals also must keep tabs on the insurance companies they work with. Most insurance companies are tied to hospital systems electronically. When a patient comes into the emergency room and the hospital inputs the number on their insurance card, it’s automatically sent to the insurance company to validate their coverage.

The risk here stems from the fact that everything is tied together electronically. If the insurance company has been hacked, or is having a problem with their mainframe or IT system, and therefore can’t validate the coverage number, payment to the hospital may be delayed.

Many of the largest hospital networks rely on mainframes, leaving them vulnerable to a variety of security risks. There are any number of mainframe code-based vulnerabilities that leave hospitals open to crippling attacks, and unfortunately hospital IT departments are unprepared. The good news is that most of these vulnerabilities are patchable; the bad news is that healthcare organizations aren’t aware of, or trained in, scanning for vulnerabilities or efficiently applying patches. It’s time for hospitals to invest in solutions and strategies that can save their IT systems – and even patients’ lives.

Ray Overby is co-founder and president of Key Resources Inc., a software and security services firm specializing in mainframe security.


