The flu is poking holes in hospital cybersecurity, and a shot can’t save you


(in)Secure is a weekly column that dives into the rapidly escalating topic of cybersecurity.

When it comes to cybersecurity breaches, we tend to think of large corporations or governmental institutions that hold vast amounts of personal data. However, hospitals and medical centers are organizations that hold onto thousands of personal records. When they’re hit by epidemics as bad as this year’s flu outbreak, they’re left completely vulnerable to a cyberattack that could touch their patients’ valuable medical records.

We spoke with Shane Whitlatch, an executive at the cybersecurity company FairWarning, whose clients are hospitals that have been or could one day be the victims of cybersecurity attacks. According to their information, something as harmless as checking in to a hospital when you have the flu could have huge ramifications on your cybersecurity — and you would never even know about it.

Digital Trends: This year’s flu outbreak was particularly bad. What kind of things happen at a hospital during something like a flu outbreak, that can have such a negative impact on a hospital’s cybersecurity?

Shane Whitlatch: The flu epidemic is just another crisis. There can be many different types, but what’s important in a crisis isn’t necessarily what happens right there during the actual event. What’s important is whether or not [the hospital] planned well before the crisis. Did you have processes, programs, and action items in place that prepare you so that when you do have a crisis — whether it’s a flu epidemic, a terrorist attack, or a train accident — you aren’t left vulnerable to a cybersecurity attack?


It’s oversight. People start to skip steps. If I normally check in 10 patients an hour, but now I’m going to get double that, I need to move faster if I’m going to see these patients. Can I just stay signed in? Do I have to badge in? Are there steps I can skip so that I process patient care faster and put less of a priority on security?

Criminals look for opportunities — and during the flu outbreak, they know the focus is going to be on those events. So maybe there’s an opportunity for them there when employees are leaving sign-ins logged on to computers longer because they’re busy seeing more patients than they normally do. Maybe it means they’re sharing credentials more frequently because they’re focused on patient care. It just presents opportunity. If you don’t train your staff and you aren’t prepared — you’re going to not only be hit by the crisis, but also by criminals who are looking to exploit those opportunities.

Is there a precedent for hospitals being hacked or attacked by cyber-criminals? Is that something that is happening regularly?

If it hasn’t happened yet, they probably just don’t know about it yet. So the answer is yes.

We’ve got an example — and this is in the public record — of Hurley Medical Center in Flint, Michigan. It had hacktivist attacks going after medical records associated with the water crisis up there. I think the answer is “yes,” but I’d like to let third-parties be the reference points for that.

In the case of something like a hack, what should people be worried about as patients?

There are some things that are obvious, and some that are less so. The most obvious thing is your insurance information. That’s what’s valuable. They wouldn’t steal the data if it wasn’t valuable. They can take your insurance information, change your mailing address, and sell that to someone who can’t get insurance. That’s the first thing — so pay attention to your EOB (explanation of benefits) letters that you get in the mail. If it says you got some treatment for something that was covered that you never received, that’s a problem. That could maximize your benefits and hit your deductible and you never even got care. Those are the obvious ones.


The ones that aren’t so obvious we’ve heard from our customers are where people have changed information on the stolen medical records. If I’m using a stolen ID and I go to a local hospital somewhere — and let’s say I haven’t been treated there before and I have a fake ID — to seek care for something like a broken arm, or something worse, which it usually is. But if my blood type is different than the person it was stolen from, the hospital might change your blood type on your medical record because they assumed the person didn’t know their blood type. That may not matter to you now, but if you get in a car accident and need a blood transfusion or something like that, they might put the wrong blood in. That’s a less obvious consequence — and it can be a deadly one.

Right now, do you feel like hospitals are aware of how important cybersecurity is?

Certainly, now more than before. Our customers, obviously, are aware of them and are fighting the good fight. What’s encouraging from what I’m hearing from them and from the executives themselves, is that the board is becoming more aware.


That’s partially because of education and because of very public breaches. The Anthem breach was a major one. There are very large breaches that are making the news where board members are seeing it and starting to ask questions. It’s becoming more well-known outside of just IT security, but absolutely IT security is aware of it.

Is there anything that patients can do to protect their own medical information when they’re checking into a hospital or interacting with their health records in any way?

I’ll speak personally — I try not to share my social security number as best I can. It’s probably already stolen anyways. The other thing you can always do is ask for an accounting of disclosures, which gives you a record of everyone who’s touched your records — and that’s part of a federal law.

The other thing is just being vigilant about where you go to seek care and what you do with your information and who you share it with. Pay attention to the forms they have you sign. When they ask if they can share your information, don’t just blindly sign all of them. Ask questions about it. Be vigilant. And when you do that, it’s another form of educating the hospital staff that this privacy thing does matter. It’s not just a poster on a wall.
