The Global Computing Dilemma of the Healthcare Institutions

The healthcare industry and other medical institutions are not good maintainers of operating systems and application updates. They usually use their computers until it breaks down, and they will be replaced by a brand-new computer equipment once funds were made available. The applications installed in these same hardware usually remains unpatched, the same version persist year-after-year.

Vulnerabilities exist with old unpatched software, the fortunate short gap between the discovery of the vulnerability and the patch from the vendor is not taken advantage of by the healthcare industry. They usually choose to use the unpatched computers until a real problem is discovered which renders them completely unusable. This needs to chance, in fact, security professionals are trying to pressure healthcare institutions to take a higher road of protecting their computers, in order to protect patients’ records.

“From a purely monetary perspective, medical records, depending upon their completeness, can fetch upwards of $1,000 per record. Contrast that number with credit cards, where the typical value is $30,” explained Matt Chiodi, Chief IS Office of Redlock, a cloud threat consulting firm.

In many territories, patients’ data is highly valued and protected, but the biggest weakness is the very computer equipment hospitals use to track patients’ progress while being confined. Many of those computers are even running using Windows XP, an operating system declared unsupported by Microsoft since 2014. Some hospitals with low funding cannot afford to upgrade the hardware, hence it cannot use a newer supported version of the operating system to work with.

As medical technology improves, more information is extracted from the patients year-on-year. One such new data come from DNA analysis, blood sample analysis, and other laboratory sources. This data cannot be stored in the current Windows XP machines that hospitals are using. “The general fear is actually with the customer signing away their DNA profile to a testing company. There has been little concern of the theft for malicious intent, mainly due to the mapping to value of the data. The real threat is that the value is unknown, meaning that two years down the road people might start seeing a value to the data, and your DNA data may be on a system with inadequate protection,” said Chris Jordan, Fluency’s CEO, a cybersecurity firm.

Cybersecurity professionals continue to sound the alarm about the huge risks that healthcare institutions are facing. The threat is real, and it will cost the healthcare institution more money repairing the damages, while also losing the confidence of their patrons, the patients. “Moving forward, there’s a chance that cybercriminals could change tactics and, instead of destroying sensitive data, use it for targeted attacks. As an example, a patient with a sexually transmitted disease could find themselves blackmailed; a patient with an allergy could be attacked with his or her allergen. Healthcare organizations should perform regular security assessments of their systems. Not just the usual HIPAA compliance assessments, but beyond formal requirements, including practical penetration tests,” explained Rami Muleys, Positive Technologies’ Head of Application Security.