The skeptic might argue that Cyber City isn’t a real place, and therefore a healthcare system there couldn’t have been hacked. Cyber City is a real place, and it exists somewhere in a New Jersey suburb for the purpose of training federal employees in the art of cyber defense. Cyber City is the brainchild of Ed Skoudis of SANS, an information security training organization responsible for training the people who are charged with defending our country’s digital assets.
In a piece by the folks at New Tech City (if you don’t listen to this, you should), Skoudis explains how Cyber City works. The theory is that our cyber defenders learn how to defend against real cyber terror by studying and subverting hacks involving Cyber City’s real (virtual) power grids, water treatment facilities, coffee shops with open WiFi, airports with real (virtual) passengers and even hospitals with real (virtual) patients and patient data.
What struck me most in the story were Skoudis’ biting words about hospital security practices:
“We actually, for some of our hospital systems, we had to change the code in them to make them more secure than they would be in a regular hospital, otherwise it’s just too trivial to hack.”
In the midst of all the news we hear about the insecurity of our power grids when it comes to cyber vulnerabilities, Skoudis indicated that the power grid’s security was much more layered and less problematic. What does this stinging indictment of the healthcare industry’s information security practices tell us? At the very least, we need to redouble our efforts to care for the data at the heart of our nation’s healthcare. With the Sony hack showing us that cyber attacks are not just about credit card numbers, but about vandalism and data destruction, we need to think about this potential in our hospitals. How many lives could a hacker take by sneaking in and shutting down systems or changing data? How much embarrassment and public shame could be inflicted by dumping 100 gigabytes of patient data on the web for all to see?
Health IT spending has been about EMRs, workflow and revenue for many years now, and to simply say that Information Security in the Healthcare Enterprise is “on the list … we’ll get to it,” is not acceptable. What bigger indictment do we need than to hear a leading authority state that when it comes to healthcare (as a rule), there really aren’t any barriers for the cyber-terrorist to breach? Was a healthcare system hacked in reality? Yes, it was the folks at SANS who hacked the dirty truth about the state of healthcare information security in the US. In the real world, healthcare isn’t secure. The hospitals in Cyber City, however, are slightly more secure … just to up the game a little.