FBI Warning Highlights Healthcare Sector’s Vulnerability to Cyber Attacks

In a private message sent to health care providers, the FBI warned health care industry companies of being targeted by hackers and advised them to take immediate measures to defend their systems.

The alert comes after the attack on U.S. hospital group Community Health Systems Inc. that resulted in the theft of millions of patient records.

“The FBI has observed malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII),” the agency said in a “Flash” alert obtained by Reuters.

“These actors have also been seen targeting multiple companies in the healthcare and medical device industry typically targeting valuable intellectual property, such as medical device and equipment development data,” the document stated.

According to the news service, the FBI and department of Homeland Security periodically release alerts to provide U.S. businesses with technical details and other information they can use to either prevent or identify cyber attacks.

The FBI has issued several alerts within the past few months, the most recent being in April, warning the industry that its systems were too lax compared with other sectors.

On Monday, Aug. 18, Community Health disclosed the attack, saying stolen data included patient names, addresses, birth dates and Social Security numbers. In its filing with the U.S. Securities and Exchange Commission, the group revealed that its security was bypassed and attackers were able to copy data. A China-based attacker is believed to be responsible for the intrusion.

“In this instance the data transferred was non-medical patient identification data related to the Company’s physician practice operations and affected approximately 4.5 million individuals who, in the last five years, were referred for or received services from physicians affiliated with the Company,” the filing stated.

“The [FBI] warning is just bringing additional awareness to a healthcare market that has really reflected the industry's lack of awareness to date of the cyber threat they face,” Mick Coady, PricewaterhouseCoopers (PwC) Health Information Privacy and Security Partner told Dark Reading. “Healthcare is where the financial industry was 10- to 12 years ago in terms of IT security.”