Healthcare: The New Attack Vector for Scammers & ID

Thieves
Written by Gavin Phillips
February 18, 2016

(http://www.makeuseof.com/tag/author/gavin/)

We are all increasingly savvy to online identity theft.

Not too many days go by without hearing of a major business suffering some form of data breach; we just dont always hear about the
severity, unless it involves substantial amounts of customer data. Similarly, we treat our healthcare records with equal privacy. They contain
sensitive, personal information that could be used against us in the wrong hands.
Weve long known and understood the need for privacy concerning medical records, and luckily our doctors and nurses are sworn to uphold
that privacy. In the paper-driven world of yore, unauthorized access to medical records would be via sleight of hand, or an inside job.
But now, the global medical industry is now digitized, and so too are our records. There are massive advantages to having a digitized medical
record, but is putting your personal data in the firing line worth it?

Medical Identity Theft

There is no doubt medical identity theft is on the rise (http://www.makeuseof.com/tag/5-reasons-medical-identity-theft-increasing/).
Scammers who have traditionally sought banking and online account details (http://www.makeuseof.com/tag/3-online-fraud-prevention-tipsneed-know-2014/) are increasingly turning to medical records. Why? Well, for one, they are full of the most personal information relating to
something we all hold dear: our lives.

Sign up for more tips and awesome articles

Email

Let's go

Your medical record holds all of your personal information: name, address, date of birth, social security number (or equivalent), and in some
cases, itll contain billing information, and credit or debit card details. This obviously makes a medical record very valuable more valuable
than your bank account (http://www.makeuseof.com/tag/heres-much-identity-worth-dark-web/) details (well, depending on the number of
zeros in your account!).
The ease with which hackers are accessing medical records make them even more attractive a target. Despite years of prior knowledge that
medical records would at some point be digitized, many medical facilities are in no-way equipped to deal with the omniscient threat of
cybercrime. It is, therefore, no surprise that the percentage of US healthcare organizations reporting potential attacks rose from 20% in 2009,
to 40% in 2013. In 2015 alone we saw anofficially reported (http://www.ft.com/cms/s/2/f3cbda3e-a027-11e5-861308e211ea5317.html#axzz3zIZFmz76) 108.8 million individual records breached (http://www.makeuseof.com/tag/fcc-net-neutrality-hackersattack-health-tech-news-digest/) across five separate healthcare organizations; each organization reported their network server had been
breached:

The above table features Individuals Affected in millions.

N.B:

What Could We Expect?

Aside from the obvious issue of your medical history falling into unknown hands, another specter looms large. Recent advances in medical
hardware are nothing short of miraculous, but they come with one significant difference to their precursors: their networked status. Many
devices are now connected to the hospital network, giving hackers the chance to directly access certain devices.

In a truly startling report titled Predictions 2016: Cybersecurity Swings To Prevention we see the prediction that 2016 will see the
beginning of medical equipment being affected by ransomware (http://www.makeuseof.com/tag/cybercrime-goes-offline-role-bitcoinsransom-extortion/).

The risk comes from a basic lack of knowledge surrounding network security. In 2012, Scott Erven, then Head of Information Security for
Essentia Health (now Associate Director at Protoviti) was tasked with assessing the security for a large chain of Midwest health care facilities.
Among the list of issues (http://www.wired.com/2014/04/hospital-equipment-vulnerable/) raised, it was clear that medical facilities were still
using hardcoded network passwords such as admin or 1234, corroborating earlier reports and ICS-ALERT-13-164-01 (https://icscert.us-cert.gov/alerts/ICS-ALERT-13-164-01), where researchers Billy Rios and Terry McCorkle of Cylance reported roughly 300 medical
devices as still using hardcoded passwords.
These basic authentication steps are creating massive security issues that could be easily avoided, or at least make the task harder for would
be attackers (http://www.makeuseof.com/tag/hack-murky-world-exploit-kits/). At best, we will see a rise in financial extortion.
At worst, people die.

MEDJACK
TrapX, a deception-based cybersecurity firm, identified a broad wave of attacks on medical facilities, largely targeting hospital medical
devices. In three separate hospitals, TrapX found extensive compromise of a variety of medical devices which included X-ray equipment,
picture archive and communications systems (PACS) and blood gas analyzers (BGA).
However, this isnt the limit of the MEDJACK attack vector. TrapX believe (http://deceive.trapx.com/rs/929-JEW675/images/AOA_Report_TrapX_AnatomyOfAttack-MEDJACK.pdf?aliId=262085) (signup required):

there are many other devices that present targets for MEDJACK. This includes diagnostic equipment (PET scanners, CT scanners, MRI
machines, etc.), therapeutic equipment (infusion pumps, medical lasers and LASIK surgical machines), and life support equipment
(heart lung machines, medical ventilators, extracorporeal membrane oxygenation machines and dialysis machines) and much more.

The report goes onto explain that many of the medical devices being exploited are closed system devices, running out-of-date operating
systems (http://www.makeuseof.com/tag/windows-10-secure-windows-xp/) such as Windows 2000, or Windows XP. The operating
systems are often modified, and full of security holes (http://www.makeuseof.com/tag/every-version-windows-vulnerability/), presenting a
massive vulnerability in any hospitals network. In most cases, the medical staff using and deploying these devices have no access to the
internal workings, meaning they have a total reliance on manufacturers to install up-to-date and resilient security walls and it currently isnt
happening.
It isnt limited to a few hospitals, either. With a variety of manufacturers supplying massive ranges of equipment to medical facilities across the
globe, it is difficult to pinpoint exactly where the next vulnerability will be exposed.
For instance, when the FDA released a recommendation for manufacturers to tighten security on medical equipment, the Department of
Homeland Security (DHS) revealed their ongoing investigation into 24 cases of suspected cybersecurity flaws, including an infusion pump
from Hospira Inc. and implantable heart devices from Medtronic Inc. and St Jude Medical Inc.
The DHS investigation continues.

Medical Records Sales

While not as life-threatening as hijacked medical apparatus, private medical records are increasingly being sold to data-mining companies,
sometimes along with zip codes to make the data more useful, and therefore more valuable.
However, once the data has left the medical facility, it increases the chances for your information to fall into nefarious hands. As early as
August 2013, as many as 11 health agencies (http://www.bloomberg.com/bw/articles/2013-08-08/your-medical-records-are-for-sale) had
begun or already had data collection policy reviews underway, including how the data sale process occurs, and what responsibilities should
be implemented for the data-mining companies (http://www.makeuseof.com/tag/how-much-google-know-about-you/).
Marc Probst, chief information officer at Intermountain Healthcare, Salt Lake City, states The only reason to buy that data is so they can
fraudulently bill the respective medical records in the hope someone panics, and pays up. This fraudulent use of medical records, (along with
medical records being pilfered in the first place, lax security found throughout countless facilities, and ongoing efforts to provide better overall
cybersecurity to the entire healthcare industry) is one of the many costs being handed directly to American citizens through their healthcare
premium.

Can You Stop It?

Unfortunately, in the case of digitized medical records held directly by a healthcare provider we cant do much about this.

Your provider holds your data, and even if you request a copy (which can be relatively expensive), your provider is highly unlikely to delete
your records on a whim. Who knows when you might be rushed into the ER, only to find they have no medical information relating to your
penicillin allergy.
One proactive measure is to setup an alert system with DataLossDB.org (http://datalossdb.org/), a catchall website detailing as many data
breaches as possible. Another mitigation strategy might include monitoring your credit report but this usually incurs a monthly fee.
Nonetheless, youd certainly notice if your rating took a nosedive (http://www.makeuseof.com/tag/6-warning-signs-digital-identity-theftshouldnt-ignore/), and might catch it before it became irretrievable. If you notice anything particularly nefarious, and catch it in time, you can
issue a fraud alert
(https://help.equifax.com/app/answers/detail/a_id/125/related/1/session/L2F2LzEvdGltZS8xNDEyMDE1MTM1L3NpZC82SVA4QkQzbQ%3D%3D)
blocking any new credit requests or accounts being opened in your name for 90 days.
It is difficult to be as proactive with medical record security as you are with your banking details, but that doesnt mean you have to sit back
and wait.

Worried about healthcare fraud? Have you had your medical records stolen? Or what security practices do you have in place?
Let us know below!

Image Credits: holding a stethoscope (http://www.shutterstock.com/pic.mhtml?id=340082822) by nimon via Shutterstock, Medical Record via Pixabay
(https://pixabay.com/en/medical-record-health-patient-form-781422/), Holding Heart via Pixabay (https://pixabay.com/en/body-upper-body-hand-t-shirt-keep-116585/), Gloved
Hand via Freerange Stock (https://freerangestock.com/photos/667/photo-details.html)

Share

Tweet

Pin

Stumble

Bookmark

Mail (mailto:?body=http://www.makeuseof.com/tag/healthcare-new-attack-vector-scammers-idthieves/&subject=Healthcare: The New Attack Vector for Scammers & ID Thieves)