Healthcare: The New Attack Vector for Scammers & ID Thieves
Written by Gavin Phillips
February 18, 2016
(http://www.makeuseof.com/tag/author/gavin/)
Your medical record holds all of your personal information: name, address, date of birth, social security number (or equivalent), and in some
cases, it'll contain billing information, and credit or debit card details. This obviously makes a medical record very valuable, more valuable
than your bank account (http://www.makeuseof.com/tag/heres-much-identity-worth-dark-web/) details (well, depending on the number of
zeros in your account!).
The ease with which hackers are accessing medical records makes them an even more attractive target. Despite years of prior knowledge that
medical records would at some point be digitized, many medical facilities are in no way equipped to deal with the omnipresent threat of
cybercrime. It is, therefore, no surprise that the percentage of US healthcare organizations reporting potential attacks rose from 20% in 2009
to 40% in 2013. In 2015 alone we saw an officially reported (http://www.ft.com/cms/s/2/f3cbda3e-a027-11e5-861308e211ea5317.html#axzz3zIZFmz76) 108.8 million individual records breached (http://www.makeuseof.com/tag/fcc-net-neutrality-hackersattack-health-tech-news-digest/) across five separate healthcare organizations; each organization reported their network server had been
breached:
N.B:
In a truly startling report titled "Predictions 2016: Cybersecurity Swings To Prevention", we see the prediction that 2016 will see the
beginning of medical equipment being affected by ransomware (http://www.makeuseof.com/tag/cybercrime-goes-offline-role-bitcoinsransom-extortion/).
The risk comes from a basic lack of knowledge surrounding network security. In 2012, Scott Erven, then Head of Information Security for
Essentia Health (now Associate Director at Protiviti), was tasked with assessing the security of a large chain of Midwest health care facilities.
Among the list of issues (http://www.wired.com/2014/04/hospital-equipment-vulnerable/) raised, it was clear that medical facilities were still
using hardcoded network passwords such as "admin" or "1234", corroborating earlier reports and ICS-ALERT-13-164-01 (https://icscert.us-cert.gov/alerts/ICS-ALERT-13-164-01), where researchers Billy Rios and Terry McCorkle of Cylance reported roughly 300 medical
devices as still using hardcoded passwords.
These basic authentication lapses are creating massive security issues that could be easily avoided, or that could at least be made harder for would-be
attackers (http://www.makeuseof.com/tag/hack-murky-world-exploit-kits/) to exploit. At best, we will see a rise in financial extortion.
At worst, people die.
MEDJACK
TrapX, a deception-based cybersecurity firm, identified a broad wave of attacks on medical facilities, largely targeting hospital medical
devices. In three separate hospitals, TrapX found extensive compromise of a variety of medical devices which included X-ray equipment,
picture archive and communications systems (PACS) and blood gas analyzers (BGA).
However, this isn't the limit of the MEDJACK attack vector. TrapX believe (http://deceive.trapx.com/rs/929-JEW675/images/AOA_Report_TrapX_AnatomyOfAttack-MEDJACK.pdf?aliId=262085) (signup required):
"there are many other devices that present targets for MEDJACK. This includes diagnostic equipment (PET scanners, CT scanners, MRI
machines, etc.), therapeutic equipment (infusion pumps, medical lasers and LASIK surgical machines), and life support equipment
(heart lung machines, medical ventilators, extracorporeal membrane oxygenation machines and dialysis machines) and much more."
The report goes on to explain that many of the medical devices being exploited are closed system devices, running out-of-date operating
systems (http://www.makeuseof.com/tag/windows-10-secure-windows-xp/) such as Windows 2000 or Windows XP. The operating
systems are often modified, and full of security holes (http://www.makeuseof.com/tag/every-version-windows-vulnerability/), presenting a
massive vulnerability in any hospital's network. In most cases, the medical staff using and deploying these devices have no access to the
internal workings, meaning they have a total reliance on manufacturers to install up-to-date and resilient security walls, and it currently isn't
happening.
It isn't limited to a few hospitals, either. With a variety of manufacturers supplying massive ranges of equipment to medical facilities across the
globe, it is difficult to pinpoint exactly where the next vulnerability will be exposed.
For instance, when the FDA released a recommendation for manufacturers to tighten security on medical equipment, the Department of
Homeland Security (DHS) revealed their ongoing investigation into 24 cases of suspected cybersecurity flaws, including an infusion pump
from Hospira Inc. and implantable heart devices from Medtronic Inc. and St Jude Medical Inc.
The DHS investigation continues.
Your provider holds your data, and even if you request a copy (which can be relatively expensive), your provider is highly unlikely to delete
your records on a whim. Who knows when you might be rushed into the ER, only to find they have no medical information relating to your
penicillin allergy.
One proactive measure is to set up an alert system with DataLossDB.org (http://datalossdb.org/), a catch-all website detailing as many data
breaches as possible. Another mitigation strategy might include monitoring your credit report, but this usually incurs a monthly fee.
Nonetheless, you'd certainly notice if your rating took a nosedive (http://www.makeuseof.com/tag/6-warning-signs-digital-identity-theftshouldnt-ignore/), and might catch it before it became irretrievable. If you notice anything particularly nefarious, and catch it in time, you can
issue a fraud alert (https://help.equifax.com/app/answers/detail/a_id/125/related/1/session/L2F2LzEvdGltZS8xNDEyMDE1MTM1L3NpZC82SVA4QkQzbQ%3D%3D),
blocking any new credit requests or accounts being opened in your name for 90 days.
It is difficult to be as proactive with medical record security as you are with your banking details, but that doesn't mean you have to sit back
and wait.
Worried about healthcare fraud? Have you had your medical records stolen? Or what security practices do you have in place?
Let us know below!
Image Credits: holding a stethoscope (http://www.shutterstock.com/pic.mhtml?id=340082822) by nimon via Shutterstock, Medical Record via Pixabay
(https://pixabay.com/en/medical-record-health-patient-form-781422/), Holding Heart via Pixabay (https://pixabay.com/en/body-upper-body-hand-t-shirt-keep-116585/), Gloved
Hand via Freerange Stock (https://freerangestock.com/photos/667/photo-details.html)