Healthcare: The New Attack Vector for Scammers & ID Thieves

Gavin Phillips 18-02-2016

We are all increasingly savvy to online identity theft.


Not too many days go by without hearing of a major business suffering some form of data breach; we just don’t always hear about the severity, unless it involves substantial amounts of customer data. Similarly, we treat our healthcare records with equal privacy. They contain sensitive, personal information that could be used against us in the wrong hands.

We’ve long known and understood the need for privacy concerning medical records, and luckily our doctors and nurses are sworn to uphold that privacy. In the paper-driven world of yore, unauthorized access to medical records would be via sleight of hand, or an inside job.

But the global medical industry is now digitized, and so too are our records. There are massive advantages to having a digitized medical record, but is putting your personal data in the firing line worth it?

Medical Identity Theft

There is no doubt medical identity theft is on the rise. Scammers who have traditionally sought banking and online account details are increasingly turning to medical records. Why? Well, for one, they are full of the most personal information relating to something we all hold dear: our lives.

Your medical record holds all of your personal information: name, address, date of birth, social security number (or equivalent), and in some cases, it’ll contain billing information, and credit or debit card details. This obviously makes a medical record very valuable – more valuable than your bank account details (well, depending on the number of zeros in your account!).

The ease with which hackers are accessing medical records makes them an even more attractive target. Despite years of prior knowledge that medical records would at some point be digitized, many medical facilities are in no way equipped to deal with the omnipresent threat of cybercrime. It is, therefore, no surprise that the percentage of US healthcare organizations reporting potential attacks rose from 20% in 2009 to 40% in 2013. In 2015 alone we saw an officially reported 108.8 million individual records breached across five separate healthcare organizations; each organization reported their network server had been breached:

US Healthcare Data Breaches 2015

N.B: The above table features Individuals Affected in millions.


What Could We Expect?

Aside from the obvious issue of your medical history falling into unknown hands, another specter looms large. Recent advances in medical hardware are nothing short of miraculous, but they come with one significant difference to their precursors: their networked status. Many devices are now connected to the hospital network, giving hackers the chance to directly access certain devices.

In a truly startling report titled ‘Predictions 2016: Cybersecurity Swings To Prevention’, we see the prediction that 2016 will see the beginning of medical equipment being affected by ransomware.


The risk comes from a basic lack of knowledge surrounding network security. In 2012, Scott Erven, then Head of Information Security for Essentia Health (now Associate Director at Protiviti), was tasked with assessing the security for a large chain of Midwest health care facilities. Among the list of issues raised, it was clear that medical facilities were still using hardcoded network passwords such as “admin” or “1234,” corroborating earlier reports and ICS-ALERT-13-164-01, where researchers Billy Rios and Terry McCorkle of Cylance reported roughly 300 medical devices as still using hardcoded passwords.


These basic authentication failings are creating massive security issues that could be easily avoided, or at least made harder for would-be attackers to exploit. At best, we will see a rise in financial extortion.

At worst, people die.


TrapX, a deception-based cybersecurity firm, identified a broad wave of attacks on medical facilities, largely targeting hospital medical devices. In three separate hospitals, TrapX found “extensive compromise of a variety of medical devices which included X-ray equipment, picture archive and communications systems (PACS) and blood gas analyzers (BGA).”

However, this isn’t the limit of the MEDJACK attack vector. TrapX believe:


“there are many other devices that present targets for MEDJACK. This includes diagnostic equipment (PET scanners, CT scanners, MRI machines, etc.), therapeutic equipment (infusion pumps, medical lasers and LASIK surgical machines), and life support equipment (heart – lung machines, medical ventilators, extracorporeal membrane oxygenation machines and dialysis machines) and much more.”


The report goes on to explain that many of the medical devices being exploited are closed system devices, running out-of-date operating systems such as Windows 2000 or Windows XP. The operating systems are often modified and full of security holes, presenting a massive vulnerability in any hospital’s network. In most cases, the medical staff using and deploying these devices have no access to the internal workings, meaning they have a total reliance on manufacturers to install up-to-date and resilient security walls – and it currently isn’t happening.

It isn’t limited to a few hospitals, either. With a variety of manufacturers supplying massive ranges of equipment to medical facilities across the globe, it is difficult to pinpoint exactly where the next vulnerability will be exposed.

For instance, when the FDA released a recommendation for manufacturers to tighten security on medical equipment, the Department of Homeland Security (DHS) revealed their ongoing investigation into 24 cases of suspected cybersecurity flaws, including “an infusion pump from Hospira Inc. and implantable heart devices from Medtronic Inc. and St Jude Medical Inc.”

The DHS investigation continues.

Medical Records Sales

While not as life-threatening as hijacked medical apparatus, private medical records are increasingly being sold to data-mining companies, sometimes along with zip codes to make the data more useful, and therefore more valuable.

However, once the data has left the medical facility, it increases the chances for your information to fall into nefarious hands. As early as August 2013, as many as 11 health agencies had begun or already had data collection policy reviews underway, including how the data sale process occurs, and what responsibilities should be implemented for the data-mining companies.

Marc Probst, chief information officer at Intermountain Healthcare, Salt Lake City, states “The only reason to buy that data is so they can fraudulently bill” the respective medical records in the hope someone panics and pays up. This fraudulent use of medical records (along with medical records being pilfered in the first place, lax security found throughout countless facilities, and ongoing efforts to provide better overall cybersecurity to the entire healthcare industry) is one of the many costs being handed directly to American citizens through their healthcare premiums.

Can You Stop It?

Unfortunately, in the case of digitized medical records held directly by a healthcare provider – we can’t do much about this.

Your provider holds your data, and even if you request a copy (which can be relatively expensive), your provider is highly unlikely to delete your records on a whim. Who knows when you might be rushed into the ER, only to find they have no medical information relating to your penicillin allergy.

One proactive measure is to set up an alert system with a catchall website detailing as many data breaches as possible. Another mitigation strategy might include monitoring your credit report – but this usually incurs a monthly fee. Nonetheless, you’d certainly notice if your rating took a nosedive, and might catch it before it became irretrievable. If you notice anything particularly nefarious, and catch it in time, you can issue a fraud alert, blocking any new credit requests or accounts being opened in your name for 90 days.

It is difficult to be as proactive with medical record security as you are with your banking details, but that doesn’t mean you have to sit back and wait.

Worried about healthcare fraud? Have you had your medical records stolen? Or what security practices do you have in place? Let us know below!

Image Credits: holding a stethoscope by nimon via Shutterstock, Medical Record via Pixabay, Holding Heart via Pixabay, Gloved Hand via Freerange Stock


  1. Anonymous
    February 18, 2016 at 2:47 pm

    To prevent, or at least drastically reduce, data breaches, an NSA-grade security system is needed. Unfortunately, not many entities outside of the government can afford the software, hardware and the personnel to maintain such a level of security. Certainly no hospital, let alone a doctor's office, can afford the expenditure. So, like it or not, our records are an open book, available for any hacker to read.