We are all increasingly savvy to online identity theft.
Not too many days go by without hearing of a major business suffering some form of data breach; we just don’t always hear about the severity, unless it involves substantial amounts of customer data. Similarly, we treat our healthcare records with equal privacy. They contain sensitive, personal information that could be used against us in the wrong hands.
We’ve long known and understood the need for privacy concerning medical records, and luckily our doctors and nurses are sworn to uphold that privacy. In the paper-driven world of yore, unauthorized access to medical records would be via sleight of hand, or an inside job.
But now, the global medical industry is now digitized, and so too are our records. There are massive advantages to having a digitized medical record, but is putting your personal data in the firing line worth it?
Medical Identity Theft
There is no doubt medical identity theft is on the rise. Scammers who have traditionally sought banking and online account details are increasingly turning to medical records. Why? Well, for one, they are full of the most personal information relating to something we all hold dear: our lives.
Your medical record holds all of your personal information: name, address, date of birth, social security number (or equivalent), and in some cases, it’ll contain billing information, and credit or debit card details. This obviously makes a medical record very valuable – more valuable than your bank account details (well, depending on the number of zero’s in your account!).
The ease with which hackers are accessing medical records make them even more attractive a target. Despite years of prior knowledge that medical records would at some point be digitized, many medical facilities are in no-way equipped to deal with the omniscient threat of cybercrime. It is, therefore, no surprise that the percentage of US healthcare organizations reporting potential attacks rose from 20% in 2009, to 40% in 2013. In 2015 alone we saw an officially reported 108.8 million individual records breached across five separate healthcare organizations; each organization reported their network server had been breached:
N.B: The above table features Individuals Affected in millions.
What Could We Expect?
Aside from the obvious issue of your medical history falling into unknown hands, another specter looms large. Recent advances in medical hardware are nothing short of miraculous, but they come with one significant difference to their precursors: their networked status. Many devices are now connected to the hospital network, giving hackers the chance to directly access certain devices.
In a truly startling report titled ‘Predictions 2016: Cybersecurity Swings To Prevention‘ we see the prediction that 2016 will see the beginning of medical equipment being affected by ransomware.
The risk comes from a basic lack of knowledge surrounding network security. In 2012, Scott Erven, then Head of Information Security for Essentia Health (now Associate Director at Protoviti) was tasked with assessing the security for a large chain of Midwest health care facilities. Among the list of issues raised, it was clear that medical facilities were still using hardcoded network passwords such as “admin” or “1234,” corroborating earlier reports and ICS-ALERT-13-164-01, where researchers Billy Rios and Terry McCorkle of Cylance reported roughly 300 medical devices as still using hardcoded passwords.
These basic authentication steps are creating massive security issues that could be easily avoided, or at least make the task harder for would be attackers. At best, we will see a rise in financial extortion.
At worst, people die.
TrapX, a deception-based cybersecurity firm, identified a broad wave of attacks on medical facilities, largely targeting hospital medical devices. In three separate hospitals, TrapX found “extensive compromise of a variety of medical devices which included X-ray equipment, picture archive and communications systems (PACS) and blood gas analyzers (BGA).”
However, this isn’t the limit of the MEDJACK attack vector. TrapX believe (signup required):
“there are many other devices that present targets for MEDJACK. This includes diagnostic equipment (PET scanners, CT scanners, MRI machines, etc.), therapeutic equipment (infusion pumps, medical lasers and LASIK surgical machines), and life support equipment (heart – lung machines, medical ventilators, extracorporeal membrane oxygenation machines and dialysis machines) and much more.”
The report goes onto explain that many of the medical devices being exploited are closed system devices, running out-of-date operating systems such as Windows 2000, or Windows XP. The operating systems are often modified, and full of security holes, presenting a massive vulnerability in any hospital’s network. In most cases, the medical staff using and deploying these devices have no access to the internal workings, meaning they have a total reliance on manufacturers to install up-to-date and resilient security walls – and it currently isn’t happening.
It isn’t limited to a few hospitals, either. With a variety of manufacturers supplying massive ranges of equipment to medical facilities across the globe, it is difficult to pinpoint exactly where the next vulnerability will be exposed.
For instance, when the FDA released a recommendation for manufacturers to tighten security on medical equipment, the Department of Homeland Security (DHS) revealed their ongoing investigation into 24 cases of suspected cybersecurity flaws, including “an infusion pump from Hospira Inc. and implantable heart devices from Medtronic Inc. and St Jude Medical Inc.”
The DHS investigation continues.
Medical Records Sales
While not as life-threatening as hijacked medical apparatus, private medical records are increasingly being sold to data-mining companies, sometimes along with zip codes to make the data more useful, and therefore more valuable.
However, once the data has left the medical facility, it increases the chances for your information to fall into nefarious hands. As early as August 2013, as many as 11 health agencies had begun or already had data collection policy reviews underway, including how the data sale process occurs, and what responsibilities should be implemented for the data-mining companies.
Marc Probst, chief information officer at Intermountain Healthcare, Salt Lake City, states “The only reason to buy that data is so they can fraudulently bill” the respective medical records in the hope someone panics, and pays up. This fraudulent use of medical records, (along with medical records being pilfered in the first place, lax security found throughout countless facilities, and ongoing efforts to provide better overall cybersecurity to the entire healthcare industry) is one of the many costs being handed directly to American citizens through their healthcare premium.
Can You Stop It?
Unfortunately, in the case of digitized medical records held directly by a healthcare provider – we can’t do much about this.
Your provider holds your data, and even if you request a copy (which can be relatively expensive), your provider is highly unlikely to delete your records on a whim. Who knows when you might be rushed into the ER, only to find they have no medical information relating to your penicillin allergy.
One proactive measure is to setup an alert system with DataLossDB.org, a catchall website detailing as many data breaches as possible. Another mitigation strategy might include monitoring your credit report – but this usually incurs a monthly fee. Nonetheless, you’d certainly notice if your rating took a nosedive, and might catch it before it became irretrievable. If you notice anything particularly nefarious, and catch it in time, you can issue a fraud alert, blocking any new credit requests or accounts being opened in your name for 90 days.
It is difficult to be as proactive with medical record security as you are with your banking details, but that doesn’t mean you have to sit back and wait.
Worried about healthcare fraud? Have you had your medical records stolen? Or what security practices do you have in place? Let us know below!