Home / Cyber Security / Compromised electronic health records may haunt you forever
doctor2.jpg

Compromised electronic health records may haunt you forever

A recent report on the Deep Web black market for electronic health records (EHRs) by researchers affiliated with the Institute for Critical Infrastructure Technology has pointed out what most of us already know: healthcare systems are relentlessly and incessantly attacked by different types of attackers.

“Vulnerable legacy systems and devices that lack the ability to update and patch are Frankensteined into networks possessing newer technologies that can be updated and patched. As a result, the organization’s IoT microcosm becomes collectively vulnerable as effective layers of security cannot be properly implemented,” the analysts noted.

“Without the input of cyber risk management professionals and without comprehensive oversight, they will continue to make socially negligent decisions that gamble the electronic health information of United States citizens between antiquated security, insufficient fiscal and regulatory penalties, and the fingertips of tantalized insatiable adversaries.”

EHR compromise severely impacts victims

By now, we also realized that the risk and impact of compromise of EHRs is usually and mostly shifted to us (the patients). But what most still don’t recognize is that if our EHRs get compromised just once, and sold repeatedly all over the Dark Web, we’ll likely have problems for the rest of our lives.

Information that is contained in those records can be used for many different types of fraud and attacks, such as medical identity theft, submission of false claims, acquisition of controlled and prescription substances, and obtainment of medical devices.

“The medical identity theft that occurs as a result of the compromise of EHRs from healthcare organizations and the distribution of EHRs on Deep Web markets and forums financially devastates most victims and in some cases, presents a critical risk to their physical health,” the researchers say.

For example, a thief may use a stolen medical identity so that the doesn’t have to pay for care at a hospital, but this information can be added to the record, and may turn out to interfere severely with future medical care of the person whose medical identity has been stolen. Patients, unfortunately, don’t have access to their records and can’t spot these things.

Another problem is that there are still no legal protections for medical identity theft victims.

“Stopping the damage, disputing the charges, and correcting the record can consume all of a victim’s time and energy,” the researchers noted, adding that “even if the victim learns of the compromise before the information is exploited, remediation can still cost over $1,500 in fees and consume their free time for up to five years.”

But the list of dangers doesn’t stop there – criminals can also create fake identities, perpetrate tax fraud, access government benefits, or try to extort patients (if the stolen information is sensitive enough for patients not to wish it being divulged publicly).

Finally, the researchers note, the stolen records can be weaponized against the nation in espionage databases, as it likely will happen with the data stolen in the OPM hack when, among other data, health information about US government, defense and intelligence employees was compromised.

“Due to the longevity of the [electronic health] record, adversaries may continue to exchange and exploit the compromised information for the rest of the victim’s life. For some, such as children, this can drastically hinder their future financial stability and limit the potential lives that they could lead,” the researchers concluded.

“Criminals aggressively pursue children’s health records because the data has a long lifetime and because the compromise may go unnoticed for years. Children are often not notified when their data is breached as part of a parent’s record. Parents do not tend to examine a minor’s credit report, and fraud that appears as unpaid debt may go unnoticed until the child matures into adulthood.”

ICIT is scheduled to deliver a briefing on the findings of this paper at the United States Senate later this month.

About admin

mm

Check Also

android-ui-feedback-loop.jpg

New class of attacks affects all Android versions

Researchers have demonstrated how a malicious app with two specific permission can stealthily compromise users’ ...

2 comments

  1. Your story is interesting but completely lacking in any credibility. There are no references to any specific reports, studies, discussions are any actual facts. At this time in my career as an engineer I am no longer doing development on health records management systems, but I was a lead development engineer and then later head of sustaining engineering for a company that was absorbed into the fold of IBM. To paraphrase William Shakespeare’s “How do I love thee” sonnet, “how do I pick this apart let me count the ways”. What elements of health records management are you referring to HIPA, distribution, user access, client access, storage management, disaster recovery management, comparative record access, record loss etc etc etc. I could spend the better of the upcoming year doing tiny overview of the electronic medical record management and come up some actual substantive issue that are of concern. In just a short search in my old journals and in a sketchy look at active industry journals, it is not terribly hard to come up with some ACTUAL quantifiable information that is of relevance to this REAL issue. Considering that I work in this area as a development engineer, data architect and planner, I made the foolish assumption that you and yours had something of relevance to say. If this is the state of a SO CALLED industry group then the industry is in a very sad state. Then again before and after my days with IBM, I had never come across any reference to your organization and neither had any of my colleagues. I find it interesting that my colleagues in HP have never heard of you either.

    • A note to add, after leaving IBM, I joined CA as a senior development architect for secure TCP/IP stacks for UNIX and OS390 mainframe. So if I decided to write a book on an overview of security issues regarding records management, I feel my credentials are definitely are in order. Now in regards to journals, studies, guidelines, books and standards, I regularly review what is of relevance. Oddly enough my old colleagues at IBM and CA are not in the know for your particular bit of intelligence information. I sent a copy of “Enquirer” article to those on my distribution list and you would enjoy a significant part of the responses as to the significance and relevancy of your article. I would be glad to refer you to the various agencies in Canada, United States, France, Germany, Australia and the UK that actually track this type of data

Leave a Reply

Your email address will not be published. Required fields are marked *