A recent report on the Deep Web black market for electronic health records (EHRs) by researchers affiliated with the Institute for Critical Infrastructure Technology has pointed out what most of us already know: healthcare systems are relentlessly and incessantly attacked by different types of attackers.
“Vulnerable legacy systems and devices that lack the ability to update and patch are Frankensteined into networks possessing newer technologies that can be updated and patched. As a result, the organization’s IoT microcosm becomes collectively vulnerable as effective layers of security cannot be properly implemented,” the analysts noted.
“Without the input of cyber risk management professionals and without comprehensive oversight, they will continue to make socially negligent decisions that gamble the electronic health information of United States citizens between antiquated security, insufficient fiscal and regulatory penalties, and the fingertips of tantalized insatiable adversaries.”
EHR compromise severely impacts victims
By now, we also realized that the risk and impact of compromise of EHRs is usually and mostly shifted to us (the patients). But what most still don’t recognize is that if our EHRs get compromised just once, and sold repeatedly all over the Dark Web, we’ll likely have problems for the rest of our lives.
Information that is contained in those records can be used for many different types of fraud and attacks, such as medical identity theft, submission of false claims, acquisition of controlled and prescription substances, and obtainment of medical devices.
“The medical identity theft that occurs as a result of the compromise of EHRs from healthcare organizations and the distribution of EHRs on Deep Web markets and forums financially devastates most victims and in some cases, presents a critical risk to their physical health,” the researchers say.
For example, a thief may use a stolen medical identity so that the doesn’t have to pay for care at a hospital, but this information can be added to the record, and may turn out to interfere severely with future medical care of the person whose medical identity has been stolen. Patients, unfortunately, don’t have access to their records and can’t spot these things.
Another problem is that there are still no legal protections for medical identity theft victims.
“Stopping the damage, disputing the charges, and correcting the record can consume all of a victim’s time and energy,” the researchers noted, adding that “even if the victim learns of the compromise before the information is exploited, remediation can still cost over $1,500 in fees and consume their free time for up to five years.”
But the list of dangers doesn’t stop there – criminals can also create fake identities, perpetrate tax fraud, access government benefits, or try to extort patients (if the stolen information is sensitive enough for patients not to wish it being divulged publicly).
Finally, the researchers note, the stolen records can be weaponized against the nation in espionage databases, as it likely will happen with the data stolen in the OPM hack when, among other data, health information about US government, defense and intelligence employees was compromised.
“Due to the longevity of the [electronic health] record, adversaries may continue to exchange and exploit the compromised information for the rest of the victim’s life. For some, such as children, this can drastically hinder their future financial stability and limit the potential lives that they could lead,” the researchers concluded.
“Criminals aggressively pursue children’s health records because the data has a long lifetime and because the compromise may go unnoticed for years. Children are often not notified when their data is breached as part of a parent’s record. Parents do not tend to examine a minor’s credit report, and fraud that appears as unpaid debt may go unnoticed until the child matures into adulthood.”
ICIT is scheduled to deliver a briefing on the findings of this paper at the United States Senate later this month.