Is Medical Cybercrime the "Next Frontier" for Hackers?
Posted Aug 23 2012 12:00am
I hadn't really thought about the topic but it seems to me a natural that computer hackers might seek to break into hospital EMRs and hold the information "hostage" for some sort of bribe. Apparently this is a known problem according to an article in Fast Company (see: Medical Cybercrime: The Next Frontier ). Below is an excerpt from the story. You might want to link to the original story for many more details:
Eastern European gangs stealing computer files with Americans' health insurance information for resale? Remotely hacking insulin pumps to kill patients? A look inside the scary and shockingly unsophisticated world of medical cybercrime. The idea of hackers holding electronic medical records for ransom sounds like the stuff of a final Die Hard installment. But medical hacking and biomedical fraud are growing areas of concern for the healthcare industry... and for Americans receiving medical care. Although only a few isolated cases have been spotted, the ease with which they can be committed should give are alarming.In late July, an interesting story came out of Chicago's suburbs: Hackers broke into a small medical practice's server, encrypted patients' electronic medical records (EMRs) and emails, and demanded a ransom. Instead of paying a random, the n turned the server off and called police. It is not known whether the hackers who targeted the Surgeons of Lake County also extorted other businesses--but federal-mandated HIPAA records indicate 37 hospitals and doctors' offices nationwide have been hacked since 2009, resulting in the theft or damage of patients' medical records. The HIPAA records do not count hacks in which less than 500 patients' information was stolen or damaged, or cases in which only credit card or checking account was stolen. In addition, they only count voluntary disclosures of successful hacking attacks. Due to these restrictions, the true number of hospitals targeted is likely higher.
I have a feeling that this is may be a bigger problem than we appreciate and that instances of medical cybercrime perhaps have been hushed up for the following reasons. First, hospitals would not want to publicly admit that their patients' medical records are under the control of criminals. Secondly, like other businesses, they would not want to admit that their records have been so insecure as to have allowed this to happen.
All of this raises another Interesting question. If you were a hacker and had illegal access to a hospital records, what would be the nature of your threat to the hospital executives? In other words, what is the "either-or" proposition you would make. For example, would the threat be to post all of the records in an open file. Whatever the threat, it did not seem to be sufficient to deter the officials of Surgeons of Lake County from informing the police that their records had been hacked.
Probably a more compelling motive for medical cybercrime, as noted in the article cited above, is selling the purloined information to third parties. For example, Medicare ID numbers could be used to generate false bills and generate revenue. In retrospect, the demand for a ransom has an amateurish ring. Hardened criminals would hardly want to negotiate with the organizations that were responsible the medical records. It might provide a path for their identification although most would probably be in Russia or the Ukraine.