Medical Records Worth More To Hackers Than Credit Cards
HughPickens.com writes Reuters reports that your medical information, including names, birth dates, policy numbers, diagnosis codes and billing information, is worth 10 times more than your credit card number on the black market. Fraudsters use this data to create fake IDs to buy medical equipment or drugs that can be resold, or they combine a patient number with a false provider number and file made-up claims with insurers, according to experts who have investigated cyber attacks on healthcare organizations. Medical identity theft is often not immediately identified by a patient or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected. Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, says Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company. He obtained the data by monitoring underground exchanges where hackers sell the information. Plus "healthcare providers and hospitals are just some of the easiest networks to break into," says Jeff Horne. "When I've looked at hospitals, and when I've talked to other people inside of a breach, they are using very old legacy systems — Windows systems that are 10 plus years old that have not seen a patch."
won't keep the hackers at bay?
Over the years I can think of many times we've received a call from our credit card companies to "report suspicious activity". Sometimes it's annoying (yes, we are travelling, please don't cancel our card) but other times it's saved us thousands of dollars.
I personally cannot think of anyone who has gotten a call from medical establishment to report "suspicious activity" or any other kind of "fraud alert", but perhaps others have? If not, the fact that credit card companies respond to these would make them less profitable activity than defrauding companies that don't alert or respond.
Gently reply
Mac OS 1-8, and to some extent 9, kept remote hackers away. Largely due to missing functionality, it was considered the most secure platform at the time.
You had me at HIPAA, lost me at Obamacare. Wouldn't new regulations have been a perfect time to upgrade those legacy systems? It would have been a perfect time to blame increased costs on "more computerization". Insurance companies already blamed increased rates on Obamacare, why not just tack on the extra upgrades.
This is even scarier if you have any familiarity with how most hospital records and/or IT departments are run.
There are at least two ways to look at this issue.
A. Using stolen health information is very lucrative due to the lack of security.
B. Using stolen credit card information has become a lot less lucrative due to the increased security used by credit card companies.
I suspect a little from column A and a little from column B.
> other times it's saved the credit card company thousands of dollars.
FTFY. Although it is possible that if it was caught in time then it saved the merchant thousands of dollars.
But whatever the case, it definitely didn't save you thousands of dollars. Federal law makes your liability a maximum of $50 (unlike debit cards where losses are only limited by bank policy and subject to the whims of your bank manager).
I don't disagree that it has problems but, let's not pretend that things were better without it. I worked for several years in healthcare IT. I was there when we started encrypting our laptops by policy.... it was because of HIPAA. Prior to that, there were no exceptions.
A good part of the problem is that hospitals grew up doing their own systems support for medical devices and tried to grow IT out of that, and they tend to be non-profits that budget their departments like universities do. It's a huge mess.
They just never cared about security because they built up their entire system for the single purpose of providing medical care. They were so focused on that, the idea that they were exposing themselves was an afterthought. Security has always been an afterthought in the industry that brought us the word "triage".
"I opened my eyes, and everything went dark again"
HIPAA is all about PROTECTING your information. Blame your local management for ignoring HIPAA requirements and choosing a cheaper, less secure alternative.
Because under US law, credit card companies are liable for the cost of credit card fraud above a nominal amount, they have strong incentives to continuously search for and attempt to block fraudulent transactions. I don't think there is any comparable legal driver that forces health providers to bear the financial cost of similar fraud from patient info loss, nor are they necessarily "in-line" to see the exploitation of information stolen from them. Moreover, the health care industry sees their mission as serving patients and collecting all the money they can get for that, not as guarding IT systems from compromise. We should not be surprised that no hospital calls to tell us about suspicious use of our patient info.
Against stupidity, the Gods themselves contend in vain. --Friederich Schiller
Hospital networks rarely encrypt patient health information once on the intranet. My personal experience has revealed a sore lack of anti-virus and security, where the only consistently encrypted data is email. The software used sometimes does not support encryption, and the hardware - which is prohibitive to acquire, is used to its utmost maximum (15 years!) and is rarely upgraded. HL7 and DICOM protocols are ancient and yet prevalent for a reason - an FDA stranglehold on software and clinical devices, as well as their prohibitive cost pose a complex challenge to hospitals.
The merchants are responsible for eating the costs. Merchants are also liable for chargebacks.
There you go -- there is tremendous incentive to run very old versions of software and the OS on account of the cumbersome FDA approval process.
If Medicare practiced fraud/risk control energy marginally as well as the payments industry, they could cut fraudulent claims by 70%.
- Does the zip code you are shipping durable equipment to when remotely match the patient's residence? If not, just a phone call might work to confirm the transaction.
- Does the durable equipment have a use for any diagnostic code used by the patient in the past?
There are other triggers that could help.
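The two triggers listed in the post, plus a provider-number check for the "patient number + false provider number" pattern the story describes, as an added example. This is my own code, not Medicare's or any payer's actual fraud-control logic: the claims, the enrolment list and the DME-to-diagnosis map are constructed for illustration. The NPI check-digit rule (Luhn over the digits with an `80840` prefix) is the published one; `1234567893` is the standard documentation example of a valid NPI.

```python
"""Claim-screening triggers as a small rule engine (added example, constructed data)."""
from dataclasses import dataclass, field

# Illustrative DME (durable medical equipment) code -> diagnoses that justify it.
# A real payer edit table is far larger; this stub exists only to drive the rule.
DME_JUSTIFIED_BY = {
    "E0601": {"G47.33"},              # CPAP device <- obstructive sleep apnea
    "E0143": {"M17.11", "S82.001A"},  # walker <- knee osteoarthritis / tibia fracture
    "K0001": {"G20", "M17.11"},       # standard wheelchair <- Parkinson's / knee OA
}

ENROLLED_PROVIDERS = {"1234567893"}   # constructed enrolment list (a valid NPI)


def npi_checksum_ok(npi: str) -> bool:
    """NPI check digit: Luhn over '80840' + the 10-digit NPI (last digit is the check)."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    digits = [int(c) for c in "80840" + npi]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Claim:
    claim_id: str
    patient_zip: str
    ship_to_zip: str
    provider_npi: str
    dme_code: str
    diagnosis_history: set = field(default_factory=set)


def screen_claim(claim: Claim) -> list:
    """Return the names of the triggers a claim hits; [] means nothing to query."""
    flags = []
    if claim.ship_to_zip[:5] != claim.patient_zip[:5]:
        flags.append("ship_to_zip_mismatch")
    if not DME_JUSTIFIED_BY.get(claim.dme_code, set()) & claim.diagnosis_history:
        flags.append("dme_without_supporting_diagnosis")
    if not npi_checksum_ok(claim.provider_npi):
        flags.append("malformed_provider_number")
    elif claim.provider_npi not in ENROLLED_PROVIDERS:
        flags.append("provider_not_enrolled")
    return flags


def triage(claims):
    """Split claims into those to pay and those that warrant a phone call first."""
    pay, call = [], []
    for c in claims:
        (call if screen_claim(c) else pay).append(c.claim_id)
    return pay, call


# Constructed claims: one clean, one shipped out of area with an unrelated
# diagnosis, one using a provider number that fails the check digit.
SAMPLE_CLAIMS = [
    Claim("C-1", "02114", "02114-2696", "1234567893", "E0601", {"G47.33", "I10"}),
    Claim("C-2", "02114", "33101", "1234567893", "K0001", {"J06.9"}),
    Claim("C-3", "60601", "60601", "1234567890", "E0143", {"M17.11"}),
]

if __name__ == "__main__":
    for c in SAMPLE_CLAIMS:
        print(c.claim_id, screen_claim(c) or "pay")
```

The point of the check-digit rule is that it costs nothing: a fabricated provider number that fails Luhn can be rejected before any enrolment lookup, and a malformed one that passes still has to appear in the enrolment table.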
deleting the extra space after periods so i can stay relevant, yeah.
....monitoring underground exchanges..
Sounds like a cheap spy novel.
“He’s not deformed, he’s just drunk!”
Wondering if all the hospital networks are already compromised beyond repair. If the doctors use same passwords for their hospital account as well as their personal account, they too would be very vulnerable. Some of the doctors I know are surgeons who would wield a scalpel with great confidence and would think it is routine to make a 20 cm long incision across the stomach. But are scared of the stupid computer and were mortally afraid of changing the password, or the default screen saver.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
it has only been a few years that co-pays and co-insurance got to the point where you are liable for a lot of doctor visits. 10 years ago most people wouldn't care if someone was running up medical bills under their name since they wouldn't be responsible for a dime.
unlike credit cards where you have to fill out the fraud form or pay up
Even with the turn of the millennium, the vast majority of hospital systems still run on HL7 (Health Level 7) and MUMPS (Massachusetts General Hospital Utility Multi-Programming System aka "M").
HL7 isn't just a standard, but it also describes a protocol used for transmitting patient data which is laughably insecure in the state it was in when I last worked on it in the late 90's. Plain text, no validation, fire/forget, no encryption, no well, no nothing
MUMPS, or M if you prefer, is a programming language designed by the NSA (it must have been, lol, actually it was designed by a couple of Dr's), every variable is global in nature - so if you have an admin token ADMIN, you can set that value anywhere in the running system and it won't care one bit. Rooting M systems is simply a matter of access and knowledge of M.
Oddly, in M, you can also use shorthand, so i == if (IIRC), and it's contextual, so where in a line a value appears determines the value's type, so i i i is a valid statement, where each i references a completely different variable/value/object. Insanity at its best. Here is a great mumps tutorial for those of you that aren't familiar & for those of you who only know "modern" languages, it's a timely Halloween horror show...
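What a plain-text HL7 v2 message actually looks like on the wire, and how little work it takes to pull the fields the story lists (name, date of birth, identifiers, diagnosis codes, insurance plan) out of one, as an added example. This is my own parser, not the poster's code and not a library; the ADT^A01 message is constructed and every identifier, name and code in it is made up.

```python
"""Minimal HL7 v2 (pipe-delimited) parser and PHI extractor (added example, constructed message)."""

# Constructed ADT^A01 (admit) message. HL7 v2 separates segments with CR (\r),
# fields with '|' and components with '^'; MSH-2 declares the encoding characters.
HL7_ADT_A01 = "\r".join([
    "MSH|^~\\&|ADT1|GOODHEALTH|RECEIVER|LAB|20141001120000||ADT^A01|MSG00001|P|2.3",
    "EVN|A01|20141001120000",
    "PID|1||123456789^^^GOODHEALTH^MR||DOE^JANE^Q||19700315|F|||10 MAIN ST^^BOSTON^MA^02114"
    "||555-555-0100|||M||ACCT0001|999-00-1234",
    "PV1|1|I|ICU^1^1",
    "DG1|1|I10|G47.33^Obstructive sleep apnea^I10",
    "IN1|1|PLAN001^BLUE PPO|BLUEINS|Blue Insurer",
])


def parse_hl7(message: str) -> dict:
    """Return {segment_name: [segment, ...]}; each segment is a list of fields,
    each field a list of components, indexed so that seg[n][c-1] is HL7 field n,
    component c. MSH is special: MSH-1 is the field separator itself and MSH-2
    the encoding characters, so MSH-1 is re-inserted to keep numbering aligned.
    """
    if not message.startswith("MSH"):
        raise ValueError("not an HL7 v2 message: missing MSH header")
    field_sep = message[3]                 # MSH-1, normally '|'
    comp_sep = message[4]                  # first char of MSH-2, normally '^'
    segments = {}
    for raw in message.split("\r"):
        if not raw:
            continue
        fields = raw.split(field_sep)
        is_msh = fields[0] == "MSH"
        if is_msh:
            fields.insert(1, field_sep)
        parsed = []
        for i, f in enumerate(fields):
            keep_raw = is_msh and i in (1, 2)   # separators are not split further
            parsed.append([f] if keep_raw else f.split(comp_sep))
        segments.setdefault(fields[0], []).append(parsed)
    return segments


def field(seg, n: int, comp: int = 1) -> str:
    """HL7-style accessor: field n, component comp (both 1-based); '' if absent."""
    try:
        return seg[n][comp - 1]
    except IndexError:
        return ""


def extract_phi(message: str) -> dict:
    """Pull out exactly the data the story says is being resold. No decryption,
    no authentication, no integrity check is involved: it is all in the clear."""
    segs = parse_hl7(message)
    pid = segs["PID"][0]
    msh = segs["MSH"][0]
    return {
        "event": field(msh, 9) + "^" + field(msh, 9, 2),
        "mrn": field(pid, 3),                       # PID-3 patient identifier
        "name": (field(pid, 5, 2) + " " + field(pid, 5)).strip(),  # given family
        "dob": field(pid, 7),
        "ssn": field(pid, 19),
        "account": field(pid, 18),
        "diagnoses": [field(d, 3) for d in segs.get("DG1", [])],
        "plan_id": field(segs["IN1"][0], 2) if "IN1" in segs else "",
    }


if __name__ == "__main__":
    for k, v in extract_phi(HL7_ADT_A01).items():
        print(f"{k:10} {v}")
```

Nothing in the format stops an interface engine from wrapping this in TLS or an encrypted transport (the reply further down that "you can encrypt the hell out of it" is right); the point is that the message itself carries no protection, so whatever link or spool file it sits on is the only thing guarding it.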
1) If you don't get certain very expensive medical care, you DIE. So if you can't afford it, you are likely to consider stealing someone else's medical insurance. Death makes people consider doing things they wouldn't otherwise do.
2) Many patients with health issues have a lot more important things to think about than finances. Or worse, the patient might be dead, so they can't complain against the charges.
3) Many providers actively avoid talking about finances. Not only do they know about point 2 above, but they also fear that if they talk too much about the finances, you will realize how badly they are screwing you over and might actually look for reasonably priced services.
So when you steal the identity of a patient with serious medical problems, there is an inbuilt set of honest people willing to buy the information you stole, the victims may not be in the best shape to investigate, and no one else wants to look too deeply into it.
excitingthingstodo.blogspot.com
I actually got a letter from a dentist saying that their office was broken into and medical records taken. I believe that's a HIPAA requirement.
http://www.utsandiego.com/news...
This goes back 2 years, but just hit the news wires today:
LA JOLLA — UC San Diego has been targeted by a series of cyber attackers seeking access to sensitive research and other data since 2012 and officials say the so-called advanced persistent threat has prompted the campus to take steps to bolster its security.
The initial security breach, detected in June 2012, involved the use of stolen passwords by hackers targeting computer servers. University information technology security director John Denune said that no work was lost and no critical research data was accessed.
"The only reason to buy that data is so they can fraudulently bill," Probst said.
Uh, what? You don't think having access to the birthdate, employer, SSN, address and medical history has any use other than fraudulent billing? Good thing he is in the medical field so he can get a CT scan of his navel. Apparently this "CIO" doesn't understand the value of the data he is supposed to be keeping safe.
This is all the more reason to NOT give healthcare providers your SSN, and to insist that insurance companies use a different customer ID.
Good points. Nonetheless, the credit card issuers still have an incentive to minimize fraud, if only to avoid the hassle of fighting with the merchants over who's to blame for the loss and how much they are liable for. They would much rather enjoy wallowing in the usurious interest rates and substantial transaction fees they charge than spend time in court with the merchants.
Against stupidity, the Gods themselves contend in vain. --Friederich Schiller
You missed the point that the money is simply not there in most cases. Most of this healthcare data comes from small doctors offices with "IT" being provided by the likes of Geek Squad. A lot of the $$ effort has been poured down the new regulations, including ICD-10 and ACA (Obamacare). Also, one of the biggest security disasters of the ACA is the edge server for insurance companies reporting all claims data to the federal government (CMS). The original requirements were as poorly executed as you can imagine a lazy government IT person could come up with. This whole industry is full of people who are in fear of change and very poor business people. Doctors are some of the worst when it comes to spending on IT. If they spend $20k on a server and $100k on software they expect it to last forever and never change.
What about debit cards that can be used like credit cards? What's the liability on those. My bank recently made a change and now all debit cards that are issued are Visa debit cards that have a valid Visa number, expiry date, and CCV/CSC and can be used in place of a credit card for online transactions, except that the money is pulled directly from my checking account. I really don't like this feature, but all their cards are like that now.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
I wish to stick my fetid penis deep into the optical drive of your roommate's aunt's laptop. What say you? What say him? What say her?
What about debit cards that can be used like credit cards? What's the liability on those.
It's a debit card. The fact you can use it to pay for something at the checkout doesn't make it a credit card. There is no credit involved.
except that the money is pulled directly from my checking account. I really don't like this feature, but all their cards are like that now.
All debit cards are like that. And that's why even if your card issuer promises low liabilities for lost or stolen cards, you may have an empty checking account for the entire time it takes to resolve the problem. Compare that to a credit card where the issuer is prohibited by law from acting on any charge that you are disputing.
Did you actually read that story?
"Usually, however, it is the banks that get hurt the most."
Bottom line (and there are exceptions), merchants aren't on the hook if it's a face-to-face transaction. If it's an online transaction, the merchant usually does end up liable.
So much of health providers' budgets have been consumed in the past ten years by HIPAA and Obamacare they didn't have any money left over to upgrade those "old legacy systems".
Right...., 'cause the security requirement imposed by HIPAA compliance are such a frivolous waste of money. [/dripping sarcasm]
Doing it right is more expensive than not doing it right, regardless of the business driver. Get over it.
HL7 and X12 remain prevalent for a reason: the only replacements anyone has proposed are verbose XML structures that are exactly the same but in XML for maximum ENTERPRISE QUALITY.
Enjoy your slightly incompatible Java and .net implementations, and your completely incompatible implementation for every other programming language. Don't forget to increase -XmxMemWTFBBQ to at least 2GB.
The problem is that HIPAA has no teeth. At best, hospitals might pay lip service, or use it as a way to bamboozle patients, "sorry, we can't tell you your status, HIPAA prevents us from doing so", along the lines of the "consultants" who said that only Microsoft was "Sarbanes-Oxley compliant."
Let's be real... there have been a few minor slaps on the wrist, but even for major violations (all health, financial, and personal records of patients now sitting in pastebin or available as a torrent), there have been no cases of people actually going to jail.
Between useless legislation that is not enforced and the "security is no ROI" paradigm, any data entered in should be assumed that it will become public. Talk to a shrink in some places? Expect the transcript to be laughed over on 4-chan in /b/.
What the what?
HL7 is a data format. You can encrypt the hell out of it if you want.
Don't have the reference to hand, but any medical organization should have stopped using your SSN years ago.
If you think that a bill piling expensive requirements on an industry is the perfect excuse to pile more expenses on that industry, then you may have a promising career ahead of you in Congress.
The Daddy casts sleep on the Baby. The Baby resists!
Then please explain why the single most common reason for a person to be fired from the entire network of hospitals I worked for was inappropriate records access? Perhaps you would like to tell me why one of the major projects then was to move from offline records access auditing to real time auditing and flagging?
Perhaps you might have some insight into how it failed by causing us to start encrypting all of our laptops?
The problem with healthcare is momentum. It's huge, there is a lot of it, and it's highly federated and highly disorganized. In fact it's often less a case of "we don't care" and more a case that they tend to be in over their heads keeping up with the infrastructure they have and the way it's growing, and balk at allocating more resources to IT, since it already has eaten up more than they naively expected.
I have had to watch entire presentations that boil down to "we want to generate terabytes of data at an alarming rate and we don't see why it should cost very much based on just ignoring any other costs and looking at hard drive prices"
Seriously, the disconnect in healthcare is serious, and I agree the law is only somewhat helping but.... fact is the institutions really are scared of the penalties and those penalties really do trump their other considerations many times.
It's not perfect, but, on the security front, I have to say, I really think nearly all forward progress on security in healthcare can be directly attributed to it. I mean, I can think of a few minor exceptions like.... general concern about certain rare but frightening events like baby swaps or thefts that caused a good bit of increased security around birthing areas, but aside from that, I can't think of much that wasn't directly HIPAA requirement driven.
"I opened my eyes, and everything went dark again"
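The "real time auditing and flagging" of records access mentioned above, as an added example of what such a detector does with an access log. This is my own code, not the poster's hospital system; the log lines, care-team table, VIP list, user surnames and the burst threshold are all constructed. The rules are the usual ones for this problem: access with no treatment or billing relationship (unless the user invoked break-glass), a user opening the chart of someone with their own surname, access to a flagged (VIP) record, and a burst of distinct patients in a short window.

```python
"""Inappropriate-access flagging over EHR audit events (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed EHR access log: time,user,role,patient_id,patient_surname,access_reason
ACCESS_LOG = """\
2014-10-01T08:02:11,jsmith,nurse,P1001,ADAMS,chart_view
2014-10-01T08:05:40,jsmith,nurse,P1002,BAKER,chart_view
2014-10-01T08:07:02,jsmith,nurse,P1007,SMITH,chart_view
2014-10-01T08:09:15,rlee,clerk,P9001,NOVAK,break_glass
2014-10-01T09:00:00,dlopez,billing,P3001,CHEN,chart_view
2014-10-01T09:01:10,dlopez,billing,P3002,DAVIS,chart_view
2014-10-01T09:02:20,dlopez,billing,P3003,EVANS,chart_view
2014-10-01T09:03:30,dlopez,billing,P3004,FOX,chart_view
2014-10-01T09:04:40,dlopez,billing,P3005,GREEN,chart_view
2014-10-01T09:05:50,dlopez,billing,P3006,HALL,chart_view
"""

# Constructed relationship table: patients each user has an active encounter
# or billing relationship with. A real system derives this from ADT/encounter data.
CARE_TEAM = {"jsmith": {"P1001", "P1002", "P1003"}, "rlee": {"P2001"}, "dlopez": {"P3001"}}
VIP_PATIENTS = {"P9001"}                       # records that always page the privacy office
USER_SURNAME = {"jsmith": "SMITH", "rlee": "LEE", "dlopez": "LOPEZ"}
BURST_LIMIT = 5                                # distinct patients allowed per window
BURST_WINDOW_SECONDS = 600


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient: str
    surname: str
    reason: str


def parse_log(text: str) -> list:
    """Parse the CSV-style log above into AccessEvent records, in order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, surname, reason = line.split(",")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role, patient, surname, reason))
    return events


def flag_access(events: list) -> list:
    """Stream the events once and return (user, patient, [reasons]) for each
    event that trips at least one rule. Break-glass suppresses only the
    relationship rule; a VIP record is flagged regardless."""
    flagged = []
    recent = defaultdict(list)                 # user -> [(ts, patient)] within window
    for ev in events:
        reasons = []
        if ev.patient not in CARE_TEAM.get(ev.user, set()) and ev.reason != "break_glass":
            reasons.append("no_treatment_relationship")
        if ev.surname == USER_SURNAME.get(ev.user):
            reasons.append("possible_family_or_self_lookup")
        if ev.patient in VIP_PATIENTS:
            reasons.append("vip_record")
        # Sliding window of distinct patients per user (bulk browsing / export).
        window = [(t, p) for t, p in recent[ev.user]
                  if (ev.ts - t).total_seconds() <= BURST_WINDOW_SECONDS]
        window.append((ev.ts, ev.patient))
        recent[ev.user] = window
        if len({p for _, p in window}) > BURST_LIMIT:
            reasons.append("bulk_browsing")
        if reasons:
            flagged.append((ev.user, ev.patient, reasons))
    return flagged


if __name__ == "__main__":
    for user, patient, reasons in flag_access(parse_log(ACCESS_LOG)):
        print(user, patient, ", ".join(reasons))
```

Moving this from an overnight batch to the event stream is what turns it from evidence for a termination into something that can page a privacy officer while the session is still open; the rules themselves do not change.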
Did you actually read that story?
Yes, so let me explain:
Bottom line (and there are exceptions), merchants aren't on the hook if it's a face-to-face transaction.
Nope! Read on to see why:
Usually, however, it is the banks that get hurt the most.
And how do they get hurt? In that quote, the word "banks" links to a BusinessWeek article that explains:
issuing banks are shifting the expense of fraudulent face-to-face transactions to retailers. One reason: complaints that the buyer's signature didn't match the one on the card. These "charge-backs" drive up retailers' costs, which are ultimately passed along to the consumer, says Mallory Duncan, the NRF's general counsel.
So the law says the credit card holder isn't liable. The CC company says they aren't liable, the bank is. But since the retailer is responsible for verifying the signature, they were at fault. Notice that it specifically says that in face-to-face transactions the retailer is responsible.
I'm unclear why the BusinessWeek article says "shifting" since this was the way things were back in 1996 when I worked retail. This isn't new.
I have 2 stories on this: One: in the brief time I worked retail I worked at a store that actually checked this. Your photo ID + name on card + signature had to match. We even turned away corporate customers making big purchases because sometimes the boss would give an employee their Amex business card, but we wouldn't let them make the purchase. I know the store manager got chewed-out by some business people for enforcing it and they always stood their ground.
The other example was when I was at a retailer and I got asked for my photo ID. I thanked the manager in person for having the employee check, but was told that the employee would now get in trouble because they aren't allowed to ask!
What about debit cards that can be used like credit cards? What's the liability on those. My bank recently made a change and now all debit cards that are issued are Visa debit cards that have a valid Visa number, expiry date, and CCV/CSC and can be used in place of a credit card for online transactions, except that the money is pulled directly from my checking account. I really don't like this feature, but all their cards are like that now.
When you swipe a card, the merchant asks "Debit or credit?" if it's run as credit (often requiring a signature), then your liability is the same as a credit card. If you answered "debit" and provided a PIN, then your liability is the same as any other debit card.
Another poster correctly pointed out that the money is directly pulled from your checking account, so you will be minus that money while disputing the charges.
You had me at HIPAA, lost me at Obamacare. Wouldn't new regulations have been a perfect time to upgrade those legacy systems?
HIPAA doesn't require secure systems. It requires completed checklists. As long as the legacy systems pass the checklist, why replace them?
1. You did not post a complete sentence.
2. The proper spelling is "morons" not "morans"!
3. You emphasized your dim wit by using a common vulgarity when a truly creative person could have constructed a far more entertaining insult. You did not even think to use one of the numerous Shakespeare insult generators on the web. You get zero points for creativity and zero for effort. Common expletives, which used to draw points for "shock value", are now so common among the low-brow that they no longer pack a literary punch.
If you want a career as a "grammar NAZI" you need to be at least minimally capable ;-)
"When I've looked at hospitals, and when I've talked to other people inside of a breach, they are using very old legacy systems — Windows systems that are 10 plus years old that have not seen a patch."
No surprise there; that's about how long it takes to process all the paper work (mostly due to HIPAA) to get a new system approved for use inside a hospital. The new Windows 8 purchases should be coming online sometime around 2024.
If you want to install a patch, the approval process starts all over from scratch ...
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
on "the Republicans" no matter who is responsible because you seem to think people are stupid enough to believe you.
You are a toxic, dishonest, troll.
Obamacare MANDATES the transition of all medical records to electronic forms. Given that Obamacare was created by Democrats and their lawyers and lobbyists behind closed AND LOCKED doors (Republicans had NO input and were not even allowed into the negotiations, and were later even denied a list of the names of the participants - so we the public will never know which special interests got what, and in exchange for what) there is no POSSIBLE way to blame this on the Republicans
Now, go crawl back up the chicken posterior you fell from.
Federal law makes your liability a maximum of $50
That is only true if you dispute a fraudulent charge in writing within sixty days of the charge. If you don't notice an odd $20 recurring charge, you are screwed out of all but the last two charges. Also if your credit card is stolen, the $50 limit only applies to charges made in the first 48 hours after the theft.
The IT in medical has a long standing history of dragging feet to updates... The government has a long standing history of IT dragging feet to updates... Government + Medical == Windows CE ME NT. Name that organization!
In the articles you cite, it's clear, in a face-to-face transaction, unless there's evidence that the merchant failed to observe the security protocols (i.e. the signatures clearly don't match), the bank eats the cost. The article notes that the banks have been tightening up, and not cutting vendors as much slack as to whether they observed the security protocols or not. That said, it's clear from both articles that, in face-to-face transactions, the bank eats the majority of the costs of fraud. Not so in an online transaction.
As for your experience with photo ID, the employee should be in trouble, at least if it was Visa or MC. The merchant agreement prohibits requiring ID. You can ask for it, but if the customer doesn't want to provide it, you can't make it a condition of completing the transaction.
Or President. The latest congress has wimped out on standing up to their rights & responsibilities under the Constitution. Thus, the Imperial Presidency now writes regulations beyond its powers without fear of any backlash. See EPA (Climate Change regs, regardless of how you feel about the issue), USDA (See recent Forest Service article), TSA, DHS, etc for more examples.
When you swipe a card, the merchant asks "Debit or credit?" if it's run as credit (often requiring a signature), then your liability is the same as a credit card.
I don't think that's true, if for no other reason than it doesn't make any sense. You have no control over what kind of transactions a thief does with your stolen debit card number.
Another poster correctly pointed out that the money is directly pulled from your checking account, so you will be minus that money while disputing the charges.
Which leads to hidden charges that you will never recover - specifically the fees that you are charged when your checks bounce. Your bank will probably refund you any NSF fees they charge you, but the other end of the transaction (mortgage/rent, auto loan, etc) certainly won't.
That is only true if you dispute a fraudulent charge in writing within sixty days of the charge. If you don't notice an odd $20 recurring charge, you are screwed out of all but the last two charges. Also if your credit card is stolen, the $50 limit only applies to charges made in the first 48 hours after the theft.
You have confused the rules for debit cards with the rules for credit cards. Maximum liability in all cases for credit cards is $50.
I'm going to guess here, but what probably happened was a computer was stolen because it was a computer and the records happened to be on the computer and weren't the target of the theft and were probably never used for nefarious purposes.
I think Mumps or M is great. Plenty of rope and runs like greased lightning (feels like it's running on the metal instead of a bloated runtime).
Also lots of 3rd-party vendors. Some systems are even set up with updates not allowed.
You can swipe your debit card as credit all you like. Once the merchant processes the order (credit charges go through in the middle of the night) you are still ass out of money in your checking account because you swiped that card. Have fun fighting for your money back. Much easier to talk with a credit card company's fraud division to get charges taken off.
Also, your credit card filling up is nothing compared to your bank account going empty.
But hey, go ahead and talk about your "rights" all you want. I'll just be diligent and limit my losses whenever possible.
There were computerization upgrade requirements. Some near-retirement Republican doctors used it as an excuse to shut down their practice because they were still keeping everything in a filing cabinet and a win95 appointment tracking software.
It's a debit card. The fact you can use it to pay for something at the checkout doesn't make it a credit card. There is no credit involved.
It's both. You have the option to use it as a credit card:
"When you sign for your purchases, you get security protections that help prevent, detect and resolve fraud. Many rewards programs also require you to sign to collect rewards points. However, if you PIN for your Visa Debit card transactions, you may not receive the same security protections for Visa Debit card transactions not processed by Visa."
Depends where you are in the world.
UK banks have almost all signed into a debit card agreement which gives the same protections as credit cards.
Card fraud doesn't cost you or the bank anything. The merchants are left holding the bag (lost merchandise AND money) and often collect horrific extra fees from Visa et al on top.
"Bottom line (and there are exceptions), merchants aren't on the hook if it's a face-to-face transaction."
As a merchant, I've experienced what happens on a disputed face-to-face transaction:
It gets reversed and charged the same as card not present fraud.
It's one of the reasons I installed a video surveillance system at the point of sale.
"As for your experience with photo ID, the employee should be in trouble, at least if it was Visa or MC. The merchant agreement prohibits requiring ID. You can ask for it, but if the customer doesn't want to provide it, you can't make it a condition of completing the transaction."
A good lawyer can (and will) trivially argue that this policy facilitates fraud and therefore invalidates any blame the merchant might be taking.
To which Visa/MC will simply respond that they no longer want to do business with the merchant.
Because under US law, credit card companies are liable for the cost of credit card fraud above a nominal amount, they have strong incentives to continuously search for and attempt to block fraudulent transactions. I don't think there is any comparable legal driver that forces health providers to bear the financial cost of similar fraud from patient info loss, nor are they necessarily "in-line" to see the exploitation of information stolen from them. ...
Perhaps the significant difference here is that, with credit cards, the main usage is bogus charges that have an immediate monetary value. With the medical information, there's no specific dollar amount that's been "stolen"; the value is in who's willing to buy the information. This doesn't result in any specific charge against the medical corporation or the patient, so the financial system considers its value to be zero.
This is also what might make it difficult to fight. You can't just say that the medical corporation is responsible for any charges over $50, because there are no such charges in the patient's name. The only effective way of fighting the problem will involve the (mis)use of the medical data.
I've seen this comment from some Scandinavian sources, to explain an interesting curiosity: In recent decades, a lot of medical "advances" have come from Scandinavia, and what they've mostly had in common is that they started with study of accumulated medical records, what the statistics folks (including my wife ;-) call "data dredging". This has turned up all sorts of interesting correlations. Now, we can cue the "Correlation is not causation" mantra here, but in fact such correlations are often pointers to useful research, as people try to explain them.
The interesting part of this is the explanation of why this data dredging happens so much in Scandinavia. The explanation seems to be that the governments there didn't try to make the medical records very secret. Rather, they imposed serious financial repercussions to "misuse" of the data. Thus, here in the US, expensive medical problems (e.g., a positive HIV test) typically result in loss of job and permanent unemployment. In Scandinavia, firing an employee because of expensive medical problems can result in serious fines against the employer. So employers have an incentive to find good medical help for employees instead of firing them. (The fact that medical services aren't charged to employers also helps.)
I haven't seen much discussion of this outside of Scandinavian sources, though, and there might be a lot more going on. But there is definitely a problem in the US, where medical data is a valuable commodity that can be used for all sorts of anti-social (and anti-individual) purposes for profit. But the medical industry doesn't suffer when this happens, so they have little incentive to "waste" resources preventing it.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
The solution is simple, just never authorize to receive a PIN number and the card can only be used as a credit card!
My karma is bad. Don't get too close!!!