Slashdot Mirror


Medical Records Worth More To Hackers Than Credit Cards

HughPickens.com writes Reuters reports that your medical information, including names, birth dates, policy numbers, diagnosis codes and billing information, is worth 10 times more than your credit card number on the black market. Fraudsters use this data to create fake IDs to buy medical equipment or drugs that can be resold, or they combine a patient number with a false provider number and file made-up claims with insurers, according to experts who have investigated cyber attacks on healthcare organizations. Medical identity theft is often not immediately identified by a patient or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected. Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, says Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company. He obtained the data by monitoring underground exchanges where hackers sell the information. Plus "healthcare providers and hospitals are just some of the easiest networks to break into," says Jeff Horne. "When I've looked at hospitals, and when I've talked to other people inside of a breach, they are using very old legacy systems — Windows systems that are 10 plus years old that have not seen a patch."

4 of 78 comments

  1. Calls from Credit Cards on "Suspicious Activity" by retroworks · Score: 3, Interesting

    Over the years I can think of many times we've received a call from our credit card companies to "report suspicious activity". Sometimes it's annoying (yes, we are travelling, please don't cancel our card) but other times it's saved us thousands of dollars.

    I personally cannot think of anyone who has gotten a call from a medical establishment to report "suspicious activity" or any other kind of "fraud alert", but perhaps others have? If not, the fact that credit card companies respond to these would make them a less profitable activity than defrauding companies that don't alert or respond.

    --
    Gently reply
  2. Re:Ironically, blame HIPAA by fldsofglry · Score: 3, Interesting

    You had me at HIPAA, lost me at Obamacare. Wouldn't new regulations have been a perfect time to upgrade those legacy systems? It would have been a perfect time to blame increased costs on "more computerization". Insurance companies already blamed increased rates on Obamacare, why not just tack on the extra upgrades.

  3. Hospital networks are very vulnerable. by 140Mandak262Jamuna · Score: 5, Interesting

    I have sat in many consulting rooms and examination rooms in the hospitals, with a lone pizza box computer with a Windows NT or Windows64 screen saver. All alone, the computer, its ports all freely available for me to plug anything I wanted, even spare RJ-45 ethernet ports next to it for me to plug in anything I wanted. It would be trivially simple to plug in a USB keylogger dongle to the back USB port.

    Wondering if all the hospital networks are already compromised beyond repair. If the doctors use the same passwords for their hospital account as well as their personal account, they too would be very vulnerable. Some of the doctors I know are surgeons who would wield a scalpel with great confidence and would think it is routine to make a 20 cm long incision across the stomach. But they are scared of the stupid computer and were mortally afraid of changing the password, or the default screen saver.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  4. HL7 & MUMPS by James-NSC · Score: 4, Interesting

    Even with the turn of the millennia, the vast majority of hospital systems still run on HL7 (Health Level 7) and MUMPS (Massachusetts General Hospital Utility Multi-Programming System aka "M").

    HL7 isn't just a standard, but it also describes a protocol used for transmitting patient data which is laughably insecure in the state it was in when I last worked on it in the late 90's. Plain text, no validation, fire/forget, no encryption, no well, no nothing.

    MUMPS, or M if you prefer, is a programming language designed by the NSA (it must have been, lol, actually it was designed by a couple of Dr's), every variable is global in nature - so if you have an admin token ADMIN, you can set that value anywhere in the running system and it won't care one bit. Rooting M systems is simply a matter of access and knowledge of M.

    Oddly, in M, you can also use shorthand, so i == if (IIRC), and it's contextual, so where in a line a value appears determines the value's type, so i i i is a valid statement, where each i references a completely different variable/value/object. Insanity at its best. Here is a great MUMPS tutorial for those of you that aren't familiar & for those of you who only know "modern" languages, it's a timely Halloween horror show...
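The "plain text, no validation, fire/forget" description of HL7 v2 above is easiest to see with the wire format in hand. Below is an added example (written for this page, not code from the thread or from any HL7 implementation): a minimal parser for the pipe-delimited v2 message format, the structural checks a receiving interface engine can apply because the format itself enforces none, and the MSH+MSA acknowledgement that turns fire-and-forget into a confirmed exchange. The sample ADT^A01 message and every value in it are constructed; the function names are this example's own.

```python
import re

# Constructed sample ADT^A01 (patient admit) message; every value is made up.
# HL7 v2 segments end in CR, fields are '|'-separated, MSH-2 holds "^~\&".
SAMPLE_ADT = (
    "MSH|^~\\&|HIS|HOSP|LAB|HOSP|20141001120000||ADT^A01|MSG0001|P|2.3\r"
    "PID|1||123456^^^HOSP^MR||DOE^JOHN||19700101|M\r"
    "PV1|1|I|WARD1^101^A\r"
)

def parse_hl7(raw):
    """Split a v2 message into [(segment_id, [fields])]; MSH must come first."""
    lines = [l for l in raw.split("\r") if l]
    if not lines or not lines[0].startswith("MSH") or len(lines[0]) < 9:
        raise ValueError("message must begin with an MSH segment")
    sep = lines[0][3]          # MSH-1 is the field separator character itself
    return [(l.split(sep)[0], l.split(sep)) for l in lines]

def msh_field(msh, n):
    """MSH-n by HL7 numbering: MSH-1 is the separator, so MSH-n is index n-1."""
    return msh[n - 1] if n - 1 < len(msh) else ""

def validate_hl7(raw):
    """Return a list of problems found; an empty list means the message passed."""
    try:
        segs = parse_hl7(raw)
    except ValueError as exc:
        return [str(exc)]
    msh, problems = segs[0][1], []
    if msh_field(msh, 2) != "^~\\&":
        problems.append("MSH-2 encoding characters missing or non-standard")
    if not msh_field(msh, 9):
        problems.append("MSH-9 message type missing")
    if not msh_field(msh, 10):
        problems.append("MSH-10 control ID missing, cannot be acknowledged or deduplicated")
    if not re.fullmatch(r"2\.\d(\.\d)?", msh_field(msh, 12)):
        problems.append("MSH-12 version ID missing or malformed")
    if msh_field(msh, 9).startswith("ADT") and "PID" not in [s[0] for s in segs]:
        problems.append("ADT message carries no PID segment")
    if re.search(r"[^\x20-\x7e\r]", raw):     # plain-text format: only printable ASCII + CR
        problems.append("non-printable bytes inside a plain-text message")
    return problems

def build_ack(raw, code="AA", ack_id="ACK0001"):
    """Build the MSH+MSA acknowledgement a receiver returns for MSH-10, so the
    sender is not fire-and-forget; sending/receiving app and facility are swapped.
    The original timestamp is reused for determinism; a real receiver stamps its own."""
    msh = parse_hl7(raw)[0][1]
    f = lambda n: msh_field(msh, n)
    sep = raw[3]
    hdr = ["MSH", f(2), f(5), f(6), f(3), f(4), f(7), "", "ACK", ack_id, f(11), f(12)]
    return sep.join(hdr) + "\r" + sep.join(["MSA", code, f(10)]) + "\r"
```

Run `validate_hl7(SAMPLE_ADT)` to see a clean pass, and blank the control ID or drop the PID segment to see the checks fire; transport security (TLS on the MLLP link) is a separate layer these checks do not replace.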