Slashdot Mirror


Medical Records Worth More To Hackers Than Credit Cards

HughPickens.com writes Reuters reports that your medical information, including names, birth dates, policy numbers, diagnosis codes and billing information, is worth 10 times more than your credit card number on the black market. Fraudsters use this data to create fake IDs to buy medical equipment or drugs that can be resold, or they combine a patient number with a false provider number and file made-up claims with insurers, according to experts who have investigated cyber attacks on healthcare organizations. Medical identity theft is often not immediately identified by a patient or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected. Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, says Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company. He obtained the data by monitoring underground exchanges where hackers sell the information. Plus "healthcare providers and hospitals are just some of the easiest networks to break into," says Jeff Horne. "When I've looked at hospitals, and when I've talked to other people inside of a breach, they are using very old legacy systems — Windows systems that are 10 plus years old that have not seen a patch."

17 of 78 comments

  1. Calls from Credit Cards on "Suspicious Activity" by retroworks · · Score: 3, Interesting

    Over the years I can think of many times we've received a call from our credit card companies to "report suspicious activity". Sometimes it's annoying (yes, we are travelling, please don't cancel our card) but other times it's saved us thousands of dollars.

    I personally cannot think of anyone who has gotten a call from a medical establishment to report "suspicious activity" or any other kind of "fraud alert", but perhaps others have? If not, the fact that credit card companies respond to these would make them a less profitable activity than defrauding companies that don't alert or respond.

    --
    Gently reply
  2. Re:Ironically, blame HIPAA by fldsofglry · · Score: 3, Interesting

    You had me at HIPAA, lost me at Obamacare. Wouldn't new regulations have been a perfect time to upgrade those legacy systems? It would have been a perfect time to blame increased costs on "more computerization". Insurance companies already blamed increased rates on Obamacare, why not just tack on the extra upgrades?

  3. Perspective by jklovanc · · Score: 4, Insightful

    There are at least two ways to look at this issue.
    A. Using stolen health information is very lucrative due to the lack of security.
    B. Using stolen credit card information has become a lot less lucrative due to the increased security used by credit card companies.

    I suspect a little from column A and a little from column B.

  4. Re:Calls from Credit Cards on "Suspicious Activity" by Anonymous Coward · · Score: 3, Informative

    > other times it's saved the credit card company thousands of dollars.

    FTFY. Although it is possible that if it was caught in time then it saved the merchant thousands of dollars.
    But whatever the case, it definitely didn't save you thousands of dollars. Federal law makes your liability a maximum of $50 (unlike debit cards where losses are only limited by bank policy and subject to the whims of your bank manager).

  5. Re:Ironically, blame HIPAA by TheCarp · · Score: 2

    I don't disagree that it has problems, but let's not pretend that things were better without it. I worked for several years in healthcare IT. I was there when we started encrypting our laptops by policy.... it was because of HIPAA. Prior to that, there were no exceptions.

    A good part of the problem is that hospitals grew up doing their own systems support for medical devices and tried to grow IT out of that, and they tend to be non-profits that budget their departments like universities do. It's a huge mess.

    They just never cared about security because they built up their entire system for the single purpose of providing medical care; they were so focused on that that the idea that they were exposing themselves was an afterthought. Security has always been an afterthought in the industry that brought us the word "triage".

    --
    "I opened my eyes, and everything went dark again"
  6. Re:Ironically, blame HIPAA by freeze128 · · Score: 2

    HIPAA is all about PROTECTING your information. Blame your local management for ignoring HIPAA requirements and choosing a cheaper, less secure alternative.

  7. Re:Scarier by Enry · · Score: 2

    Like them or dislike them, the VA has had electronic patient records since the 60s. They've had this nailed so well their software is in use in many hospitals around the country.

  8. Government ineptitude by rickb928 · · Score: 5, Insightful

    If Medicare practiced fraud/risk control even marginally as well as the payments industry, they could cut fraudulent claims by 70%.

    - Does the zip code you are shipping durable equipment to even remotely match the patient's residence? If not, just a phone call might work to confirm the transaction.

    - Does the durable equipment have a use for any diagnostic code used by the patient in the past?

    There are other triggers that could help.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
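
The two triggers in the comment above, written out as claim-screening rules. This is an added example, not code from the thread or from any payer's real fraud controls: the equipment and diagnosis codes are constructed placeholders (not real HCPCS/ICD values), the "remotely match" test is approximated by comparing the first three ZIP digits rather than geocoding, and flagged claims are routed to a confirmation call rather than denied.

```python
"""Claim-screening triggers for durable medical equipment (DME) claims.

Added example, not from the Slashdot thread or any payer's real rule set.
Assumptions (constructed for illustration): the payer sees a shipping ZIP,
the patient's residence ZIP and the patient's diagnosis history, and wants
to flag claims for a confirmation call rather than deny them outright.
"""
from dataclasses import dataclass, field

# Hypothetical mapping of equipment codes to diagnosis codes that plausibly
# justify them. Codes are constructed placeholders, not real HCPCS/ICD values.
EQUIPMENT_TO_DIAGNOSES = {
    "WHEELCHAIR": {"MOB-01", "MOB-02"},
    "CPAP": {"SLP-01"},
    "GLUCOSE-MONITOR": {"DIAB-01", "DIAB-02"},
}


@dataclass
class Claim:
    claim_id: str
    patient_id: str
    equipment: str
    ship_zip: str
    residence_zip: str
    diagnosis_history: set = field(default_factory=set)


def zip_mismatch(ship_zip: str, residence_zip: str) -> bool:
    """Crude locality check: compare the first three ZIP digits (the USPS
    sectional center). A real screen would geocode; this stands in for
    'does it even remotely match'."""
    return ship_zip[:3] != residence_zip[:3]


def equipment_unsupported(equipment: str, history: set) -> bool:
    """True when none of the patient's past diagnoses justify the equipment.
    Unknown equipment codes are treated as unsupported so a human looks."""
    allowed = EQUIPMENT_TO_DIAGNOSES.get(equipment)
    if allowed is None:
        return True
    return not (allowed & history)


def screen_claim(claim: Claim) -> list[str]:
    """Return the triggers fired by one claim (empty list = clean)."""
    triggers = []
    if zip_mismatch(claim.ship_zip, claim.residence_zip):
        triggers.append("SHIP_ZIP_FAR_FROM_RESIDENCE")
    if equipment_unsupported(claim.equipment, claim.diagnosis_history):
        triggers.append("EQUIPMENT_NOT_SUPPORTED_BY_DIAGNOSIS")
    return triggers


def screen_batch(claims) -> dict:
    """claim_id -> triggers for a batch; non-empty entries go to a
    confirmation queue (phone call to the patient) instead of auto-pay."""
    return {c.claim_id: screen_claim(c) for c in claims}


# Constructed sample claims.
SAMPLE_CLAIMS = [
    Claim("C1", "P100", "CPAP", "94110", "94117", {"SLP-01"}),        # clean
    Claim("C2", "P100", "WHEELCHAIR", "33101", "94117", {"SLP-01"}),  # both triggers
    Claim("C3", "P200", "GLUCOSE-MONITOR", "60601", "60614", set()),  # no supporting dx
]

if __name__ == "__main__":
    for cid, hits in screen_batch(SAMPLE_CLAIMS).items():
        print(cid, "CLEAN" if not hits else ", ".join(hits))
```

The point of the rule shape is that each trigger is cheap to evaluate at adjudication time against data the payer already holds; the expensive step (a phone call) only happens for the small fraction of claims that fire.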
  9. Hospital networks are very vulnerable. by 140Mandak262Jamuna · · Score: 5, Interesting

    I have sat in many consulting rooms and examination rooms in the hospitals, with a lone pizza box computer with WindowsNT or Windows64 screen saver. All alone, the computer, its ports all freely available for me to plug anything I wanted, even spare RJ-45 ethernet ports next to it for me to plug in anything I wanted. It would be trivially simple to plug in a USB keylogger dongle to the back USB port.

    Wondering if all the hospital networks are already compromised beyond repair. If the doctors use the same passwords for their hospital account as well as their personal account, they too would be very vulnerable. Some of the doctors I know are surgeons who would wield a scalpel with great confidence and would think it is routine to make a 20 cm long incision across the stomach. But they are scared of the stupid computer and mortally afraid of changing the password, or the default screen saver.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  10. HL7 & MUMPS by James-NSC · · Score: 4, Interesting

    Even with the turn of the millennium, the vast majority of hospital systems still run on HL7 (Health Level 7) and MUMPS (Massachusetts General Hospital Utility Multi-Programming System aka "M").

    HL7 isn't just a standard; it also describes a protocol used for transmitting patient data, which is laughably insecure in the state it was in when I last worked on it in the late 90's. Plain text, no validation, fire/forget, no encryption, no... well, no nothing.

    MUMPS, or M if you prefer, is a programming language designed by the NSA (it must have been, lol; actually it was designed by a couple of Drs). Every variable is global in nature - so if you have an admin token ADMIN, you can set that value anywhere in the running system and it won't care one bit. Rooting M systems is simply a matter of access and knowledge of M.

    Oddly, in M, you can also use shorthand, so i == if (IIRC), and it's contextual, so where in a line a value appears determines the value's type, so i i i is a valid statement, where each i references a completely different variable/value/object. Insanity at its best. Here is a great MUMPS tutorial for those of you that aren't familiar, and for those of you who only know "modern" languages, it's a timely Halloween horror show...
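
To make the "plain text, no validation, no encryption" description concrete, here is a small HL7 v2 parser with the checks a receiving interface engine can apply. This is an added example, not code from the thread or from any HL7 library: the segment and field numbering follows the v2 layout (pipe-delimited fields, `^` components, MSH-8 being the "Security" field that the spec defines but that is almost always left empty), while the ADT^A01 message, facility names and patient values are all invented.

```python
"""Minimal HL7 v2 (pipe-delimited) parser with receiver-side checks.

Added example, not code from the thread or from any HL7 library. It parses a
constructed ADT^A01 message and separates what a receiving interface engine
can verify on its own (well-formedness, message type, required segments,
addressing) from what the wire format gives it no way to verify (who really
sent it, whether it was altered in transit): classic HL7 v2 over a raw socket
carries no signature and no MAC. Field numbers follow the v2 layout (MSH-8
is the "Security" field, defined but almost always empty); all values in the
sample message are invented.
"""

SEGMENT_SEP = "\r"   # each HL7 v2 segment ends with a carriage return
FIELD_SEP = "|"


def parse_hl7(raw: str) -> dict:
    """Return {segment_id: fields} numbered so that SEG-n == fields[n].

    MSH is special: MSH-1 is the field separator itself and MSH-2 holds the
    encoding characters, so its list is rebuilt to keep the numbering uniform.
    Only the first occurrence of each segment id is kept (enough for an ADT).
    """
    segments = {}
    for line in raw.split(SEGMENT_SEP):
        if not line:
            continue
        parts = line.split(FIELD_SEP)
        seg_id = parts[0]
        if seg_id == "MSH":
            parts = ["MSH", FIELD_SEP] + parts[1:]   # MSH-1 = '|', MSH-2 = '^~\&'
        segments.setdefault(seg_id, parts)
    return segments


def field(msg: dict, seg: str, n: int, component: int = 0) -> str:
    """Fetch SEG-n, or its ^-separated component (1-based); '' when absent."""
    fields = msg.get(seg, [])
    value = fields[n] if n < len(fields) else ""
    if component == 0:
        return value
    comps = value.split("^")
    return comps[component - 1] if component <= len(comps) else ""


def patient_summary(msg: dict) -> dict:
    """Pull the identifiers a downstream system would act on."""
    return {
        "mrn": field(msg, "PID", 3, 1),
        "family": field(msg, "PID", 5, 1),
        "given": field(msg, "PID", 5, 2),
        "dob": field(msg, "PID", 7),
    }


def validate_adt(msg: dict, expected_receiver: str) -> list[str]:
    """Checks to apply before trusting the message; [] means accepted.

    Everything here is structural. Nothing in the message lets the receiver
    prove sender identity or integrity; that has to come from the transport
    (mutual TLS, a VPN, or an interface engine that wraps messages).
    """
    findings = []
    if "MSH" not in msg:
        return ["missing MSH segment"]
    if field(msg, "MSH", 2) != "^~\\&":
        findings.append("unexpected encoding characters in MSH-2")
    if field(msg, "MSH", 6) != expected_receiver:
        findings.append("MSH-6 receiving facility is not this site")
    if field(msg, "MSH", 9, 1) != "ADT":
        findings.append("MSH-9 message type is not ADT")
    if not field(msg, "MSH", 10):
        findings.append("MSH-10 control ID empty: duplicates cannot be detected")
    if not field(msg, "MSH", 8):
        findings.append("MSH-8 security field empty: sender is unauthenticated")
    for required in ("PID", "PV1"):
        if required not in msg:
            findings.append(f"missing required segment {required}")
    if "PID" in msg and not field(msg, "PID", 3):
        findings.append("PID-3 patient identifier empty")
    return findings


# Constructed sample: an admit (ADT^A01) for an invented patient.
SAMPLE_ADT = SEGMENT_SEP.join([
    "MSH|^~\\&|HIS|HOSPITAL_A|LAB|HOSPITAL_B|20141022120000||ADT^A01|MSG0001|P|2.3",
    "PID|1||123456^^^HOSPITAL_A^MR||DOE^JANE||19800101|F",
    "PV1|1|I|WARD1^101^A",
])

if __name__ == "__main__":
    msg = parse_hl7(SAMPLE_ADT)
    print(patient_summary(msg))
    for finding in validate_adt(msg, "HOSPITAL_B"):
        print("finding:", finding)
```

Run against the sample, the only finding is the empty MSH-8 field, which is the normal state of the protocol: every structural check passes and the receiver still has no basis for trusting the sender. That is why the mitigation lives below the message layer (transport encryption and authentication between the interface engines) rather than in the message itself.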

  11. Relevant news - interesting timing... by jtara · · Score: 2

    http://www.utsandiego.com/news...

    This goes back 2 years, but just hit the news wires today:

    LA JOLLA — UC San Diego has been targeted by a series of cyber attackers seeking access to sensitive research and other data since 2012 and officials say the so-called advanced persistent threat has prompted the campus to take steps to bolster its security.

    The initial security breach, detected in June 2012, involved the use of stolen passwords by hackers targeting computer servers. University information technology security director John Denune said that no work was lost and no critical research data was accessed.

  12. myopic CIO doesn't understand hackers by Anonymous Coward · · Score: 2, Insightful

    "The only reason to buy that data is so they can fraudulently bill," Probst said.

    Uh, what? You don't think having access to the birthdate, employer, SSN, address and medical history has any use other than fraudulent billing? Good thing he is in the medical field so he can get a CT scan of his navel. Apparently this "CIO" doesn't understand the value of the data he is supposed to be keeping safe.

    This is all the more reason to NOT give healthcare providers your SSN, and to insist that insurance companies use a different customer ID.

  13. Re:Calls from Credit Cards on "Suspicious Activity" by uberdilligaff · · Score: 2

    Good points. Nonetheless, the credit card issuers still have an incentive to minimize fraud, if only to avoid the hassle of fighting with the merchants over who's to blame for the loss and how much they are liable for. They would much rather enjoy wallowing in the usurious interest rates and substantial transaction fees they charge than spend time in court with the merchants.

    --
    Against stupidity, the Gods themselves contend in vain. --Friedrich Schiller
  14. Re:Calls from Credit Cards on "Suspicious Activity" by Obfuscant · · Score: 4, Informative

    > What about debit cards that can be used like credit cards? What's the liability on those?

    It's a debit card. The fact you can use it to pay for something at the checkout doesn't make it a credit card. There is no credit involved.

    > Except that the money is pulled directly from my checking account. I really don't like this feature, but all their cards are like that now.

    All debit cards are like that. And that's why even if your card issuer promises low liabilities for lost or stolen cards, you may have an empty checking account for the entire time it takes to resolve the problem. Compare that to a credit card where the issuer is prohibited by law from acting on any charge that you are disputing.

  15. Re:Ironically, blame HIPAA by TheCarp · · Score: 2

    Then please explain why the single most common reason for a person to be fired from the entire network of hospitals I worked for was inappropriate records access? Perhaps you would like to tell me why one of the major projects then was to move from offline records access auditing to real time auditing and flagging?

    Perhaps you might have some insight into how it failed by causing us to start encrypting all of our laptops?

    The problem with healthcare is momentum. It's huge, there is a lot of it, and it's highly federated and highly disorganized. In fact it's often less a case of "we don't care" and more a case that they tend to be in over their heads keeping up with the infrastructure they have and the way it's growing, and balk at allocating more resources to IT, since it already has eaten up more than they naively expected.

    I have had to watch entire presentations that boil down to "we want to generate terabytes of data at an alarming rate and we don't see why it should cost very much based on just ignoring any other costs and looking at hard drive prices"

    Seriously, the disconnect in healthcare is serious, and I agree the law is only somewhat helping but.... fact is the institutions really are scared of the penalties and those penalties really do trump their other considerations many times.

    It's not perfect, but, on the security front, I have to say, I really think nearly all forward progress on security in healthcare can be directly attributed to it. I mean, I can think of a few minor exceptions like.... general concern about certain rare but frightening events like baby swaps or thefts that caused a good bit of increased security around birthing areas, but aside from that, I can't think of much that wasn't directly HIPAA requirement driven.

    --
    "I opened my eyes, and everything went dark again"
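
The move from offline records-access auditing to real-time flagging mentioned in the comment above, sketched as code. This is an added example and not the commenter's system or any vendor's product: the care-team mapping, the staff-as-patient directory, the access log lines and the thresholds are all constructed, and the three rules (access to one's own chart, access with no treatment relationship, and a burst of unrelated charts in a short window) are chosen as the simplest ones that catch the "inappropriate records access" the comment describes.

```python
"""Real-time flagging of patient record access, as an added example.

Not from the thread; constructed to show the kind of rule that moves from
after-the-fact audit review to live alerting. Assumptions (all invented):
each access event gives a timestamp, user and patient id; a care-team feed
says which users have a treatment relationship with which patients; and a
staff directory maps user ids to their own patient ids where employees are
also patients. Real deployments add break-glass handling and role context.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# user ids with a current treatment relationship, per patient (constructed)
CARE_TEAM = {
    "P-1001": {"dr_lee", "rn_ortiz"},
    "P-1002": {"dr_lee"},
    "P-1003": {"dr_patel"},
}
# staff who are also patients: user id -> their own patient id (constructed)
OWN_RECORD = {"rn_ortiz": "P-1003"}

BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 3   # distinct unrelated patients in one window = browsing


class AccessMonitor:
    """Stateful evaluator: feed events in time order, get flags per event."""

    def __init__(self):
        # user -> deque of (timestamp, patient) for accesses with no relationship
        self._unrelated = defaultdict(deque)

    def evaluate(self, user: str, patient: str, ts: datetime) -> list[str]:
        flags = []
        if OWN_RECORD.get(user) == patient:
            flags.append("SELF_ACCESS")            # looking up your own chart
            return flags
        if user in CARE_TEAM.get(patient, set()):
            return flags                           # legitimate clinical access
        flags.append("NO_TREATMENT_RELATIONSHIP")
        window = self._unrelated[user]
        window.append((ts, patient))
        while window and ts - window[0][0] > BURST_WINDOW:
            window.popleft()                       # drop events outside the window
        if len({p for _, p in window}) >= BURST_THRESHOLD:
            flags.append("BROWSING_BURST")         # many unrelated charts quickly
        return flags


def parse_event(line: str):
    """'2014-10-22T09:00:00 user=dr_lee patient=P-1001 action=view' -> tuple."""
    stamp, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(stamp), kv["user"], kv["patient"]


def audit_log(lines) -> list:
    """Evaluate every event in order; returns (user, patient, flags) per line."""
    monitor = AccessMonitor()
    out = []
    for line in lines:
        ts, user, patient = parse_event(line)
        out.append((user, patient, monitor.evaluate(user, patient, ts)))
    return out


# Constructed access log lines (chronological).
SAMPLE_LOG = [
    "2014-10-22T09:00:00 user=dr_lee patient=P-1001 action=view",
    "2014-10-22T09:01:00 user=rn_ortiz patient=P-1003 action=view",
    "2014-10-22T09:02:00 user=dr_patel patient=P-1001 action=view",
    "2014-10-22T09:03:00 user=dr_patel patient=P-1002 action=view",
    "2014-10-22T09:04:00 user=dr_patel patient=P-1004 action=view",
    "2014-10-22T09:30:00 user=dr_patel patient=P-1001 action=view",
]

if __name__ == "__main__":
    for user, patient, flags in audit_log(SAMPLE_LOG):
        if flags:
            print(f"ALERT {user} -> {patient}: {', '.join(flags)}")
```

The same rules can run over a nightly export, but the difference the comment points at is latency: evaluated on the live event stream, the burst rule fires on the third unrelated chart rather than weeks later in a report, when the damage (and the disclosure obligation) is already done.
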
  16. Re:Ironically, blame HIPAA by ShanghaiBill · · Score: 2

    > You had me at HIPAA, lost me at Obamacare. Wouldn't new regulations been a perfect time to upgrade those legacy systems?

    HIPAA doesn't require secure systems. It requires completed checklists. As long as the legacy systems pass the checklist, why replace them?

  17. Re:Calls from Credit Cards on "Suspicious Activity" by stoatwblr · · Score: 2

    Depends where you are in the world.

    UK banks have almost all signed into a debit card agreement which gives the same protections as credit cards.

    Card fraud doesn't cost you or the bank anything. The merchants are left holding the bag (lost merchandise AND money) and often collect horrific extra fees from Visa et al on top.