The Next Data Theft Target: Your Medical Records
If you think Target and Neiman Marcus have done a lousy job of protecting your personal information, you may want to have a serious talk with your healthcare provider.
The impact of attacks on major retailers could be tiny compared with what’s likely to happen with even more sensitive data: our electronic medical records. That’s because healthcare organizations are doing an even worse job of protecting it than the big stores are, according to a report to be released tomorrow by cyber-security firm Norse Corp. and the SANS Institute, a security research and educational organization.
According to the report, millions of healthcare organizations have likely had their networks exploited by cyber-criminals or infected with malicious software that can be used to steal patients’ personal health information.
Follow the money, honey
Norse obtained this data by setting up “honeypots” — sensors designed to trap malicious traffic sent across the Internet — and then it traced the data packets back to their sources. Over a 13-month period, Norse uncovered compromised machines at 375 healthcare organizations. Nearly three-quarters of them were doctors’ offices and hospitals, with the rest divided among other healthcare-related companies.
In addition to computers and networking equipment, compromised devices included printers, video conferencing systems, call center software and X-ray machines. The danger is that attackers could use an “edge system,” an off-the-shelf device like a printer, to ultimately gain access to databases of patient records.
Thieves could then sell your stolen personal health information on the Internet black market, use your credentials to obtain medical services and devices for themselves and others, or bill insurance companies for phantom services in your name.
Medical ID theft is worse than financial identity theft, because there are fewer legal protections for consumers. Many victims are forced to pay out of pocket for health services obtained by the thieves, or risk losing their insurance and/or ruining their credit ratings.
According to a survey conducted by the Ponemon Institute last September, some 1.84 million Americans were victims of medical identity theft in 2013, costing them an estimated $12 billion in expenses. Two-thirds of victims said they paid nothing at all; the other third claimed to have paid an average of more than $18,000 apiece.
(Institute Chairman Larry Ponemon admits that those dollar figures are estimates and that some of the financial data collected in the survey defies easy explanation.)
Worse, someone obtaining medical services in your name could result in inaccurate information being included in your medical records — such as procedures you never had or medications you don’t take — with potentially disastrous results.
All in the family
Are our healthcare records at risk? Absolutely. Do healthcare providers do a poor job of protecting them? If this survey is any indication, then the answer is yes.
But it’s also important to understand what the report did not say.
The report did not uncover any actual breaches of personal health information or find that attackers were targeting these organizations specifically to obtain medical records. It found no evidence that the federal insurance marketplace, HealthCare.gov, has suffered any security breaches.