Neither of these articles establishes why EHRs are any more valuable than identity information. The same things can be said about any service that stores profiles including SSNs.
The article alludes to "medical" abuses of stolen EHRs, but doesn't explain how these abuses rely on anything more than identity information.
I'm left skeptical, especially because the author has something to sell.
How about this: Medical offices have poor infosec practices.
There are many small doctors offices where the doctor is the executive.
A vendor will convince the doctor that their suite of software and hardware will solve all of their problems.
The doctor buys the package, and because they believed the vendor, they don't do anything more about security.
Then the doctor finds that the package doesn't work with X supplier or whatever, so the doc buys another package from another vendor, but keeps the old stuff.
The surface area is large and fertile.
So it's not necessarily that EHRs are particularly valuable, but that they are particularly available.
There's no need to make a point that EHRs are somehow any more valuable than identity information - being a common source of identity information is sufficient to get targeted, especially as all the other sources of identity data are (slowly) hardening their systems and processes.
"any service that stores profiles including SSNs" isn't a particularly wide qualifier. The narrow domain of such services has had a long history of learning how to do that properly, and there really aren't any major new domains that are just starting to have stores of data that's useful for identity theft but weren't electronically available before - except EHRs, which are useful to current criminals, were just recently made electronic, and are poorly secured since this problem is new for them.
Interesting. So an attacker can just get someone's info, then schedule an appointment and pretend to be that person? Seems like this could be blocked just by having the health companies keep a photo on file and verifying it before anything expensive.
And are there lots of cases of people stealing ID just to get medical care? That's both sad and pretty interesting. Do they catch a lot of people trying this? Even $1200 for a "kitz" sounds like a great deal given the cost of US medical services. I'd guess there's a fairly low risk of getting caught once you leave the hospital.
Most doctors ask for ID now. Even as recently as 10 years ago that was a rare practice. So, yes, it was possible to get medical services under someone else's name and even possible to execute an illegal adoption that way; I have a cousin (in his 30s now) who was "adopted" like that. My aunt was unable to have children but really wanted them; she also had a minor criminal record and wasn't well off financially, so she'd never be able to legally adopt. One of her friends had an unwanted pregnancy. Aunt convinced friend to give birth assuming my aunt's name, and my aunt took the baby home.
But if you show the doctor a fake drivers license you're set, right? I mean, the doctor/insurance company isn't verifying your ID against their records.
How is your friend taking the news? I can't imagine the level of sadness at the thought of your own biological birth mother giving you up like that. Freud says they go through their whole life trying to avoid abandonment.
I'd imagine the sadness easily turning into some sort of aimless wrath. It's like being told you've lived a lie to save the birthgiver's face. Maybe that's what happened to Paul Le Roux when he found out he was not only adopted but that they didn't even bother giving it a name.
Um...wtf? Are you replying to the right post? What news? It was never a secret, my cousin always knew he was adopted and nobody was ever sad.
The situation is exactly like any other adoption; it was just informal in that it didn't involve the government. It worked out very well for everyone involved. Adoption happens every single day.
"Lede" is the newspaper term, "lead" refers to a toxic metal element, or to someone who is followed.
Also, the second part basically just says "they sell them, they're worth this much", but doesn't really get into why others are willing to pay that much.
> Although evidence dates the spelling to the 1970s, we didn't enter lede in our dictionaries until 2008. For much of that time, it was mostly kept under wraps as in-house newsroom jargon.
In fact, lede is a deliberately misspelled version of "lead"; like TK, it exists to be picked easily out of copy without being confused by the real text.
So it's especially strange to criticize the use of the word "lead".
Yeah, I've had this conversation a few times. I think that there are some known reasons for the theft, but the black market for this stuff is pretty opaque. I imagine that if you're in the business of cybercrime, you diversify, and one option is stolen health records.
I read the article and didn't catch what the criminals are doing with the data. So ransom attacks are a diversion so they can exfiltrate the data quietly. Are they engaging in identity theft? Are they blackmailing people? What exactly are they doing?
EDIT: Prior to Snapchat, I envisioned an iOS application that would track the "chain of custody" of images and electronic documents. iOS isn't perfect, but it is one of the more secure platforms for this kind of app. A cloud-based server would manage keys, which would only be available per-use of each document. Is that what protenius is doing? Such a system would provide ample data for detecting fraudulent use of medical records.
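The comment above sketches a server that holds document keys, hands out a key only per use, and keeps a record of custody that could feed fraud detection. The following is an added example of that idea, not code from the commenter or from any vendor named in the thread. All names (`KeyCustodian`, `flag_bulk_access`, the sample users and documents) are hypothetical, it uses only the Python standard library, and the HMAC-based per-use key derivation stands in for whatever a real KMS would do; the sample access traffic is constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets
from collections import defaultdict


class KeyCustodian:
    """Hypothetical key server: one master key per document, never released.

    Each release derives a single-use key bound to a fresh nonce and appends
    a custody entry to a hash-chained log. Every entry carries the SHA-256 of
    the previous entry, so editing or deleting a record breaks the chain and
    verify_chain() reports it.
    """

    def __init__(self):
        self._master = {}            # doc_id -> (32-byte master key, patient_id)
        self.log = []                # custody entries, oldest first
        self._prev_hash = "0" * 64   # chain anchor for the first entry

    def register(self, doc_id, patient_id):
        self._master[doc_id] = (secrets.token_bytes(32), patient_id)

    def release(self, doc_id, user, purpose, ts):
        """Return a per-use key for doc_id and record who took it and why."""
        master, patient_id = self._master[doc_id]
        nonce = secrets.token_hex(16)
        # Stand-in for a KMS: the derived key is only useful for this nonce,
        # and the master key stays on the server.
        per_use_key = hmac.new(
            master, f"{doc_id}:{user}:{nonce}".encode(), hashlib.sha256
        ).digest()
        entry = {"ts": ts, "user": user, "doc": doc_id, "patient": patient_id,
                 "purpose": purpose, "nonce": nonce, "prev": self._prev_hash}
        entry["hash"] = _entry_hash(entry)
        self._prev_hash = entry["hash"]
        self.log.append(entry)
        return per_use_key

    def verify_chain(self):
        """True if no custody entry has been altered or removed."""
        prev = "0" * 64
        for e in self.log:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _entry_hash(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def _entry_hash(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def flag_bulk_access(log, window, max_patients):
    """Users who pulled keys for more than max_patients distinct patients
    within any sliding window of `window` seconds (a bulk-exfiltration signal)."""
    by_user = defaultdict(list)
    for e in log:
        by_user[e["user"]].append((e["ts"], e["patient"]))
    flagged = set()
    for user, events in by_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({p for _, p in events[start:end + 1]}) > max_patients:
                flagged.add(user)
                break
    return flagged


def demo():
    """Constructed traffic: a nurse on three patients over an hour (normal),
    and a second account sweeping 40 patients in under five minutes."""
    c = KeyCustodian()
    for i in range(40):
        c.register(f"doc{i}", f"patient{i}")
    for i in range(3):
        c.release(f"doc{i}", "nurse_a", "treatment", 1000 + i * 1200)
    for i in range(40):
        c.release(f"doc{i}", "contractor", "billing", 5000 + i * 7)
    return c, flag_bulk_access(c.log, window=300, max_patients=10)


if __name__ == "__main__":
    custodian, flagged = demo()
    print("flagged:", flagged, "chain intact:", custodian.verify_chain())
```

The log is the point of the design: because a key is only ever issued against a recorded (user, document, purpose, time) tuple, the same store that enforces per-use release is also the evidence base for detection, and the hash chain keeps an insider from quietly trimming it afterwards.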
There exist articles describing hospital systems who have been victims of ransomware attacks. There are suggestions that some companies have paid the fee to decrypt the data. Also I believe the fee has been higher than what the average end-user experiences.
I don't mean to be condescending but the only thing I learned from this article is this 88% statistic (and the linked source timed out while trying to load it)
This seems like marketing speak at its finest, trying to land some of the readers' within the customer target demographic of this company.
I actually got the article to load but it also alludes to some other study that says 88% again with no link to the source material.
Another "source" on that linked article just takes me to an email contact form.
While I do not agree that hospitals are lacking in their security practices and that most EHRs are archaic pieces of software with little concern for security I find a lot of what this article presents as word of mouth marketing garbage.
I also take issue with the fact that this article does not offer any solution to this problem other than 'get good scrub'
I'm completing my thesis on EHR systems, and poor security is a huge issue for almost all healthcare software - but it's a symptom of a larger issue - the cost of distributing new software to healthcare institutions.
"Victims can easily spend thousands of dollars and hundreds of hours simply trying to put their life back together."
While that may or may not be true, this particular post certainly is nothing more than a piece of propaganda. For example, HIPAA regulations require PHI to be encrypted in transit and at rest, contrary to what this post tries to scare readers with. In general, healthcare organizations tend towards being extraordinarily conservative when it comes to security and require providers to jump through unnecessary hoops to access data. Citrix seems to be deployed widely across hospitals, which is a pretty blunt security instrument for things like even access to email. It's true that there is tons of work to be done to improve security and access to healthcare data, but for pretty much none of the reasons stated here. Lastly, how exactly is patient data a virtual gold mine? Given the risk of dealing with federally protected data, is there a marketplace for actually selling stolen PHI for a reasonable return?
>"For example, HIPAA regulations require PHI to be encrypted in transit and at rest"
Really? What about all those records faxed back and forth between health care providers.
>"Lastly, how exactly is patient data a virtual gold mine"
Take an antidepressant? Have an STD? Abortion? Treated by a psychiatrist? I would imagine a lot of people would pay a bitcoin or two not to have those issues become public.
Faxes are a special case, and are exempt, I think. Plaintext email, for instance, would not ordinarily be allowed to contain patient health information.
I work in the space, and can say for certain that while everyone talks a good game about their encryption and compliance policies, the reality is often a bit different.
A few years ago I had my identity stolen by someone from a large hospital on the east coast. They charged about $20K of merchandise, opened about 6-7 credit cards and failed to open a few more before I started getting bills in the mail. It took me dozens of hours and weeks on the phone to get things cleared up. They caught the person on Target surveillance camera and finally arrested and charged them at the federal level. There were ~40 other people who had their info stolen as well. They went to prison and will be there for a few more years.
The whole ordeal was a fairly stressful thing to deal with right after having major surgery. I looked into my legal options after I cleared things up, but I couldn't get anyone to seriously listen to my case. I wanted to know whether the hospital was responsible, but I guess I didn't know who to contact (the right lawyer, etc). Everyone I contacted either wasn't able to help me or didn't know who I should contact.
Indeed. If you believe HIPAA has ensured everything is encrypted, you've been suckered by the Potemkin village that is EHR compliance pencil-whipping. The work is farmed out to all sorts of fly-by-night shops that are expert at passing the audits and filling out the applications that make the grant money flow and get the necessary boxes ticked with the feds.
It kind of depends, I think. I work with some really great companies who take this stuff very seriously and do a really good job. There is however a gigantic attack surface. The vulnerability to plain old spear phishing alone is gigantic.
Additionally a lot of hospitals have too few, poorly paid and trained IT staff running their in house infrastructure. This is a big mistake, but they think doing it this way is more secure.
And, as you suggest, there are some bad actors. Fortunately there's been a lot of consolidation on the EHR side that's wiped out a lot of the fly-by-night operations. Third party contractors are of course another story and a mixed bag.
Anyone who has exposure to the industry and an ounce of sense would realize there are a ton of security vulnerabilities. Patchwork implementation of encryption is just one of many ills.
The tl;dr is:
Sell patient info repeatedly on the black market, using the profits to fund other activities
Obtain expensive medical equipment, prescriptions, or procedures
Commit tax fraud
Expose or blackmail specific individuals, such as politicians or celebrities
Receive medical care
Undergo surgery
Purchase or sell prescription or controlled drugs
*edit grammar fix