I'm just brainstorming here, based on my observations of the medical system in passing, or rather on flaws I've seen in my own interactions with healthcare.
Why?
Healthcare systems provide access to the same information people use for nefarious purposes like tax return fraud, welfare fraud, and identity theft. They are often not integrated, so each system is standalone in each facility and has only whatever security the company felt the system warranted. Not a single computer per se, but more likely a thin-client network for one specific system. Custom software has to be written to integrate these systems with each other, so where two independent systems are involved there are really three possible points of non-secured entry, once you count the custom integration system.
In a lot of companies, on development projects, someone will ask a question like "Is it only going to be used internally?" If so, the answer more often than not is "Then leave it up to the IT department to lock down the workstations and restrict access." I'm guessing healthcare companies, like other companies, often scrimp on costs as well, so if they weigh the cost of a breach against the cost of a payout, it might not be worth it to them to build in the more expensive security precautions. In my experience, there is often an assumption that a medical company's legal representation would far outweigh that of individuals and moderately sized groups. If this is true, then again the financial benefit of not securing the system is still worth it to the shareholders (if we only look at the bottom line). If the responsibility for the loss of information doesn't fall on the companies, then they are off the hook. Also, it might be up to the patient to prove beyond a reasonable doubt that this specific breach is what caused their identity to be stolen (an unreasonable burden of proof).
Nobody is going to shut down a hospital because of an information breach.
Healthcare systems tend to contain some of the most complete information about a person. While a tax return will have information such as an address, an employer's address, and potentially a phone number or bank account, medical records (depending on the system) will contain this information and more: connections to other patients in the same system, bank account information, payment information, insurance account information, and the family medical history. If it's a family clinic, patients are likely to bring in their children for a checkup, so the children's information is in the system before it's in a system like the credit system.
Points of entry
Individual healthcare systems are likely easier to hack. While there are guidelines, there are multiple physical points of entry. Someone can hack a system on the network where the developer didn't think an exploit could take place: MRI machines, copy machines, fax machines, printers, network scanners, x-ray machines, etc. How often is someone left alone with a terminal in the room for long stretches of time while they wait? Even if the terminal is locked down, someone could attach a hardware keylogger, wait, and then retrieve it when the medical staff leave the room again to let the patient get dressed. That situation typically doesn't arise with IRS systems.
Most insurance companies require referrals, so the same information is spread across more places. Compare a single tax return for the year with four or five visits to several different doctors' offices for something as simple as a broken finger: primary care physician, emergency room, specialist, quick care, etc.
Lack of detection
Another fraud aspect, not necessarily social engineering, might involve billing someone for a service that has yet to be billed. Say Alice goes to the doctor for an MRI. While the real medical system is working through all of the red tape with the insurance companies, Bob sends Alice a strongly worded letter with a legitimate-looking address and payment processing information. Alice pays the bill thinking it is from the healthcare provider. If Alice instead takes this bill to the medical provider and pays it there, they will simply apply it to her account when she tells them she needs to make a payment. They're interested in getting the money, so they might not even look at the forged bill, but will instead ask the typical verification questions:
“Do you still have Company X as your insurance provider?”
“What’s your Last Name?”
“When is your Birthday?”
Also, the person may neglect to bring the fake bill with them, assuming it would be in the system, so there is less chance of red flags being raised in non-tech-savvy systems.
Market research
Since companies aren't legally allowed to share medical information about individuals outside of some sort of generic research (studies), having a database of information tied to specific demographics might be helpful if you were, let's say, developing pharmaceuticals. Now they can have real, viable marketing information based on prescriptions. Not to mention the external prescription systems in drug stores that don't have the security of a national chain.
Unlikely, but still possible
These last few are a little further out there, so they're less likely to come from an individual seeking out another individual, but a larger organization looking for information might be the right kind of buyer. Buyers might include foreign governments, political parties, lobbying firms, stock brokerage firms, pharmaceutical companies, and multinational banks.
As @Dr_Grinch suggested on Twitter, political embarrassment could potentially force a person out of public office, or keep them from running again or from winning a political race. (Beat me to it, Grinch.)
Blackmail with sensitive information could give someone insight into a hidden realm, for instance insider-trading insights for people who blackmail politicians who already legally engage in insider trading.
While something like herpes might not be that bad for most people (publicly), finding a Supreme Court Justice or Congressional representative who has cancer markers or a bad heart could be pretty serious for interested parties.
Targeting of a specific patient for murder or to get them out of office
When someone has a medical condition, and let's say this person is a high-value target, something like a heart condition might be a good cover in the event of an unforeseen catastrophic loss. If a country external to the breach had intended to take out a target, a medical breach might give them inside information about an appropriate means of cover-up. "Heart attack? Seems plausible based on their medical history."
Stalking / Espionage
Medical information could be used to locate a specific patient who is no longer residing at their primary residence. It could also be used to find patterns of when the person will be out of the area, which is useful for a localized attack: a regular doctor's appointment on Tuesday is a good time to bug the house or rob the place. Need a list of places to set up illicit operations? Find empty houses.
Market for locating individuals
Also, all of this information in medical systems is much more thorough, since people need to provide contact information in case of emergency. This type of information may be helpful to agencies that try to track people down as well. Bob is off the grid, but Alice lists Bob as an emergency contact. Charlie needs to find Bob for a client and buys the information.
Sorry, maybe I went a little overboard, but if I can think of these things, I'm sure other people have already beaten me to the punch.