The idea of hackers holding electronic medical records for ransom sounds like the stuff of a final Die Hard installment. But medical hacking and biomedical fraud are growing areas of concern for the healthcare industry... and for Americans receiving medical care. Although only a few isolated cases have been spotted, the ease with which they can be committed are alarming.
In late July, an interesting story came out of Chicago's suburbs: Hackers broke into a small medical practice's server, encrypted patients' electronic medical records (EMRs) and emails, and demanded a ransom. Instead of paying the ransom, the Surgeons of Lake County turned the server off and called police. It is not known whether the hackers who targeted the Surgeons of Lake County also extorted other businesses--but federal-mandated HIPAA records indicate 37 hospitals and doctors' offices nationwide have been hacked since 2009, resulting in the theft or damage of patients' medical records. The HIPAA records do not count hacks in which less than 500 patients' information was stolen or damaged, or cases in which only credit card or checking account information was stolen. In addition, they only count voluntary disclosures of successful hacking attacks. Due to these restrictions, the true number of hospitals targeted is likely higher.
Following the theft of Surgeons' medical records, their office issued a press release and, in a mea culpa, offered free credit monitoring services to patients. Confidential medical information, credit card numbers, social security numbers, and home addresses belonging to the medical practice's patients were all lifted during the hack.
EMRs, the same electronic health records stolen in the Illinois case, help streamline health care, minimize mistakes, and make--in most cases--the lives of patients and healthcare providers much easier. But they can also be stolen for credit card fraud or for healthcare theft. Healthcare theft is a growing criminal field, often tied to organized crime, in which uninsured patients use a stolen identity belong to another person for healthcare reasons. These include forged prescriptions for drugs, inpatient or outpatient care, or fraudulent healthcare lawsuits. The criminal gets the medical care; some poor schmoe and their insurance company receive the bill. At the very least, the victim has to deal with time-consuming piles of paperwork to resolve the problem. More often, credit records and access to healthcare are effectively ruined.
According to the HIPAA records, nearly 21 million Americans have had their EMRs stolen or lost since 2009. The largest single theft was from TRICARE, the Defense Department's civilian healthcare program for Armed Forces members, retirees, and their dependents. In 2011, 4.9 million TRICARE members' EMRs entered into the public sphere after one of their subcontractors lost a huge cache of back-up tapes. The tapes contained sensitive personal data such as clinical notes, laboratory test results, and prescriptions.
In May 2012, federal prosecutors charged a medical technician at Washington's Howard University Medical Center with the systematic theft of patients' personal information, including Medicaid ID numbers. This information was then sold to third parties. Shortly after the Howard University theft was announced, the Utah Health Department announced a massive data breach--Eastern European hackers had stolen 280,000 Utah residents' personal identification, social security numbers, diagnosis information, and medical billing information. Financial information such as credit card numbers or checking account numbers were not compromised.
However, a much more worrying--and dangerous--form of medical hacking is creating counterfeit medical devices or hacking existing ones. Counterfeit medical devices are a huge problem; according to the World Health Organization, 8% of medical devices worldwide were counterfeit as of 2010. Although the counterfeit insulin pumps, condoms, contact lenses, and surgical equipment are mainly found abroad, many find their way Stateside due to insecure supply chains.
The Food and Drug Administration has been circumspect about counterfeit medical devices being found in the United States. However, their British counterparts the MHRA have publicly warned about the risk of counterfeit devices, saying “most UK cases have involved the supply of counterfeit devices direct to consumers rather than healthcare professionals, through small retail outlets.”
For the federal government, monitoring counterfeit medical devices and their infiltration of American stores and hospitals is an issue. Benjamin Jun, Cryptography Research's CTO and a specialist in supply chain counterfeiting issues, told Fast Company that due to the nature of the supply chain for medical devices and accessories, unauthorized and counterfeit devices occasionally appear on the American market.
Medical devices themselves can also be hacked. Dale Nordenberg, a managing director at Pricewaterhousecoopers' Health Industries groups and former CIO for the Centers for Disease Control, has repeatedly warned of the risk of medical device hacking. At the Amphion Forum, a July conference for the security community in Washington, computer security expert and diabetic Jay Radcliffe demonstrated how he discovered critical security lapses in Medtronic insulin pumps that could let hackers remotely kill patients by manipulating the amount of insulin pumped. By manipulating insulin pumps remotely, criminals could kill or seriously injure targets; their crime, meanwhile, would be likely to escape detection from law enforcement unaware insulin pumps could be hacked. Radcliffe successfully hacked his own insulin pump and discovered massive loopholes for cybercriminals. Radcliffe first demonstrated the hack at the 2011 Defcon in Las Vegas.
Kevin Fu, a professor at the University of Massachusetts-Amherst, conducted research that discovered many medical devices use poorly developed code that often leads to deaths, injuries, or security lapses. There is no cross-medical industry protocol for coding QA and testing; as a result, software holes often aren't discovered until equipment fails in the field.
Electronic medical record theft is already commonplace, while poorly designed medical technology and counterfeit devices create new opportunities for 21st century criminals. As the incident in Illinois and Radcliffe's self-hack prove, criminals already have the tools for ambitious medical crimes... the question is what happens next.
Image: Flickr user Tiffany Terry
Clarification: Radcliffe first demonstrated how to hack an insulin pump at Defcon, not the Amphion Forum.