Why Electronic Medical Records are Attractive to Hackers
Part of our Forensics practice at Evidence Solutions, Inc. includes Electronic Medical Record (EMR) / Electronic Health Record (EHR) forensics. We take special interest in hacking events that affect Electronic Medical Record (EMR) Systems.
In April of 2012, Utah’s Department of Technology Services (DTS) and Utah’s Department of Health (UDOH) announced that over 280,000 EMRs from their Medicaid and Children’s Health Insurance Plan were stolen by hackers allegedly operating from Eastern Europe. The number of records stolen increased to an estimated total of 780,000 by the end of April 2012.
In December of 2013, hackers are estimated to have accessed data on a software development server in Vermont 15 times before being noticed. The server was owned by Vermont Health Connect (VHC), the state's health insurance exchange arm of the Affordable Care Act. The attack was tracked back to a Romanian IP address and went undetected for approximately one month. Fortunately, the system that was hacked contained only test data; there was no “real” data on the server.
In May of 2014, the State of Montana's Department of Public Health and Human Services (DPHHS) announced a hack which impacted up to 1.3 million individuals. The hack, which is also believed to have originated in Eastern Europe, attacked Montana’s DPHHS roughly 17,000 times an hour until the system was successfully breached.
Between April and June 2014, Community Health Systems (CHS), based in Franklin, Tennessee, was compromised and an estimated 4.5 million patient Electronic Health Records (EHR) were accessed. In this case the hack was believed to be based out of China. CHS operates 206 hospitals in 29 states and is currently conducting further investigations into the attack.
This is by no means a complete list of the EMR Systems which have been attacked. The trend toward hitting large targets, however, appears to be growing. Health care leaders need to be more diligent than they have been in terms of security. While external attacks are becoming more common, other threats include lost laptops and unauthorized access to records. The health care industry needs to defend against sophisticated cybercriminals who seek critical medical data to commit fraud or turn a profit.
While the value of stolen credit cards, Social Security Numbers, Identities and Electronic Medical Records varies, several sources we found indicate the following “sales prices”:
Social Security Numbers: from $0.25 to $3.00 each
Credit Card Numbers: from $2.00 to $9.00 each
Identities: from $5.00 to $10.00 each
Electronic Medical Records: from $100.00 to $1000.00 each
So why are medical records so valuable? Not only do medical records contain Personally Identifiable Information (PII) such as name, address and Social Security number, they also contain eligibility information and health insurance identification numbers which could allow someone to receive free medical care, including surgery.
Finally, children’s records are particularly valuable to cyber criminals because children have no credit report or bank account, which makes it difficult to monitor them for identity theft. It is possible for their identity to be exploited for years before it is uncovered. According to a report published by AllClear ID, the percentage of identity theft for children 5 and under doubled between the 2011 and 2012 data. The company says: “10.7% of the children scanned from our data were victims of identity theft. This is 35 times greater than the rate of identity theft seen in adults in the same population.”
There is no doubt that some of the data used to steal these children’s identities was obtained from EMR Systems.
ABOUT THE AUTHOR: Scott Greene of Evidence Solutions, Inc.
For over 30 years, Scott Greene has been helping companies meet the challenges of the swiftly evolving computer technology industry.
Directly from high school, Scott went to work for IBM. Scott studied Systems Engineering at the University of Arizona. He has since earned certifications in many products and programming languages.
The Evidence Solutions team analyzes data from Computers, Cell Phones, Black Boxes, Dispatch Systems, Medical Records, Email systems and more. Scott then explains the digital evidence in plain English.
Scott’s extensive knowledge draws clients to him from all over the United States as well as internationally for consulting, forensics and expert witness services. His extensive and diverse experience allows him to be an expert in many facets of digital and electronic evidence. Scott, a sought-after speaker and educator, travels throughout the country sharing his knowledge and presenting to local, regional, national and international organizations.
Copyright Evidence Solutions, Inc.
Disclaimer: While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer. For specific technical or legal advice on the information provided and related topics, please contact the author.