How Safe Are Your Medical Records?

Eric Smith, assistant director for information security and networking at Bucknell University, and Shana Dardan, assistant professor of information systems, in the server room at Susquehanna University.

But why would someone steal medical records? Who could possibly care about someone’s twisted ankle or ingrown toenail? Actually, medical identity theft and insurance fraud are the current flavor of choice for organized crime. The reason: risk of being caught is lower than for financial identity theft or cocaine trafficking (which is what organized crime switched from when moving into health-records theft), and the risk of imprisonment is even lower.

In addition to the lowered risks, the monetary gain can be enormous. Malcolm Sparrow, a Harvard University professor who has written extensively on the topic, estimates that health care fraud amounts to about 3 to 10 percent of all health care costs—between $120 billion and $500 billion per year. Most people are aware of fraud associated with double-billing, or padding. But a growing aspect of fraud is medical identity theft. Lack of health insurance, although a motivator, is not the biggest reason that people purchase medical identities. Fears that future employment, life insurance, or even health insurance could be affected by mental or physical illness drive people to buy medical identities on the black market so that they can get care without those illnesses showing up on their records.

NEARLY A YEAR AGO, protected by a legal umbrella arranged by the general counsels of Susquehanna and Bucknell and an intellectual property rights and contracts lawyer, we began plotting our experiment. We deliberately selected a hospital that has a strong IT security staff and is HIPAA compliant. The hospital we worked with remains nameless for security reasons; but on completion of the security assessment, we gave it a more than 6,000-page report on its network and the vulnerabilities we found.

We chose two students from Susquehanna University to join us for part of the research—Tom Thayer and Joe Leader, both ’08 graduates. Liability and sensitivity to the hospital prevented us from allowing them to join fully. We planned a multivector attack using ARP spoofing, packet stripping (see glossary) and more plain-vanilla password attacks on routers. Because of our specialized knowledge in wireless network attacks, the initial plan was to attack the hospital’s wireless network.

We began, however, with an assessment of the Apfelbaum Building’s network on the Susquehanna campus to orient Thayer and Leader to the methodologies and security tools we would be using. Mark Huber, the CIO (chief information officer) at Susquehanna, graciously allowed us to “muck about” on the network and use it as a teaching tool.

Several weeks later, we moved on to the hospital. As part of our agreement with the hospital, we tested a specific segment of the wired network. That is, we were given access to a specific part of the network. Within an hour, we were able to break into more sensitive areas of the hospital, and within several hours we had complete access to every aspect of the institution—including CEO and security administration accounts and full control over routers, the power grid and medical records. While we purposefully asked for a fake medical record to run tests on, we verified that we could have taken more than 3 million medical records and could have transmitted them offsite.

The control of the power grid was, perhaps, the most disconcerting part of the assessment. By changing a password so that only we could speak to it, and then following with a command to turn it to “off,” we could have disabled the hospital. This went far past our initial goal of stealing medical records or medical identity theft, and perhaps right into a very possible method of terrorism. 
