How Safe Are Your Medical Records?
In addition to the lowered risks, the monetary gain can be enormous. Malcolm Sparrow, a Harvard University professor who has written extensively on the topic, estimates that health care fraud amounts to about 3 to 10 percent of all health care costs—between $120 billion and $500 billion per year. Most people are aware of fraud associated with double-billing, or padding. But a growing aspect of fraud is medical identity theft. Lack of health insurance, although a motivator, is not the biggest reason that people purchase medical identities. Fears that future employment, life insurance, or even health insurance could be affected by mental or physical illness drive people to buy medical identities on the black market so that they can get care without those illnesses showing up on their records.
NEARLY A YEAR AGO, protected by a legal umbrella arranged by the general counsels of Susquehanna and Bucknell and an intellectual property rights and contracts lawyer, we began plotting our experiment. We deliberately selected a hospital that has a strong IT security staff and is HIPAA compliant. The hospital we worked with remains nameless for security reasons; but on completion of the security assessment, we gave it a more than 6,000-page report on its network and the vulnerabilities we found.
We chose two students from Susquehanna University to join us for part of the research—Tom Thayer and Joe Leader, both ’08 graduates. Liability and sensitivity to the hospital prevented us from allowing them to join fully. We planned a multivector attack using ARP spoofing, packet stripping (see glossary) and more plain-vanilla password attacks on routers. Because of our specialized knowledge in wireless network attacks, the initial plan was to attack the hospital’s wireless network.
We began, however, with an assessment of the Apfelbaum Building’s network on the Susquehanna campus to orient Thayer and Leader to the methodologies and security tools we would be using. Mark Huber, the CIO (chief information officer) at Susquehanna, graciously allowed us to “muck about” on the network and use it as a teaching tool.
Several weeks later, we moved on to the hospital. As part of our agreement with the hospital, we tested a specific segment of the wired network. That is, we were given access to a specific part of the network. Within an hour, we were able to break into more sensitive areas of the hospital, and within several hours we had complete access to every aspect of the institution—including CEO and security administration accounts and full control over routers, the power grid and medical records. While we purposefully asked for a fake medical record to run tests on, we verified that we could have taken more than 3 million medical records and could have transmitted them offsite.
The control of the power grid was, perhaps, the most disconcerting part of the assessment. By changing a password so that only we could speak to it, and then following with a command to turn it to “off,” we could have disabled the hospital. This went far past our initial goal of stealing medical records or medical identity theft, and perhaps right into a very possible method of terrorism.