Medical Records Worth More To Hackers Than Credit Cards
HughPickens.com writes Reuters reports that your medical information, including names, birth dates, policy numbers, diagnosis codes and billing information, is worth 10 times more than your credit card number on the black market. Fraudsters use this data to create fake IDs to buy medical equipment or drugs that can be resold, or they combine a patient number with a false provider number and file made-up claims with insurers, according to experts who have investigated cyber attacks on healthcare organizations. Medical identity theft is often not immediately identified by a patient or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected. Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, says Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company. He obtained the data by monitoring underground exchanges where hackers sell the information. Plus "healthcare providers and hospitals are just some of the easiest networks to break into," says Jeff Horne. "When I've looked at hospitals, and when I've talked to other people inside of a breach, they are using very old legacy systems — Windows systems that are 10 plus years old that have not seen a patch."
It will if it's pre-OS X (Score:2)
Mac OS 1-8, and to some extent 9, kept remote hackers away. Largely due to missing functionality, it was considered the most secure platform at the time.
Re: (Score:2)
Mac OS 1-8, and to some extent 9, kept remote hackers away. Largely due to missing functionality, it was considered the most secure platform at the time.
I remember the US army using Mac servers. If you wanted to hack them, you first had to get past the armed guards :-)
Re: It will if it's pre-OS X (Score:2)
The NetWare servers I worked with for Navy use similarly had humorless Marine guards between them and you. Wrong badge, wrong response. Bang.
Reasonably secure. That and the air gap measured in kilometers.
Re:Ironically, blame HIPAA (Score:4, Interesting)
Re: (Score:3)
You had me at HIPAA, lost me at Obamacare. Wouldn't new regulations have been a perfect time to upgrade those legacy systems?
HIPAA doesn't require secure systems. It requires completed checklists. As long as the legacy systems pass the checklist, why replace them?
Re: (Score:3)
I don't disagree that it has problems but, let's not pretend that things were better without it. I worked for several years in healthcare IT. I was there when we started encrypting our laptops by policy.... it was because of HIPAA. Prior to that, there were no exceptions.
A good part of the problem is that hospitals grew up doing their own systems support for medical devices and tried to grow IT out of that, and they tend to be non-profits that budget their departments like universities do. It's a huge mess.
Th
Re: (Score:3)
Then please explain why the single most common reason for a person to be fired from the entire network of hospitals I worked for was inappropriate records access? Perhaps you would like to tell me why one of the major projects then was to move from offline records access auditing to real time auditing and flagging?
Perhaps you might have some insight into how it failed by causing us to start encrypting all of our laptops?
The problem with healthcare is momentum. It's huge, there is a lot of it, and it's highl
Re: (Score:2)
So much of health providers' budgets have been consumed in the past ten years by HIPAA and Obamacare they didn't have any money left over to upgrade those "old legacy systems".
Right...., 'cause the security requirements imposed by HIPAA compliance are such a frivolous waste of money. [/dripping sarcasm]
Doing it right is more expensive than not doing it right, regardless of the business driver. Get over it.
Calls from Credit Cards on "Suspicious Activity" (Score:4, Interesting)
Over the years I can think of many times we've received a call from our credit card companies to "report suspicious activity". Sometimes it's annoying (yes, we are travelling, please don't cancel our card) but other times it's saved us thousands of dollars.
I personally cannot think of anyone who has gotten a call from a medical establishment to report "suspicious activity" or any other kind of "fraud alert", but perhaps others have? If not, the fact that credit card companies respond to these would make them a less profitable activity than defrauding companies that don't alert or respond.
Re: (Score:3, Informative)
> other times it's saved the credit card company thousands of dollars.
FTFY. Although it is possible that if it was caught in time then it saved the merchant thousands of dollars.
But whatever the case, it definitely didn't save you thousands of dollars. Federal law makes your liability a maximum of $50 (unlike debit cards where losses are only limited by bank policy and subject to the whims of your bank manager).
Re:Calls from Credit Cards on "Suspicious Activity (Score:5, Informative)
What about debit cards that can be used like credit cards? What's the liability on those?
It's a debit card. The fact you can use it to pay for something at the checkout doesn't make it a credit card. There is no credit involved.
except that the money is pulled directly from my checking account. I really don't like this feature, but all their cards are like that now.
All debit cards are like that. And that's why even if your card issuer promises low liabilities for lost or stolen cards, you may have an empty checking account for the entire time it takes to resolve the problem. Compare that to a credit card where the issuer is prohibited by law from acting on any charge that you are disputing.
Re: (Score:2)
It's a debit card. The fact you can use it to pay for something at the checkout doesn't make it a credit card. There is no credit involved.
It's both. You have the option [visa.com] to use it as a credit card:
"When you sign for your purchases, you get security protections that help prevent, detect and resolve fraud. Many rewards programs also require you to sign to collect rewards points. However, if you PIN for your Visa Debit card transactions, you may not receive the same security protections for Visa Debit card transactions not processed by Visa."
Re: (Score:2)
Depends where you are in the world.
UK banks have almost all signed into a debit card agreement which gives the same protections as credit cards.
Card fraud doesn't cost you or the bank anything. The merchants are left holding the bag (lost merchandise AND money) and often collect horrific extra fees from Visa et al on top.
Re: (Score:2)
What about debit cards that can be used like credit cards? What's the liability on those? My bank recently made a change and now all debit cards that are issued are Visa debit cards that have a valid Visa number, expiry date, and CCV/CSC [wikipedia.org] and can be used in place of a credit card for online transactions, except that the money is pulled directly from my checking account. I really don't like this feature, but all their cards are like that now.
When you swipe a card, the merchant asks "Debit or credit?" If it's run as credit (often requiring a signature), then your liability is the same as a credit card. If you answered "debit" and provided a PIN, then your liability is the same as any other debit card.
Another poster correctly pointed out that the money is directly pulled from your checking account, so you will be minus that money while disputing the charges.
Re: (Score:2)
Federal law makes your liability a maximum of $50
That is only true if you dispute a fraudulent charge in writing within sixty days of the charge. If you don't notice an odd $20 recurring charge, you are screwed out of all but the last two charges. Also if your credit card is stolen, the $50 limit only applies to charges made in the first 48 hours after the theft.
Re: (Score:2)
The merchants are responsible [nerdwallet.com] for eating the costs. Merchants are also liable for chargebacks [transactionworld.net].
Re: (Score:2)
Did you actually read that story?
"Usually, however, it is the banks that get hurt the most."
Bottom line (and there are exceptions), merchants aren't on the hook if it's a face-to-face transaction. If it's an online transaction, the merchant usually does end up liable.
Re: (Score:2)
Did you actually read that story?
Yes, so let me explain:
Bottom line (and there are exceptions), merchants aren't on the hook if it's a face-to-face transaction.
Nope! Read on to see why:
Usually, however, it is the banks that get hurt the most.
And how do they get hurt? In that quote, the word "banks" links to a BusinessWeek article that explains:
issuing banks are shifting the expense of fraudulent face-to-face transactions to retailers. One reason: complaints that the buyer's signature didn't match the one on the card. These "charge-backs" drive up retailers' costs, which are ultimately passed along to the consumer, says Mallory Duncan, the NRF's general counsel.
So the law says the credit card holder isn't liable. The CC company says they aren't liable, the bank is. But since the retailer is responsible for verifying the signature, they were at fault. Notice that it specifically says that in face-to-face transactions the retailer is responsible.
I'm unclear why the BusinessWeek article says "shifting" since this
Re: (Score:2)
In the articles you cite, it's clear, in a face-to-face transaction, unless there's evidence that the merchant failed to observe the security protocols (i.e. the signatures clearly don't match), the bank eats the cost. The article notes that the banks have been tightening up, and not cutting vendors as much slack as to whether they observed the security protocols or not. That said, it's clear from both articles that, in face-to-face transactions, the bank eats the majority of the costs of fraud. Not so i
Re: (Score:1)
"As for your experience with photo ID, the employee should be in trouble, at least if it was Visa or MC. The merchant agreement prohibits requiring ID. You can ask for it, but if the customer doesn't want to provide it, you can't make it a condition of completing the transaction."
A good lawyer can (and will) trivially argue that this policy facilitates fraud and therefore invalidates any blame the merchant might be taking.
Re: (Score:2)
To which Visa/MC will simply respond that they no longer want to do business with the merchant.
Re: (Score:1)
"Bottom line (and there are exceptions), merchants aren't on the hook if it's a face-to-face transaction."
As a merchant, I've experienced what happens on a disputed face-to-face transaction:
It gets reversed and charged the same as card not present fraud.
It's one of the reasons I installed a video surveillance system at the point of sale.
Re: (Score:2)
Because under US law, credit card companies are liable for the cost of credit card fraud above a nominal amount, they have strong incentives to continuously search for and attempt to block fraudulent transactions. I don't think there is any comparable legal driver that forces health providers to bear the financial cost of similar fraud from patient info loss, nor are they necessarily "in-line" to see the exploitation of information stolen from them. ...
Perhaps the significant difference here is that, with credit cards, the main usage is bogus charges that have an immediate monetary value. With the medical information, there's no specific dollar amount that's been "stolen"; the value is in who's willing to buy the information. This doesn't result in any specific charge against the medical corporation or the patient, so the financial system considers its value to be zero.
This is also what might make it difficult to fight. You can't just say that the me
Re: (Score:2)
it has only been a few years that co-pays and co-insurance got to the point where you are liable for a lot of doctor visits. 10 years ago most people wouldn't care if someone was running up medical bills under their name since they wouldn't be responsible for a dime.
unlike credit cards where you have to fill out the fraud form or pay up
Re: (Score:2)
I actually got a letter from a dentist saying that their office was broken into and medical records taken. I believe that's a HIPAA requirement.
Scarier (Score:2)
Re: (Score:2)
My experience with doctor's offices has been that everything is kept on paper, and they fax things around if they need to transfer the data "electronically"...
Re: (Score:3)
Like them or dislike them, the VA has had electronic patient records since the 60s. They've had this nailed so well their software is in use in many hospitals around the country.
Perspective (Score:5, Insightful)
There are at least two ways to look at this issue.
A. Using stolen health information is very lucrative due to the lack of security.
B. Using stolen credit card information has become a lot less lucrative due to the increased security used by credit card companies.
I suspect a little from column A and a little from column B.
FDA and legacy software (Score:2)
Government ineptitude (Score:5, Insightful)
If Medicare practiced fraud/risk control even marginally as well as the payments industry, they could cut fraudulent claims by 70%.
- Does the zip code you are shipping durable equipment to even remotely match the patient's residence? If not, just a phone call might work to confirm the transaction.
- Does the durable equipment have use for any diagnostic code used by the patient in the past?
There are other triggers that could help.
a cyber crime protection company... (Score:1)
....monitoring underground exchanges..
Sounds like a cheap spy novel.
Hospital networks are very vulnerable. (Score:5, Interesting)
Wondering if all the hospital networks are already compromised beyond repair. If the doctors use same passwords for their hospital account as well as their personal account, they too would be very vulnerable. Some of the doctors I know are surgeons who would wield a scalpel with great confidence and would think it is routine to make a 20 cm long incision across the stomach. But are scared of the stupid computer and were mortally afraid of changing the password, or the default screen saver.
also lots of 3rd party vendors. With updates not (Score:2)
also lots of 3rd party vendors. Some systems are even set up with updates not allowed.
HL7 & MUMPS (Score:5, Interesting)
HL7 isn't just a standard, but it also describes a protocol used for transmitting patient data which is laughably insecure in the state it was in when I last worked on it in the late 90's. Plain text, no validation, fire/forget, no encryption, no well, no nothing
MUMPS, or M if you prefer, is a programming language designed by the NSA (it must have been, lol, actually it was designed by a couple of Dr's), every variable is global in nature - so if you have an admin token ADMIN, you can set that value anywhere in the running system and it won't care one bit. Rooting M systems is simply a matter of access and knowledge of M.
Oddly, in M, you can also use shorthand, so i == if (IIRC), and it's contextual, so where in a line a value appears determines the value's type, so i i i is a valid statement, where each i references a completely different variable/value/object. Insanity at its best. Here is a great mumps tutorial [uni.edu] for those of you that aren't familiar & for those of you who only know "modern" languages, it's a timely Halloween horror show...
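To make the HL7 point above concrete, here is an added example (not code from the page, the commenter, or any HL7 implementation): a minimal parser for an HL7 v2 pipe-delimited message with MLLP framing. The delimiter rules (MSH-1/MSH-2) and the MLLP frame bytes (<VT> ... <FS><CR>) come from the HL7 v2 and MLLP specifications; the ADT^A01 message, the facility names, the medical record number and the patient are constructed for this example. Walking the frame shows what the comment describes: the identifying data and the diagnosis are plain text, and nothing in the frame authenticates the sender or protects the message from modification in transit.

```python
"""Added example: parse an MLLP-framed HL7 v2 message and pull out the PHI it
carries in the clear.  The sample message and every name in it are constructed;
the delimiter and framing rules follow the HL7 v2 / MLLP specifications."""

MLLP_START = b"\x0b"    # <VT>: start of block
MLLP_END = b"\x1c\r"    # <FS><CR>: end of block

# Constructed sample: an admit (ADT^A01) message.  Segments end with <CR>.
# MSH-8 ("Security") is empty, as it typically is on real interfaces.
SAMPLE_ADT = (
    "MSH|^~\\&|ADT1|WARD3|EHR|HOSPITAL|20141024120000||ADT^A01|MSG0001|P|2.3\r"
    "EVN|A01|20141024120000\r"
    "PID|1||123456^^^HOSPITAL^MR||DOE^JANE^A||19700101|F|||"
    "1 EXAMPLE ST^^ANYTOWN^CA^90000\r"
    "PV1|1|I|WARD3^12^A\r"
    "DG1|1||I10^Essential hypertension^I10\r"
)


def mllp_frame(message: str) -> bytes:
    """Wrap a message in an MLLP frame.  Note what is absent: no length,
    no checksum, no MAC, no sender identity."""
    return MLLP_START + message.encode("ascii") + MLLP_END


def mllp_unframe(data: bytes) -> str:
    """Strip the MLLP frame; the only check possible is that the markers exist."""
    if not (data.startswith(MLLP_START) and data.endswith(MLLP_END)):
        raise ValueError("not an MLLP frame")
    return data[len(MLLP_START):-len(MLLP_END)].decode("ascii")


def parse_hl7(message: str) -> dict:
    """Split a message into {segment_id: [fields, ...]}, where each field is a
    list of components.  Index N of a field list is field N of that segment,
    so parsed["PID"][0][5] is PID-5 (patient name).  The field and component
    separators are taken from MSH-1 and MSH-2, as the standard requires."""
    segments = [s for s in message.split("\r") if s]
    if not segments or not segments[0].startswith("MSH"):
        raise ValueError("message must start with an MSH segment")
    field_sep = segments[0][3]        # MSH-1: the character after "MSH"
    component_sep = segments[0][4]    # first character of MSH-2
    parsed: dict = {}
    for seg in segments:
        fields = seg.split(field_sep)
        seg_id = fields[0]
        if seg_id == "MSH":
            # MSH-1 is the separator itself; re-insert it so numbering lines up.
            fields = ["MSH", field_sep] + fields[1:]
        row = []
        for i, f in enumerate(fields):
            if seg_id == "MSH" and i in (1, 2):
                row.append([f])       # delimiter definitions are never split
            else:
                row.append(f.split(component_sep))
        parsed.setdefault(seg_id, []).append(row)
    return parsed


def extract_phi(parsed: dict) -> dict:
    """Pull the identifying fields out of PID and DG1: exactly the data the
    article says is sold.  All of it is readable without any key or credential."""
    pid = parsed["PID"][0]
    name = pid[5]                    # PID-5: family^given^middle
    address = pid[11]                # PID-11: street^other^city^state^zip
    return {
        "mrn": pid[3][0],            # PID-3: patient identifier list
        "name": f"{name[1]} {name[0]}",
        "dob": pid[7][0],            # PID-7: date of birth
        "address": ", ".join(part for part in address if part),
        "diagnosis": parsed["DG1"][0][3][1],   # DG1-3: code^description^system
    }


if __name__ == "__main__":
    wire = mllp_frame(SAMPLE_ADT)                 # what an eavesdropper sees
    phi = extract_phi(parse_hl7(mllp_unframe(wire)))
    for key, value in phi.items():
        print(f"{key:9s} {value}")
```

Running it prints the record number, name, date of birth, address and diagnosis straight off the wire bytes. Anything that can reach the listening port can also send a frame of its own, and the receiver has nothing in the protocol to tell a forged admit or result message from a real one; that is why these interfaces have to live on isolated networks or behind TLS tunnels rather than relying on the protocol itself.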
Re: (Score:2)
The Daily WTF features a few MUMPs, uh... code. A shorthand overview [thedailywtf.com] and a collection of MUMPS articles [google.ca]. If it wasn't so specialized and used in so few areas, they'd probably have to institute a "no MUMPS stories" policy to avoid being flooded.
Re: (Score:1)
The sad part is, aside from the security issues, the HL7 "standard" is far from standard. The same goes for DICOM. What we need is a secure standard that is truly "secure" and "standard."
Not surprising (Score:2)
1) If you don't get certain very expensive medical care, you DIE. So if you can't afford it, you are likely to consider stealing someone else's medical insurance. Death makes people consider doing things they wouldn't otherwise do.
2) Many patients with health issues have a lot more important things to think about than finances. Or worse, the patient might be dead, so they can't complain against the charges.
3) Many providers actively avoid talking about finan
Re: (Score:1)
There's bad docs that screw everyone over for profit, but then there's the rest of them. I'm a developer of a medical record system, and one of the things that amazes every single doctor we've installed it at is that we can tell them what the insurance companies are going to make the patient pay for the drug they're thinking of prescribing (aka "the formulary"). Suddenly now they can tell the patient "I can prescribe brand X for you but your insurance has it in their $50 tier, or I can prescribe bran
Relevant news - interesting timing... (Score:3)
http://www.utsandiego.com/news... [utsandiego.com]
This goes back 2 years, but just hit the news wires today:
LA JOLLA — UC San Diego has been targeted by a series of cyber attackers seeking access to sensitive research and other data since 2012 and officials say the so-called advanced persistent threat has prompted the campus to take steps to bolster its security.
The initial security breach, detected in June 2012, involved the use of stolen passwords by hackers targeting computer servers. University information technology security director John Denune said that no work was lost and no critical research data was accessed.
Re: (Score:2)
Oh, while it isn't clear from the article I linked, a local TV news story this morning said that they were apparently targeting medical research data.
And (as was mentioned in the article) the attack apparently came from China via hacked systems in S. Korea.
myopic CIO doesn't understand hackers (Score:2, Insightful)
"The only reason to buy that data is so they can fraudulently bill," Probst said.
Uh, what? You don't think having access to the birthdate, employer, SSN, address and medical history has any use other than fraudulent billing? Good thing he is in the medical field so he can get a CT scan of his navel. Apparently this "CIO" doesn't understand the value of the data he is supposed to be keeping safe.
This is all the more reason to NOT give healthcare providers your SSN, and to insist that insurance companies u
Sounds about right (Score:2)
"When I've looked at hospitals, and when I've talked to other people inside of a breach, they are using very old legacy systems — Windows systems that are 10 plus years old that have not seen a patch."
No surprise there; that's about how long it takes to process all the paper work (mostly due to HIPAA) to get a new system approved for use inside a hospital. The new Windows 8 purchases should be coming online sometime around 2024.
If you want to install a patch, the approval process starts all over from scratch ...