Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy Crime Medicine The Almighty Buck

Medical Records Worth More To Hackers Than Credit Cards 78

HughPickens.com writes Reuters reports that your medical information, including names, birth dates, policy numbers, diagnosis codes and billing information, is worth 10 times more than your credit card number on the black market. Fraudsters use this data to create fake IDs to buy medical equipment or drugs that can be resold, or they combine a patient number with a false provider number and file made-up claims with insurers, according to experts who have investigated cyber attacks on healthcare organizations. Medical identity theft is often not immediately identified by a patient or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected. Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, says Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company. He obtained the data by monitoring underground exchanges where hackers sell the information. Plus "healthcare providers and hospitals are just some of the easiest networks to break into," says Jeff Horne. "When I've looked at hospitals, and when I've talked to other people inside of a breach, they are using very old legacy systems — Windows systems that are 10 plus years old that have not seen a patch."
This discussion has been archived. No new comments can be posted.

Medical Records Worth More To Hackers Than Credit Cards

Comments Filter:
  • by retroworks ( 652802 ) on Monday September 29, 2014 @11:39AM (#48020261) Homepage Journal

    Over the years I can think of many times we've received a call from our credit card companies to "report suspicious activity". Sometimes it's annoying (yes, we are travelling, please don't cancel our card) but other times it's saved us thousands of dollars.

    I personally cannot think of anyone who has gotten a call from medical establishment to report "suspicious activity" or any other kind of "fraud alert", but perhaps others have? If not, the fact that credit card companies respond to these would make them less profitable activity than defrauding companies that don't alert or respond.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      > other times it's saved the credit card company thousands of dollars.

      FTFY. Although it is possible that if it was caught in time then it saved the merchant thousands of dollars.
      But whatever the case, it definitely didn't save you thousands of dollars. Federal law makes your liability a maximum of $50 (unlike debit cards where losses are only limited by bank policy and subject to the whims of your bank manager).

      • What about debit cards that can be used like credit cards? What's the liability on those. My bank recently made a change and now all debit cards that are issued are Visa debit cards that have a valid Visa number, expiry date, and CCV/CSC [wikipedia.org] and can be used in place of a credit card for online transactions, except that the money is pulled directly from my checking account. I really don't like this feature, but all their cards are like that now.
        • by Obfuscant ( 592200 ) on Monday September 29, 2014 @01:08PM (#48021063)

          What about debit cards that can be used like credit cards? What's the liability on those.

          It's a debit card. The fact you can use it to pay for something at the checkout doesn't make it a credit card. There is no credit involved.

          except that the money is pulled directly from my checking account. I really don't like this feature, but all their cards are like that now.

          All debit cards are like that. And that's why even if your card issuer promises low liabilities for lost or stolen cards, you may have an empty checking account for the entire time it takes to resolve the problem. Compare that to a credit card where the issuer is prohibited by law from acting on any charge that you are disputing.

          • by Raenex ( 947668 )

            It's a debit card. The fact you can use it to pay for something at the checkout doesn't make it a credit card. There is no credit involved.

            It's both. You have the option [visa.com] to use it as a credit card:

            "When you sign for your purchases, you get security protections that help prevent, detect and resolve fraud. Many rewards programs also require you to sign to collect rewards points. However, if you PIN for your Visa Debit card transactions, you may not receive the same security protections for Visa Debit card transactions not processed by Visa."

          • Depends where you are in the world.

            UK banks have almost all signed into a debit card agreement which gives the same protections as credit cards.

            Card fraud doesn't cost you of the bank anything. The merchants are left holding the bag (lost merchandise AND money) and often collect horrific extra fees from Visa et al on top.

        • What about debit cards that can be used like credit cards? What's the liability on those. My bank recently made a change and now all debit cards that are issued are Visa debit cards that have a valid Visa number, expiry date, and CCV/CSC [wikipedia.org] and can be used in place of a credit card for online transactions, except that the money is pulled directly from my checking account. I really don't like this feature, but all their cards are like that now.

          When you swipe a card, the merchant asks "Debit or credit?" if it's run as credit (often requiring a signature), then your liability is the same as a credit card. If you answered "debit" and provided a PIN, then your liability is the same as any other debit card.

          Another poster correctly pointed out that the money is directly pulled from your checking account, so you will be minus that money while disputing the charges.

      • Federal law makes your liability a maximum of $50

        That is only true if you dispute a fraudulent charge in writing within sixty days of the charge. If you don't notice an odd $20 recurring charge, you are screwed out of all but the last two charges. Also if your credit card is stolen, the $50 limit only applies to charges made in the first 48 hours after the theft.

    • Because under US law, credit card companies are liable for the cost of credit card fraud above a nominal amount, they have strong incentives to continuously search for and attempt to block fraudulent transactions. I don't think there is any comparable legal driver that forces health providers to bear the financial cost of similar fraud from patient info loss, nor are they necessarily "in-line" to see the exploitation of information stolen from them. Moreover, the health care industry sees their mission as
      • by MobyDisk ( 75490 )

        The merchants are responsible [nerdwallet.com] for eating the costs. Merchants are also liable for chargebacks [transactionworld.net].

        • Good points. Nonetheless, the credit card issuers still have an incentive to minimize fraud, if only to avoid the hassle of fighting with the merchants over who's to blame for the loss and how much they are liable for. They would much rather enjoy wallowing in the usurious interest rates and substantial transaction fees they charge than spend time in court with the merchants.
        • Did you actually read that story?

          "Usually, however, it is the banks that get hurt the most."

          Bottom line (and there are exceptions), merchants aren't on the hook if it's a face-to-face transaction. If it's an online transaction, the merchant usually does end up liable.

          • by MobyDisk ( 75490 )

            Did you actually read that story?

            Yes, so let me explain:

            Bottom line (and there are exceptions), merchants aren't on the hook if it's a face-to-face transaction.

            Nope! Read on to see why:

            Usually, however, it is the banks that get hurt the most.

            And how do they get hurt? In that quote, the word "banks" links to a BusinessWeek article that explains:

            issuing banks are shifting the expense of fraudulent face-to-face transactions to retailers. One reason: complaints that the buyer's signature didn't match the one on the card. These "charge-backs" drive up retailers' costs, which are ultimately passed along to the consumer, says Mallory Duncan, the NRF's general counsel.

            So the law says the credit card holder isn't liable. The CC company says they aren't liable, the bank is. But since the retailer is responsible for verifying the signature, they were at fault. Notice that it specifically says that in face-to-face transactions the retailer is responsible.

            I'm unclear why the BusinessWeek article says "shifting" since this

            • In the articles you cite, it's clear, in a face-to-face transaction, unless there's evidence that the merchant failed to observe the security protocols (i.e. the signatures clearly don't match), the bank eats the cost. The article notes that the banks have been tightening up, and not cutting vendors as much slack as to whether they observed the security protocols or not. That said, it's clear from both articles that, in face-to-face transactions, the bank eats the majority of the costs of fraud. Not so i

              • "As for your experience with photo ID, the employee should be in trouble, at least if it was Visa or MC. The merchant agreement prohibits requiring ID. You can ask for it, but if the customer doesn't want to provide it, you can't make it a condition of completing the transaction."

                A good lawyer can (and will) trivially argue that this policy facilitates fraud and therefore invalidates any blame the merchant might be taking.

          • "Bottom line (and there are exceptions), merchants aren't on the hook if it's a face-to-face transaction."

            As a merchant, I've experienced what happens on a disputed face-to-face transaction:

            It gets reversed and charged the same as card not present fraud.

            It's one of the reasons I installed a video surveillance system at the point of sale.

      • by jc42 ( 318812 )

        Because under US law, credit card companies are liable for the cost of credit card fraud above a nominal amount, they have strong incentives to continuously search for and attempt to block fraudulent transactions. I don't think there is any comparable legal driver that forces health providers to bear the financial cost of similar fraud from patient info loss, nor are they necessarily "in-line" to see the exploitation of information stolen from them. ...

        Perhaps the significant difference here is that, with credit cards, the main usage is bogus charges that have an immediate monetary value. With the medical information, there's no specific dollar amount that's been "stolen"; the value is in who's willing to buy the information. This doesn't result in any specific charge against the medical corporation or the patient, so the financial system considers its value to be zero.

        This is also what might make it difficult to fight. You can't just say that the me

    • by alen ( 225700 )

      it has only been a few years that co-pays and co-insurance got to the point where you are liable for a lot of doctor visits. 10 years ago most people wouldn't care if someone was running up medical bills under their name since they wouldn't be responsible for a dime.

      unlike credit cards where you have to fill out the fraud form or pay up

    • by jtara ( 133429 )

      I actually got a letter from a dentist saying that their office was broken into and medical records taken. I believe that's a HIPAA requirement.

  • This is even scarier if you have any familiarity with how most hospital records and/or IT departments are run.
    • by Trepidity ( 597 )

      My experience with doctor's offices has been that everything is kept on paper, and they fax things around if they need to transfer the data "electronically"...

      • by Enry ( 630 )

        Like them or dislike them, the VA has had electronic patient records since the 60s. They've had this nailed so well their software is in use in many hospitals around the country.

  • Perspective (Score:5, Insightful)

    by jklovanc ( 1603149 ) on Monday September 29, 2014 @11:51AM (#48020355)

    There is at least two ways to look at this issue.
    A. Using stolen health information is very lucrative due to the lack of security.
    B. Using stolen credit card information has become a lot less lucrative due to the increased security used by credit card companies.

    I suspect a little from column A and a little from column B.

  • by rickb928 ( 945187 ) on Monday September 29, 2014 @12:19PM (#48020603) Homepage Journal

    If Medicare practiced fraud/risk control energy marginally as will as the payments industry, they could cut fraudulent claims by 70%.

    - Does the zip code you are shipping durable equipment to when remotely match the patient's residence? If not, just a phone call might work to confirm the transaction.

    - Does the durable equipment have use for any Diagnostic code used my the patient in past?

    There are other triggers that could help.

  • ....monitoring underground exchanges..

    ...director of threat intelligence...

    Sounds like a cheap spy novel.

  • by 140Mandak262Jamuna ( 970587 ) on Monday September 29, 2014 @12:24PM (#48020647) Journal
    I have sat in many consulting rooms and examination rooms in the hospitals, with a lone pizza box computer with WindowsNT or Windows64 screen saver. All alone, the computer, its ports all freely available for me to plug anything I wanted, even spare RJ-45 ethernet ports next to it for me to plug in anything I wanted. It would be trivially simple to plug in an USB keylogger dongle to the back USB port.

    Wondering if all the hospital networks are already compromised beyond repair. If the doctors use same passwords for their hospital account as well as their personal account, they too would be very vulnerable. Some of the doctors I know are surgeons who would wield a scalpel with great confidence and would think it is routine to make a 20 cm long incision across the stomach. But are scared of the stupid computer and were mortally afraid of changing the password, or the default screen saver.

  • HL7 & MUMPS (Score:5, Interesting)

    by James-NSC ( 1414763 ) on Monday September 29, 2014 @12:38PM (#48020787) Homepage
    Even with the turn of the millennia, the vast majority of hospital systems still run on HL7 (Health Level 7 [wikipedia.org]) and MUMPS (Massachusetts General Hospital Utility Multi-Programming System [wikipedia.org] aka "M").

    HL7 isn't just a standard, but it also describes a protocol used for transmitting patient data which is laughably insecure in the state it was in when I last worked on it in the late 90's. Plain text, no validation, fire/forget, no encryption, no well, no nothing

    MUMPS, or M if you prefer, is a programming language designed by the NSA (it must have been, lol, actually it was designed by a couple of Dr's), every variable is global in nature - so if you have an admin token ADMIN, you can set that value anywhere in the running system and it won't care one bit. Rooting M systems is simply a matter of access and knowledge of M.

    Oddly, in M, you can also use shorthand, so i == if (IIRC), and it's contextual, so where in a line a value appears determines the values type, so i i i is a valid statement, where each i references a completely different variable/value/object. Insanity at it's best. Here is a great mumps tutorial [uni.edu] for those of you that aren't familiar & for those of you who only know "modern" languages, it's a timely Halloween horror show...
    • by tlhIngan ( 30335 )

      Here is a great mumps tutorial for those of you that aren't familiar & for those of you who only know "modern" languages, it's a timely Halloween horror show...

      The Daily WTF features a few MUMPs, uh... code. A shorthand overview [thedailywtf.com] and a collection of MUMPS articles [google.ca]. If it wasn't so specialized and used in so few areas, they'd probably have to institute a "no MUMPS stories" policy to avoid being flooded.

    • The sad part is, aside from the security issues, the HL7 "standard" is far from standard. The same goes for DICOM. What we need is a secure standard that is truly "secure" and "standard."

  • There are three reasons this happens:

    1) If you don't get certain very expensive medical care, you DIE. So if you can't afford it you, you are likely to consider stealing someone else's medical insurance. Death makes people consider doing things they wouldn't otherwise do.

    2) Many patients with health issues have a lot more important things to think about than finances. Or worse, the patient might be dead, so they can't complain against the charges.

    3) Many providers actively avoid talking about finan

    • by Anonymous Coward

      There's bad docs that screw everyone over for profit, but then there's the rest of them. I'm a developer of a medical record system, and one of the things that amazes every single doctor we've installed it at is that we can tell them what the insurance companies are going to make the patient pay for the drug they're thinking of prescribing (aka "the formulary"). Suddenly now they can tell the patient "I can prescribe brand X for you but your insurance will has it in their $50 tier, or I can prescribe bran

  • by jtara ( 133429 ) on Monday September 29, 2014 @12:49PM (#48020869)

    http://www.utsandiego.com/news... [utsandiego.com]

    This goes back 2 years, but just hit the news wires today:

    LA JOLLA — UC San Diego has been targeted by a series of cyber attackers seeking access to sensitive research and other data since 2012 and officials say the so-called advanced persistent threat has prompted the campus to take steps to bolster its security.

    The initial security breach, detected in June 2012, involved the use of stolen passwords by hackers targeting computer servers. University information technology security director John Denune said that no work was lost and no critical research data was accessed.

    • by jtara ( 133429 )

      Oh, while it isn't clear from the article I linked, a local TV news story this morning said that they were apparently targeting medical research data.

      And (as was mentioned in the article) the attack apparently came from China via hacked systems in S. Korea.

  • by Anonymous Coward

    "The only reason to buy that data is so they can fraudulently bill," Probst said.

    Uh, what? You don't think having access to the birthdate, employer, SSN, address and medical history has any use other than fraudulent billing? Good thing he is in the medical field so he can get a CT scan of his navel. Apparently this "CIO" doesn't understand the value of the data he is supposed to be keeping safe.

    This is all the more reason to NOT give healthcare providers your SSN, and to insist that insurance companies u

  • "When I've looked at hospitals, and when I've talked to other people inside of a breach, they are using very old legacy systems — Windows systems that are 10 plus years old that have not seen a patch."

    No surprise there; that's about how long it takes to process all the paper work (mostly due to HIPAA) to get a new system approved for use inside a hospital. The new Windows 8 purchases should be coming online sometime around 2024.

    If you want to install a patch, the approval process starts all over from scratch ...

One good suit is worth a thousand resumes.

Working...