Hospital Data and Patients Are Vulnerable to 'Dark Web' Hackers
It's relatively easy for cybercriminals to break into healthcare networks and steal records or hold patient data for ransom.
Hospitals have gotten better at preventing some mistakes. Nurses now scrawl on patients skin with magic markers or affix big red sleeves to identify the right body part before surgery. Patients show ID at the pharmacy counter before getting powerful cold medicine or addictive pain-killers.
But when it comes to cybersecurity, the health care industry is batting less than zero. Cybercriminals are sneaking into more and more health insurance databases and hospital networks in recent years, stealing the personal health records of tens of millions of Americans.
The reason: it's easy, according to James Collins, co-founder and senior fellow Institute for Critical Infrastructure Technology.
"The financial sector got their act together, so hackers migrated to the health sector," Collins said. "There's here's a huge market for that information and the health sector doesn't protect their data."
And while it may be easy to replace a credit card, the affect of losing a health record can last a lifetime.
A new report by the institute "Your Life, Repackaged and Resold" found that more than 113 million medical records were stolen in 2015, with 100 million coming from three attacks against Anthem, Premera Blue Cross and Excellus Health Plan.
Victims of the crimes receive limited or no help from the government or healthcare organizations because consumer protections are not well defined in the case of medical identity theft, the report found.
The stolen health records are sold and resold on the so-called Deep Web, a hidden electronic black market, for years after the initial breach.
Sometimes stolen records can tear apart families.
In one case, a pregnant woman used a stolen medical identity of a Utah woman, Anndorie Cromar, to pay for maternity care at a Utah hospital. Because the infant was born with drugs in her system, child protective services assumed custody of the baby.
But because of the fraudulent medical identity, the state assumed that the infant belonged to Cromar and that Cromar was therefore a drug addict and negligent parent. As a result, Child Protective Services attempted to assume custody of Cromar's actual children. Anndorie Cromar had to undergo a DNA test to remove her name from the infant's birth certificate, and she spent years correcting her medical records.
In some cases, the victim is an entire hospital. Hackers will infiltrate a system and then hold the data for ransom, demanding payment in money or in some cases in Bitcoins. This phenomena is called a "ransomware" attack.
In February, Hollywood Presbyterian hospital in Los Angeles was the victim of a ransomware attack. The hospital was forced to shut down and ship patients elsewhere until it could pay $17,000 to the hackers.
WATCH VIDEO: How Hackers Are Using Wireless Mice to Steal Your Information
Other attacks followed at Chino Valley Medical Center in Chino, Calif., Desert Valley Hospital in Victorville, The Ottawa Hospital in Ottawa, at MedStar Healthcare in the Washington, D.C. area, and at numerous other healthcare facilities.
"It's all because someone at the billing department at a hospital clicked on an email that had a puppy, a baby or a spearfishing email," Collins said.
In recent months, some clinics and insurers have been targeted by lawsuits from patients who had their records stolen. Even though few patients have come out publicly, they will likely face consequences in the years to come, according to Josh Corman, director of cyber statecraft at The Atlantic Council and a member of a Health and Human Services cybersecurity committee.
"The type of information is a stepping stone to other types of compromise later," Corman said. "It could be your a social security number, city of birth or other things you may use in bank security questions. It's all the stuff around your medical history."
Corman said that hospitals and health insurers have embraced electronic medical records for their convenience and efficiency, but failed to keep up with security.
"This is our four-minute warning," Corman said. "At the moment, people have the expectation that their information is secure."
The next phase of cyberhacking in the health world is medical devices themselves. The Food and Drug Administration recalled an insulin pump earlier this year because it was built with an insecure Wi-Fi connection, leaving it vulnerable to hackers who might want to harm a patient.
"At the moment, people have the expectation that their information is secure," Corman said. "A sober reflection that even with (medical privacy laws) an hi-tech, the adversaries are still succeeding."
In fact, sometimes medical privacy laws work against correcting errors from stolen identity.
Jake Henshaw, a military recruiter from Texas, pleaded with a Colorado hospital to find out about several $3,000 drug detox treatments for which he was billed. Henshaw was stationed in Germany at the time, preparing to deploy to Afghanistan.
"I had to get my commanding officer to write a memorandum stating I was present in Germany when the visits happened," he said. "The Army was trying to get me to change my social security number."
Henshaw said the hospital billing administrator wouldn't budge.
"It was a miserable experience. You just have to just keep trying to have enough kindness and sympathy to actually bend the rules to assist you. That's what I've done multiple times."
Henshaw purchased an identity theft monitoring service from the firm LifeLock, which keep tabs on unauthorized use of his accounts.
In Henshaw's case, the culprit was his drug-dependent younger brother, who used Henshaw's social security number and birthdate for treatment and prescription drugs. What wrankles Henshaw was the lack of adequate checks by the hospital.
"When you rent a car, you have to have a drivers license, a second ID and a credit card," Henshaw said. "In the hospital, they don't do that. They cannot impede treatment to someone who needs it. There has to be something done. Someone needs to figure it out."