Schneier on Security
A blog covering security and security technology.
February 20, 2008
Foreign Hackers Stealing American Health Care Records
What in the world is going on here?
Foreign hackers, primarily from Russia and China, are increasingly seeking to steal Americans' health care records, according to a Department of Homeland Security analyst.
Mark Walker, who works in DHS' Critical Infrastructure Protection Division, told a workshop audience at the National Institute of Standards and Technology that the hackers' primary motive seems to be espionage.
Espionage? Um, how?
Walker said the hackers are seeking to exfiltrate health care data. "We don't know why," he added. "We want to know why." At the same time, he said, it's clear that "medical information can be used against us from a national security standpoint."
How? It's not at all clear to me.
Any health problems among the nation's leaders would be of interest to potential enemies, he said.
This just has to be another joke.
EDITED TO ADD (3/13): More
Posted on February 20, 2008 at 12:30 PM
• 58 Comments
Seems more likely to me that they would be stealing health care records to sell them to insurance providers. You know, so they can adjust premiums accordingly based on risk.
Ah, but if your problem is related to national security, you can apply for a DHS grant.
I don't know about you, but my health records include my social security number as well as my date of birth and plenty of other personal information. I think it is far more likely that the hackers are after information such as this as part of identity theft scams.
Specific personal health info could be used very effectively to telephone people, intimidate them ("no one is supposed to know that! If they know that, what other secrets do they know about me") and coerce behavior that could assist espionage agents. If I were in espionage, I could think of lots of ways to use health info to talk to neighbors, pretend to be a doctor, manipulate their real doctor, or attempt to gain access to emergency contact or financial information.
Another possibility is they found some malware on some health-record systems, and assumed they were there because of the purpose of the machines, instead of them just being badly-secured systems and hence available for exploration/exploitation.
Health records could contain embarrassing information or information that an employer could use to determine if they should employ you or not. But a national security matter? Don't think so.
I'm inclined to agree with the identity theft angle, though it seems a roundabout way of going for the data.
Still, one wonders if there's either population data (common names, ethnic diversity within a community) that might be more within the usual DHS dog-and-pony show.
Any health problems among the nation's leaders would be of interest to potential enemies, he said.
*shrug* maybe: Dick Cheney is allergic to arsenic. I dunno....
"I don't know about you, but my health records include my social security number as well as my date of birth and plenty of other personal information. I think it is far more likely that the hackers are after information such as this as part of identity theft scams."
Oh, I understand why criminals might want this information. It's the "national security" angle that I don't get.
The records are more useful to people who want to commit financial fraud than they are to "enemies of the state".
They might want to check their own plans for coverage for treatment of severe paranoia.
If "national security" gets the government to enforce better security on medical records, that's fine with me.
I'm mostly with Pat Calahan on this one, except instead of "apply for DHS grant" one should read "propose an increased DHS budget".
Well, he wants breach reports so he can justify budget increases:
Walker urged the audience to report data breaches to the authorities. ...
DHS wants to build a database of health information system intrusions so it can better analyze the threats and develop countermeasures, Walker said.
And those spies probably want to learn our weak points and then attack us. Or our leaders (!!) God save the all-protecting DHS which thinks of us day and night.
I was surprised when I saw the story, too, so I contacted Mark Walker of the DHS to get clarification. A spokesperson told me that the story was inaccurate in a number of respects. I blogged about what the DHS spokesperson told me at http://www.pogowasright.org/blogs/dissent/?p=794
It is feasible* that with enough health care records one could derive epidemiological data that could identify an optimal target for a biological or chemical agent.
* By feasible, I mean that I could feasibly win the next movie plot contest with this concept.
I'm sure that the intent is to file fake health care claims, and trick the insurance companies into paying. Given the complete medical history of a patient, it's not hard to construct plausible-but-phony medical bills from fake providers.
My family's experienced this; some shady or phony lab evidently got hold of our information and filed claims with our insurance company for all kinds of tests. The insurance company bounced it back, and my wife's had to deal with straightening it out. They probably could have gotten away with it if they weren't so greedy, claiming that my wife, daughter, and I all received services on the same day, for example.
I think the national security angle is that one military computer and one non-military government computer got hacked.
No, that doesn't sound like a reason to come up with a specifically health-information-related protection plan, but that's the best I can do...
@ It's the "national security" angle that I don't get.
Actually I don't get it either ~ but I have some speculations which I view as insight. The type of mind that works well in a governmental setting considers medical to be Precious and Sacrosanct. ( caps intended ) The article states that "poor security practices among those who use health information systems and disgruntled employees are as much of a threat as cyber intruders" thus as a justification, the department heads report a 'nat sec' threat in an unconscious incompetence that is a normal human response to failure. In other words, seek to justify their existence.
Actually I go for the [ssn+realname/current] basis, but the ungraspable aspect of citing nat sec comes from the greymeat between the human ears moreso than the facts of the incident.
How could medical records be used for espionage?
"Major Smith, we know that you and a pretty young sergeant in your unit were treated for gonorrhea while stationed in Iraq. If you do not provide us with the information we want, we will provide this information to your wife."
"Senator Jones, we know that in 1998 you were treated for hepatitis related to shooting heroin with a DC prostitute and not using clean needles."
"Any health problems among the nation's leaders would be of interest to potential enemies, he said."
Any health problems among the nation's leaders would probably already be publicized by the media. Come on - these guys can't get a mole removed without it making CNN's headlines.
Another use of medical records:
If THEY know that, say, my mother is in need of a really expensive treatment, they may assume that I will be easier to bribe/recruit than another guy.
Another use would be biological weapons research
I go with identity theft...also, how about targeting victims' e-mail with "prescription drugs" they need at a cheaper rate...?
Doesn't everyone know that the communists are after precious bodily fluids?
Dr. Strangelove called.
California has a law in the works that would prohibit insurance companies from demanding medical records from doctors so that the insurer could then deny sick people coverage. The reason behind this is an insurance group which has been doing exactly that. Okay, close down one supplier, and another one opens up. The health insurance racket would not hesitate to buy stolen information, I am sure.
Apologies in advance to the good professor if I am wrong, but if I recall correctly, Ross Anderson wrote somewhere that were he to attack the NSA, his first port of call would be the local hospital (in Maryland?) for background and other useful info.
Can't find a ref to it right now, but perhaps in 'Security Engineering'.
I am aware that medical transcription is sometimes outsourced to overseas companies. This would make it really easy to get your hands on.
It's possible to get a low level security clearance with a mental illness. I would be surprised if there weren't a few people in this country with higher clearances who managed to get them before their illness was diagnosed and keep them by following a government approved treatment plan. Having your national security employer know that you're being treated for a mental illness and having your friends and neighbors know it are different things. There's still a fair bit of stigma and ignorance surrounding mental illness in the U.S. More than that, though, if you're following some government approved treatment plan, keeping your clearance may require keeping it a secret.
Yeah, that's a bit of speculation, but not all illnesses are things you'd want your friends and neighbors (or even relatives) to know about, even if they don't keep you from getting a security clearance. Yeah, the article may be hyping the espionage risk, but espionage is a real, if small, possibility. It shouldn't be completely discounted.
Then there's the simple fact that not all espionage involves the government.
If you found out that, for example, someone took Depakote and Risperdal, what would you conclude from that? If that person worked for a high-tech company or in a non-secure government facility or perhaps even had a job requiring a security clearance, which he could, how might you be able to use that information? What if that person was a senior executive, likely without a security clearance, in a high tech company that did many things, including government contracts? Blackmail works and there's lots of national security information that can be collected without going directly to the source.
I don't know why the security angle was referenced in this case, but a company I know, with a well established health care unit, was at one time going to ship all employee health care data to the popular land of outsourcing, without regard to integrity, privacy, or security of the data (HIPAA standards), in clear text so to speak. Why was never revealed but it took employee complaints to stop it. Ostensibly, the data would have been "stolen" and marketed around the world for its financial value. The health care unit was later deep sixed (sold) and today we suffer from poor and expensive health care coverage.
No security angle, just greed. Sounds like a cover-up story for something that they need to blame on someone.
I guess you youngsters don't know who John Profumo was. Or simply can't imagine a mid or high-level US official succumbing to bribery because a child, spouse or lover had a healthcare problem that cost a lot of money to treat. Or can't think of a single example of where knowing what doctors and hospitals a certain official used might help in planning their assassination. Or couldn't possibly fathom introducing a biological agent into an official who would then expose vast numbers of other people in government.
And of course, the possibility that the story is false (follow the pogo link above) and DHS never actually said what was reported would never enter your minds since you're so convinced that the government is evil and intent on lying to you.
While it sounds like the facts are murky here, I believe there is a real threat of extortion. Other than the HMOs, hospitals tend to be stand alone, local entities without the resources or commitment to focus on protecting the confidentiality, integrity or availability of patient data (try telling a doctor he or she needs to change their password every 30 days if they want continued access to electronic patient data). Hospitals are also highly susceptible to a loss of customers when there is a perception of incompetence. All the ingredients are there: poor controls around highly sensitive data and a strong motivation by hospitals to keep incidents of data breaches from the public. If I was a hacker looking to extort money from a diverse target industry in the US, I'd start with hospitals.
Just a minor misunderstanding. It's Stephen Maturin, international spy and man of mystery, who is the threat to national security. Doctor Stephen Maturin, ship's surgeon and collector of obscure physiological information...he could not possibly be any danger to anybody.
Well, I don't know what's going on here, but I do know that one health care company I worked at was the target of a targeted phishing attack designed to look like an internal corporate page.
So I don't dismiss the idea that foreign hackers are after health care information. Though my experience is anecdotal and expanding that one incident into being a general trend is a bit much.
And really, I have no idea what 'terrorists' might do with it. I think that's just the catch all for criminals nowadays. They're all terrorists.
Bruce, great respect to you for your clear-mind words. This political mass-media hysteria, when any national troubles linked with "Russian" or "Chinese" "cyber-terrorists" is a little bit boring, indeed.
Especially when those paranoiacs point their fingers at you.
From Russia with love :)
Uhm, blackmail, anyone? Health care records, STDs, psychological problems, anything that might be embarrassing or threatening one's job?
If this is true:
"Even Bush's Feces & Urine - Are Classified Top Secret - All Of It Captured And Flown Back From Europe" http://www.rense.com/general72/fexc.htm
Then I suppose - stealing of health records is considered very important threat to national security in USA.
"Even Bush's Feces & Urine - Are Classified Top Secret - All Of It Captured And Flown Back From Europe"
They just don't want it falling into the hands of a witch doctor who could put a hex on the Pres.
How could medical records be used for espionage?
Simple - if you have a record of someone's doctor's appointments, checkups, prescriptions, etc, then you have a one-stop-shop to track where they have been living.
So, if it is useful to a spy to know where sensitive government employees and contractors are or have been posted (CIA, NSA, military, etc.) maybe health records are a soft way of getting that information.
I assume that there are some restrictions on what appears in someone's medical records if they're posted overseas (maybe it says, "treated by the military overseas", and not say where). But if it names the doctor and you can figure out where the doctor was, or where someone else treated by the same doctor at the same time was, you can join the dots.
Which is not to say that health records are actually being attacked (some doubt is cast on that by a post above). Just that I can see how, if you have more hacker spies than you really know what to do with, you might give this to some of them as a project. Movements of military and intelligence personnel aren't the keys to the kingdom, but they're not worthless either.
I find myself wondering if, from the standpoint of black-market marketing, the value of medical data is not twofold, comprised of both long-tooth id theft resale and mass market blackmail scams.
The long tooth scenario would be to cherry pick select individual records and resell these records to black market consumers who would purchase the names based on various purposes.
The mass market blackmail scheme would entail selling health care company data back to the victim (the provider that holds the data) in exchange for not selling said records on the open market and releasing the details of the intrusion to the mass media. I rather think that the first scenario (as has been alluded in earlier posts) is more likely. That said, given that healthcare comprises a large percentage of dollars spent in the US in particular and that there is currently a very widespread move to achieve increasing efficiency by putting medical records into electronic format, it is easy to see where this would be a very tempting play. I would think that publicly-owned companies with the monitoring that occurs at both the shareholder and government levels, are probably more vulnerable to blackmail attempts; but a privately-owned, market-driven (read unregulated) hospital that is in the process of aggressively converting its paper processes to electronic fails to do so with an eye to security, then it too would be vulnerable, perhaps in ways that the regulated entity would not; especially when you consider how private dollars are channeled.
Having said this, I agree with Bruce's assessment. This is not a "national security" threat; but it is a threat to the economic stakeholders who pull the strings and that might be all it takes to get a DHS bone, no?
From my point of view, the data seems to have monetary value. Russia and China are not communist countries, but mafia driven economies.
medical data have value, for blackmailing (telling your boss, your insurance), cheap drug advertising (thanks to the huge US price of drugs). clearly good social security reduces the risk (SocSec won't drop you if you are a subprime, and if you are really sick drugs are free for you).
anyway, I don't see the hysteria as really innocent. this is a very efficient background noise that feeds the sense of fear of the population, and also distracts it from the problem of SocSec, commercial practices, non governmental datamining...
funny to see how people are more afraid of spies than of government and more of government than of companies, and more of companies than of family.
after all you get more chance to get killed by your wife/husband...
more to get screwed by a legal company than by a mafia. more by a mafia than by a government.
thanks for the book Beyond Fear, no new things inside but a good and essential reminder. before the world collapses under fear.
You know, medical records could be damn useful for counterintelligence and counterinsurgency. Can you say positive ID?
Kind of makes the Google/MS hosting our health-care records online seem like not quite as great an idea as marketing would have us believe, huh?
If you could correlate health records with large enough lists of persons of interest, you could benefit in many, many ways. What foreign intel agencies wouldn't love to have a list of people in important government positions who suffer from alcoholism? Mental health problems? Et cetera.
I once worked for online advertisement. I would think this data would suit spammers who want to _target_ medications per email. If health records reveal that you have a certain medical condition then targeting the right meds to you may not only earn the advertiser an (what is called) impression but also a click on the product which makes them richer, and even more when a buy results. Aside from that perhaps merging the data with other data may verify someone's existence in the database by verifying that the new data has info on the same person from the old data. This is just a minute part of larger data mining work going on, even if the value of the data isn't all high.
Blackmail. Someone with a security clearance could have a medical problem they don't want known - mental illness, HIV, STD, whatever. If you have a database of medical history you could mine it for espionage targets.
""Even Bush's Feces & Urine - Are Classified Top Secret - All Of It Captured And Flown Back From Europe"
They just don't want it falling into the hands of a witch doctor who could put a hex on the Pres."
Feces and urine can contain the medications or the byproducts of the medications that a person has used. I almost said the following yesterday but didn't because it is a kind of unpleasant rumor-mongering.
Being somewhat familiar with the side effects of psychiatric medications I've wondered more than once if GWB was on an anti-psychotic medication. The reality is that Bush isn't very bright, as his academic record shows, and the confusion he so often shows could just as easily be that lack of intelligence. It could also be drugs used for reasons other than psychiatric. What would happen if it was revealed that the President of the United States was taking some powerful, potentially mind altering medication? What if that medication was for a psychiatric disorder? What effect would that have on national security and international confidence in the U.S.? (On the other hand, I honestly do think that's something the people should be aware of when they vote. The President's health does relate to his ability to do the job. On the other side, most voters are too ignorant to actually make informed decisions on such matters, so, who knows...)
Now, just to try to step a bit back from the rumor-mongering, I do think that stupidity is the simplest explanation (until I see headlines like the above, which, of course, could just be rumor-mongering themselves, or just the hyper-paranoia that runs rampant in the Bush administration). Let me also repeat, there are non-psychiatric medications that can cause the same problems, anything from pain medication to neurological medication.
Careful. This is the #1 target for cyber terrorism. If they were to get enough intel on the Health Care system to penetrate it and do a slow subversion on it at first, the shock/fear effect would be devastating. When people can't get coverage/care because the system thinks they are deceased/over limit, etc. The financial billing side alone needs to be strengthened.
Has the health care system improved so much that it's reasonably secure? I doubt it.
@ Lester: I think that is movie plot crap (pun intended) if I have ever heard it. Someone's been watching too much CSI.
Stealing the information in a time when people are worried about data privacy is probably fairly likely to undermine confidence, downplaying the risk may counteract it.
Alternatively, if you were releasing viruses onto foreign soil as a test, or as a serious attack, it is much better to steal medical data to see the effects and how it is handled, than trying to gauge it from the outside.
Or there may be a potential for blackmail in order to coerce a useful American to turn a blind eye to, or participate in espionage.
I sincerely doubt any of these ideas are true, but there are all sorts of reasons for stealing information which may not seem obvious on their own.
There is of course probable cause to suggest that the DHS is merely trying to scare us.
Adding disinformation to a file could have undesired consequences beyond out and out blackmail. Especially if the info was seeded, then allowed to sit for months or years after the change. Let it replicate through the system.
Then leak gossip about a major public figure with an embarrassing medical condition. The condition is phony, but the records support it.
Or worse yet, a person gets dosed with a "cure" that kills him/her (penicillin to a person who is allergic, etc.) because the known allergies info has been altered.
It seems to me that all of the above are possibilities. Instead of trying to narrow down what the information is being used for, consider the answer to be, D. all of the above.
The medical records could directly benefit the Pharmaceutical Industry in China, as well as benefit emerging U.S.-Chinese partnerships.
Will China eventually come up to par with R&D, regulation, certification, quality, marketing, distribution, and free trade regulations, to become the world's leading drug dealer?
Imagine the resulting trade deficit two years from now, when Medicare drug expenditures go directly to China. Already, we purchase many raw ingredients for pharmaceuticals from China, but prices are low, and we have control.
Will the future see us beholden to foreign drug lords in a last gasp to satisfy our social welfare obligations and also, to seek relief in (initially) lower drug costs to reduce inflation? Arbitrage advantage favors this direction now. Later, after we're hooked, we may have no other choice. So, learn Mandarin now!
For a glimpse at Chinese pharma, take a look,
@Doesn't everyone know that the communists are after precious bodily fluids?
Here are some facts and information about the last stronghold of traditional communism ala cold war era definitions. Let's see if you can pick out something you can use from this. One thing you will want to tell your friends is that Albania has changed a great deal in the last ten years, since communism has been thrown out. They are beginning to get actual roads, though communications throughout the country still relies on gossip over the fence for most news.
The standard of living has improved a great deal since 1984; Although many of the villages in the north are still isolated and have to provide their own needs such as food and clothing by ransacking neighbouring countries, the larger cities in the central area close to the coast of the Adriatic sea have a great deal of modern conveniences such as steel axes to cut firewood and flint strikers for oil lamps. Although most of the buildings are from the Neanderthal Mason Cult, some have had European plumbing installed. We are looking forward to water tanks in the main cities so that the plumbing can be put to use.
Merchants now sell bottled water in the larger cities, whereas before water for drinking was one of the major problems that everyone had. Some commercial and industrial information that does not show in tourist brochures are:
1. Albania supplies electricity to some neighboring countries instead of their own people because those citizens have money. In the urban areas they have occasional electric power around wealthy citadels, but is very unstable in that it may go off at any time and be off for hours or days at a time. That sort of makes it not worth the occasional two kilovolt blast when you try to clip on at the wrong time.
2. Albania is the 7th largest producer of Chromium in the world.
3. Large cities have no heat in the winter, they just put on more clothing.
Bear in mind that 2 of the big medical transcription houses outsource close to 90% of all the business they get from hospitals and clinics to India centers. I'm talking big hospitals like the University of Michigan, the University of Virginia, the University of Pennsylvania (and about 12 of its affiliates), the University of Arizona, The Cleveland Clinics Group where Pres. Bush spoke sometime last year I believe, and many many more. 10's of thousands of medical reports across all those hospitals, PER DAY.
I used to work for one of the big companies, CBay Systems and Services. I can't go into details for legal reasons, but understand that the security of those documents is... shall we say less than ideal..., as the company technically is not covered directly by the Health Information Privacy and Portability Act.
Data warehouses like CBay are not obliged (directly) to adhere to the privacy portions of HIPAA. Steps were taken and policies were in place at the company to prevent such losses, but I cannot say with any certainty that data loss or accidental disclosure did not happen. Legally I also cannot say any more than that.
Just be aware that medical reports as dictated by physicians go to voice servers that are not necessarily in the US. Even doctors that use handheld voice recorders, more and more they are all digital recorders. The voice files created are sent to India between 50-90% of the time to be typed, and the reports come back electronically to the US. There are plenty of chances along the way (either intentionally from within or not, or accidentally) for the information to fall into the open world wide web. I would not say it's a widespread problem, and it's not my intention to raise alarms, but to make people aware.
Do yourself a favor, and ask your doctor about how they do your medical records. You might be surprised, and don't immediately assume that because you go to a small clinic that they don't outsource their work. Roughly 40% of CBay's work was small clinics (think less than 10 employees or less than 4 doctors) and it was ALL web-based, all digital recorders or digital telephone voice answering servers, no tapes.
Also realize that despite the outsourcing of work to India, the costs for such work are not reduced. Due to language barriers and other quality issues, the costs are much much more, ESPECIALLY if a transcriptionist types the wrong medication, dosage, allergy, etc. One transcription company (MedQuest) was sued almost into non-existence a number of years ago (I think 2000 or 2001) for over-billing hospitals for services rendered. Very large class-action suit. When people skim money from their companies, the employees and investors aren't the only ones hurt. The costs are passed right on to the company customers as well. In this case, hospitals, and by extension (a very long extension I'll admit) the patients of those hospitals and insurance companies who covered them.
I think healthcare records are becoming more of a target because of the ease at which they are obtained. I work in IT security in healthcare and know from where I speak. Despite the set of HIPAA standards, security best practices are the last thing on the mind of practitioners and administrators within health care. This is just low-hanging fruit. They can gather it now and figure out what to do with it later.
The only thing we have managed to do is put ourselves at greater risk to satisfy the greed of the ignorant powers that be - old alpha males, fat corporate execs, 60+ yo Senators and elitists who keep their money and have homes outside the US. America is completely exposed and continues to react instead of providing hardened security to the healthcare industry. Instead of paying for this war we could have developed 300 million patient healthcare records, dental records and toxicology records for our tax payers. Oh well, just like 911 and Katrina, we will wait until we find ourselves in the midst of chemical-market warfare and wonder gosh how'd that happen?