Recently, security vendor Finjan discovered 500MB of interesting data while trolling for malware and performing other research. What makes this data interesting is that it is medical-related, not the normal credit or debit card information or social security number information.
Medical related data... the next threat or just another example of info for sale? (IMG:J.Anderson)
Finjan has found some wonderful caches of data and various criminal toys online in the past. This recent discovery is interesting, as it is one of the few times medical information was discovered live. The data included healthcare and business-related data, as well as personal information (stolen Social Security Numbers) for patients. Like credit cards, this data is being sold to the highest bidder online. The data was discovered on servers located in Argentina and Malaysia.
The data that was discovered in logs contained Citrix credentials, which enable access to systems in one well-known US hospital. The Citrix login access is based on a Single Sign-On (SSO) method that enables a user to authenticate once and then access all resources inside the organization. "We believe it enables unrestricted access to different types of data, including patient data," Finjan said.
"We also found data of a publicly owned healthcare system in the US. This premier, multi-faceted healthcare organization owns, leases and manages hospitals, nursing homes, physician practices, home health agencies, radiation therapy facilities, physical therapy facilities, and other healthcare-related operations," they explain in a report on the discovered data. They add, "[The] log contains Citrix credentials that enable access to systems of this US healthcare institution. After authentication, we believe resources inside the organization (including patient, treatment, and financial data) can be accessed freely." There were also OWA (Outlook Web Access) accounts discovered, offering up internet access to medical-related communications.
From this point, you can look at the FUD. As is mentioned in the Finjan report, “Some of the implications of stolen medical and patient data include: illegal and/or bogus treatments; obtaining prescription drugs for the purpose of selling them; loss of health coverage for the victimized patient; inaccurate records of victimized patients, which could result in incorrect and potentially harmful treatments.”
The reality is that most of the discovered medical information will result in HIPAA violations and fines. Medical networks are still struggling to reach HIPAA compliance, which, in short, demands that any personal or sensitive information be protected and only accessible to those who need it. Will you see false medical treatments if this information is abused? Maybe, but wow, the press will fall all over themselves when, if, it happens.
Sadly, it does not take a security expert to see how this information was obtained. Doctors and medical professionals work constantly, almost round the clock. Public networks, open networks, rogue networks, all provide a place for this information to be captured and stored.
Most health organizations have decent security in place, so direct attacks, even with valid access, would offer mediocre threats at best. Larger hospitals use segmented access, so patients are protected from misdiagnoses. While it is far from the best security in the world, you have to admit they are working hard at it and improving it.
While Finjan’s discovery shows that there is more information valuable to criminals than simple credit fraud, the risk of ID theft is still far higher than rogue medical treatments.