Not Just Credit Cards, Hackers Are Now Stealing Medical Records

The spread of one MK’s surgical procedure over social media is a new kind of invasion of privacy, but theft is mainly used for blackmail and resale


News that a Knesset member recently underwent a medical procedure was leaked to the media and onto social networks within days. Given that most people would prefer their medical information remain private, the leak presumably caused great embarrassment to the MK and his family. But they were not alone in being victims of a new hacking phenomenon: the theft of medical records.

Barely a week passes without reports of a medical institution, insurer or database being hacked. The hackers are usually of the criminal sort; in other words, their motive is financial, not ideological, though it can be both.

Two weeks ago, the Israeli data security company MadSec identified a major attack by activists from Tunisia and Algeria on Israel. The hackers, according to MadSec, obtained the credit information of Israelis belonging to major health maintenance organizations, and tried (unsuccessfully) to attack one of Israel’s banks.

The hackers claimed to have achieved remote control over an HMO’s computer system – and posted a clip on YouTube to prove it. They also published screenshots of patient accounts.

The gap between ideological and criminal hacking is small, says MadSec manager Doron Sivan. Most coordinated attacks against Israel aren’t terribly sophisticated, he says, and they’re usually DDoS (Distributed Denial of Service), an attack designed to overload a system to the point of collapse. But there’s substance beneath the smoke. Stolen data soon appears on the internet for sale. “It starts with an ideological attack on Israel, but quickly turns into crime, in net terms.”

The scale of medical hacking is huge. Here are just a few examples.

In January, the data of 11 million users was stolen when Blue Cross pharmaceutical company was hacked. In February, a Los Angeles hospital paid hackers $17,000 – in bitcoins – to have stolen files returned. In June, United States hospitals management company Banner Health reported that data of 3.7 million users had been stolen, including names, birthdates, insurance policy numbers and so on. That same month, a hacker put up 655,000 medical records for sale on the dark web.

In July, Ukrainian hackers announced that they’d broken into a urologist’s database in Ohio and lifted 156 gigabytes of information, including test results and contact information. That month, another medical database with 23,000 clients was offered for sale on the dark web.

According to the Institute for Critical Infrastructure Technology, some 47% of American medical records were hacked in the past two years. About the same proportion of data managers admitted to another research company, ESET, that their firms had suffered a cyber event.

Valuable commodity

Why are hackers suddenly so hot for medical data?

Medicine is big business. According to ICIT, 18% of America’s gross domestic product goes to healthcare. IBM investigators prowling the dark web discovered that a medical record is worth more than a credit card number. A complete record, with name and history and data, goes for about $60; a single social-security number is $15, while a credit card number will set you back a mere $1 to $3.

Financial and medical information are generally personal and sensitive, says Shahar Daniel, CEO of Safe-T, a data security company that focuses on the medical industry and recently won a large Health Ministry contract. “If you have secrets, that is where they will be. If you have something that can cause you trouble, it will probably be there too. This is tradable information,” Daniel says.

How can it be used?

Blackmail, for one – of an individual, or a company. No firm, pharmaceutical company, insurer or hospital wants information stolen; it may pay ransom to get it back. In fact, ransom hacking is all the rage, Daniel says.

In some cases, clever hackers infiltrate a system and encrypt the data. Want your data readable again? Pay.

In contrast to banks or other financial players, which have some 40 years of data security experience under their belts and are heavily regulated, medical institutions are apparently easier to hack, whether by encryption, classic phishing or simple data theft, says MadSec manager Doron Sivan.

Also, the financial system is stuffed with money. Medical systems are crying for resources. Finance companies are used to protecting money; medical systems figure the victim is, basically, “just” the patient, says Daniel. That may be changing. Having realized they can get sued, hospitals are starting to worry about information leakage, he adds.

It isn’t just a matter of awareness and resources. Medical systems are more vulnerable because of their structure – their network architecture. Hospitals today are entirely computerized, from reception to your blood test in the lab and your vascular scan. Every single machine is a potential entry point for hackers.

The Israeli startup TrapX published two reports on the topic, both called, “Anatomy of attack”. In the second, the company writes that hackers can use positively doddering old worms – the kind that antivirus programs ignore by now – inside which they hide more sophisticated weapons to exploit Windows-based systems. Some of the medical equipment the company examined had no protection at all – the hackers didn’t need anything sophisticated to get in. TrapX found signs of hacking in X-ray machines, for example.

It is not rare for a hospital to buy X-ray machines that come with an old Windows operating system, with no software updates and default passwords. For hackers, that is like leaving the door wide open and posting a “Break into me” note on it.

Two investigators, Mike Ahmadi of Synopsys and Billy Rios of Whitescope, checked a Windows-based medical information management system called X-per made by Philips and found 460 vulnerabilities, including 360 serious ones. Some made the system vulnerable to even novice hackers, they said. Philips put out an update to solve the problems.

Catastrophic shutdown

“Medical equipment and medical cyber kit should be categorized as crucial infrastructure, because in contrast to other systems, shutdown is catastrophic,” says Lior Ateret, manager of the GE cyber security research lab.

One difficulty is insulation: a power station can run without internet but a hospital can’t, and even the medical staff can pose a security challenge. “Do you know how doctors exchange opinions? Over Whatsapp,” sputters Ateret.

Then there are the technological challenges – a CT file can be hundreds of gigabytes. Go encrypt that.

Beyond the economic facet of cybercrime, there’s the aspect of remote control. Imagine a hacker gaining control over your pacemaker. Think that sounds ludicrously paranoid? In 2013, former U.S. vice president Dick Cheney had doctors disable the wireless capacity in his pacemaker to thwart potential assassination by hackers.

Not convinced? In 2012, Congress began fretting about malware being employed on medical devices. Hackers have long since demonstrated their ability to remotely monkey with insulin pumps and infusion.

And there’s always the possibility that, for whatever reason, hackers might gain remote control of a hospital system and begin changing prescriptions or dosages or test results. It isn’t known to have happened yet, but it’s food for thought.