Register for the 5th NLP Summit, a Free Online Conference on Sep 24-26. Register now.
was successfully added to your cart.

What Are Hackers Seeking in Your Medical Records?

May be paper-based patient files are not shareable, but they could be more secure than Electronic Health Records (EHRs). Your EHR contains exactly what hackers are seeking. It contains almost all your information. You can cancel your credit card, but it is very hard to change your healthcare record. Breaching your health record could mean a lifetime blackmail for you.

To know what healthcare data might involve, just imagine this simple HL7 message for Admission, discharge, transfer (ADT) and try to extract as much data as you can:

MSH|^~\&|EPICADT|DH|LABADT|DH|201601211226||ADT^A01|HL7MSG00001|P|2.3| EVN|A01|201601211223|| PID|||MRN12345^5^M11||APPLESEED^KEHLER^A^III||19710101|M||C|1 THOMSON STREET^^LEWES^DE^53005-1020|GL|(414)379-1212|(414)271-3434||S||MRN12345001^2^M10|123456789|987654^NC| NK1|1|ANN^LEHLER^J|WIFE||||||NK^NEXT OF KIN PV1|1|I|2000^2012^01||||004777^SAINT^JOHN^J.|||SUR||||ADM|A0|


What are they seeking?

Can you understand now what they might be seeking in your healthcare data and what they could know?

From the previous simple message, we can know the patient’s complete demographic data (name, address, date of birth (DOB) and contact information). We can know also the “next of ken” data who is his wife in this scenario. Moreover, we can know the date and time of the visit and the name of the hospital and its location and the event that happened.

Other health records or messages may contain the past medical history, allergic reactions, insurance and billing information.

I always prefer looking at the HL7 message structure to know what your health record contains and what they might capture:


Trigger message
EVN Event Type
PID Patient Identification
[ PD1 ] Additional Demographics
[{ ROL }] Role
[{ NK1 }] Next of Kin / Associated Parties
PV1 Patient Visit
[ PV2 ] Patient Visit – Additional Information
[{ ROL }] Role
[{ DB1 }] Disability Information
[{ OBX }] Observation/Result
[{ AL1 }] Allergy Information
[{ DG1 }] Diagnosis Information
[ DRG ] Diagnosis Related Group
PR1 Procedures
[{ ROL }] Role
[{ GT1 } ] Guarantor
IN1 Insurance
[ IN2 ] Insurance Additional Information
[{ IN3 }] Insurance Additional Information – Cert.
[{ ROL }] Role
[ ACC ] Accident Information
[ UB1 ] Universal Bill Information
[ UB2 ] Universal Bill 92 Information
[ PDA ] Patient Death and Autopsy


What they can do with the data?

Using the stolen data on your health record, they issue fake IDs which can be used to fabricate insurance claims, getting free care, prescriptions or medical devices.

Some hackers sell the stolen data on the black market or the so called “dark net”.

Relocation and immigration dreams have forced some immigrants who have medical problems to hack PACS servers and steal patients’ X-rays and use them as their own to be able to pass the medical exams required by the countries of destination.


Shocking facts and figures:

Different reports can show shocking facts and figures:

  • Boston’s Beth Israel Deaconess gets hacked every seven seconds.
  • In 2017, the U.S. Health & Human Services Department reported 79 security breaches. Each one affected at least 500 patients.
  • In 2016, U.S. Department of Health & Human Services – Office for Civil Rights reported that the medical information of more than 155 million Americans has been potentially exposed without their permission through nearly 1,500 breach incidents.
  • Since 2010, Illinois has witnessed 100 breaches. One of them affected 4500 patients.
  • In February 2015, 78.8 million records owned by Anthem healthcare insurance were hacked.


How much does my health record worth?

Medical identity is very valuable in the black market and the dark net due to many reasons. Credit card identity theft is known at once, accordingly the credit card is canceled immediately. On the other side, medical identity is not known immediately and accordingly the owner can be abused for a lifetime.

Stolen social security number rate is 10 cents, stolen credit card number can be sold for 25 cents while the medical identity can worth 10 to 20 times this value.

Some reports stated that a complete Medicare or Medicaid record can value up to $500.


Not only Software

Hardware and medical devices were exposed also to hackers’ trials including insulin pumps, pacemakers and defibrillators.

In US, a bed in a large hospital can have up to 15 connected devices. Knowing that a large hospital can have up to 5000 beds, we can then imagine the amount of data we have to secure.


Security standards

All medical devices and medical software applications have to guarantee the availability of Protected Health information (PHI). Each country has its own set of regulations, standards and legislations to safeguard health information.

Health Insurance Portability and Accountability Act (HIPAA) of 1996 is United States legislation that safeguard medical information.

In Canada, the Personal Health Information Privacy and Access Act (PHIPAA) guarantee the confidentiality, privacy and availability of the health information of the meant patient.

ISO 14971 is an ISO standard for the application of risk management to medical devices.

ISO 13485 is an ISO standard that represents the requirements for a comprehensive quality management system for the design and manufacture of medical devices.


Who’s the criminal

Most healthcare data attacks appeared to come from inside the facility. This means the hacker could be a doctor, a nurse or one of the administrative staff.   In many cases, the trials ended up to be a revenge organized by an ex-staff member who just wanted to screw-up the system. It has been proved that many physicians google their patients. This means that physicians also have their curiosity as human beings which could be a motive for trying to breach the patient’s data.


Hackers’ techniques

The current year has witnessed very strong ransomware attacks. The emergence of “Bitcoin” helped in the wide spread of such type of attacks.

Hackers simply replace the encryption keys with their own, then blackmail hospitals to re-permit them to have full access to information. The victims are usually facilities which need real-time access to undergo critical and emergency operations.

Spoofing attacks are used to steal healthcare data. Hackers impersonates another device or user on a network in order to launch attacks against network hosts.

Another famous type of attacks is the man-in-the-middle attack (MITM). This is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.


How to protect your data?

Professional software houses use different methodologies to protect personal health information like encryption and strategic data scrambling. In addition, traditional methodologies may be used like using firewalls by the facility itself.

From my point of view, one of the best methodologies to secure data, is raising the awareness of all the working staff. For example, let us imagine a hospital using a front-end medical transcription software which is connecting to a Citrix server. The application is supposed to allow eight intermittent connections at a time and is supposed to write 160 words per minute. Suddenly, the performance decreased markedly and could allow only two intermittent connections at a time and the performance fell to 60 words per minute. If the physician is well trained and has enough awareness, s/he has to suspect that the network traffic is abnormal, suggestive of an external intrusion. The physician has to report this at once to the network/security guys who can monitor the network traffic and figure out if there are any intrusion trials.

Staff training, education and awareness could be the best solution to the increased hacking trials. The presence of strong legislations, regulations and standards for medical devices and applications are also important, in addition to the presence of firewalls and traditional local network security policies. Some facilities impose some additional security rules like blocking USB devices and memory sticks.

Mediscore: What if you could choose a hospital based on the criteria you cared?

Alejandro Alvarado, Michael Lima, Sterling Jay Scott and Matthew Pineda were the winners of the Biola Hacks, the first ever hacks to...