
Why Criminals Target Patient Data - gk1
https://www.protenus.com/blog/a-virtual-goldmine-why-criminals-target-patient-data-part-1
======
ch4s3
The lead (lede) is buried in part 2: [https://www.protenus.com/blog/a-virtual-goldmine-why-criminals-target-patient-data-part-2](https://www.protenus.com/blog/a-virtual-goldmine-why-criminals-target-patient-data-part-2)

the tl;dr is

Sell patient info repeatedly on the black market, using the profits to fund
other activities

Obtain expensive medical equipment, prescriptions, or procedures

Commit tax fraud

Expose or blackmail specific individuals, such as politicians or celebrities

Receive medical care

Undergo surgery

Purchase or sell prescription or controlled drugs

*edit grammar fix

~~~
ubernostrum
s/lead/lede

"Lede" is the newspaper term, "lead" refers to a toxic metal element, or to
someone who is followed.

Also, the second part basically just says "they sell them, they're worth this
much", but doesn't really get into why others are willing to pay that much.

~~~
DanBC
> "Lede" is the newspaper term, "lead" refers to a toxic metal element, or to
> someone who is followed.

If you're going to be pedantic you should at least be correct.

Lead here is fine, especially since lede is a neologism.

[https://www.merriam-webster.com/words-at-play/bury-the-lede-versus-lead](https://www.merriam-webster.com/words-at-play/bury-the-lede-versus-lead)

> Although evidence dates the spelling to the 1970s, we didn't enter lede in
> our dictionaries until 2008. For much of that time, it was mostly kept under
> wraps as in-house newsroom jargon.

~~~
tptacek
In fact, lede is a deliberately misspelled version of "lead"; like TK, it
exists to be picked easily out of copy without being confused by the real
text.

So it's especially strange to criticize the use of the word "lead".

------
stcredzero
I read the article and didn't catch what the criminals are doing with the
data. So ransom attacks are a diversion so they can exfiltrate the data
quietly. Are they engaging in identity theft? Are they blackmailing people?
What exactly are they doing?

EDIT: Prior to Snapchat, I envisioned an iOS application that would track the
"chain of custody" of images and electronic documents. iOS isn't perfect, but
it is one of the more secure platforms for this kind of app. A cloud-based
server would manage keys, which would only be available per-use of each
document. Is that what Protenus is doing? Such a system would provide ample
data for detecting fraudulent use of medical records.

~~~
ch4s3
The answer is in part 2: [https://www.protenus.com/blog/a-virtual-goldmine-why-criminals-target-patient-data-part-2](https://www.protenus.com/blog/a-virtual-goldmine-why-criminals-target-patient-data-part-2)

------
alnitak
I don't mean to be condescending, but the only thing I learned from this
article is this 88% statistic (and the linked source timed out while trying to
load it).

This seems like marketing speak at its finest, trying to land some of the
readers within the customer target demographic of this company.

~~~
halcy0n
I actually got the article to load but it also alludes to some other study
that says 88% again with no link to the source material.

Another "source" on that linked article just takes me to an email contact
form.

While I do not agree that hospitals are lacking in their security practices
and that most EHRs are archaic pieces of software with little concern for
security, I find a lot of what this article presents as word-of-mouth marketing
garbage.

I also take issue with the fact that this article does not offer any solution
to this problem other than 'get good scrub'.

------
JusticeJuice
I'm completing my thesis on EHR systems, and poor security is a huge issue for
almost all healthcare software - but it's a symptom of a larger issue - the
cost of distributing new software to healthcare institutions.

------
jonjlee
"Victims can easily spend thousands of dollars and hundreds of hours simply
trying to put their life back together."

While that may or may not be true, this particular post certainly is nothing
more than a piece of propaganda. For example, HIPAA regulations require PHI to
be encrypted in transit and at rest, contrary to what this post tries to scare
readers with. In general, healthcare organizations tend towards being
extraordinarily conservative when it comes to security and require providers
to jump through unnecessary hoops to access data. Citrix seems to be deployed
widely across hospitals, which is a pretty blunt security instrument for
things like even access to email. It's true that there is tons of work to be
done to improve security and access to healthcare data, but for pretty much
none of the reasons stated here. Lastly, how exactly is patient data a virtual
gold mine? Given the risk of dealing with federally protected data, is there a
marketplace for actually selling stolen PHI for a reasonable return?

~~~
ch4s3
I work in the space, and can say for certain that while everyone talks a good
game about their encryption and compliance policies, the reality is often a
bit different.

~~~
cnnsucks
Indeed. If you believe HIPAA has ensured everything is encrypted, you've been
suckered by the Potemkin village that is EHR compliance pencil whipping. The
work is farmed out to all sorts of fly-by-night shops that are expert at
passing the audits and filling out the applications that make the grant money
flow and get the necessary boxes ticked with the feds.

~~~
ch4s3
It kind of depends, I think. I work with some really great companies who take
this stuff very seriously and do a really good job. There is however a
gigantic attack surface. The vulnerability to plain old spear phishing alone
is gigantic.

Additionally, a lot of hospitals have too few, poorly paid and trained IT staff
running their in-house infrastructure. This is a big mistake, but they think
doing it this way is more secure.

And, as you suggest, there are some bad actors. Fortunately there's been a lot
of consolidation on the EHR side that's wiped out a lot of the fly-by-night
operations. Third-party contractors are, of course, another story and a mixed
bag.

------
cnnsucks
At no point in this piece of clickbait will you learn "why" criminals target
patient data.

