Skip to main content


How 2020 Presidential Candidates Can Guard Against Cyberattacks

The 2016 presidential election witnessed unprecedented Russian cyberattacks and disinformation campaigns designed to disrupt the U.S. electoral system by influencing public opinion. The Russian goal is intended to destabilize the U.S.  through ideological activism, advancing their interest and further their political agenda. Their methods compromised computer systems of candidates and political parties using the exfiltrated data to spread disinformation and influence presidential elections.

On January 6, 2017, the U.S. Director of National Intelligence released a declassified report “Assessing Russian Activities and Intentions in Recent U.S. Elections.” According to the report, Vladimir Putin ordered a massive campaign orchestrating attacks from multiple fronts that involved spreading pro-Trump propaganda on social media to hacking the Democratic National Committee (DNC). Their methods resulted in massive data breaches within the DNC that included access to John Podesta's email f…

Why Medical Identity Theft is Potentially Lethal

Medical identity theft has been escalating dramatically where Cybercriminals have found an industry ill-prepared to adequately protect itself from the onslaught. This article will briefly discuss the various aspects of cybercrime waged against the medical industry, the reasons for it and methods for its prevention.
The medical industry as a whole has been laggards addressing security by failing to sufficiently protect sensitive information stored on lost or stolen laptops, smartphones, and flash drives. Personal Health Information (PHI) records have been compromised where hackers have now begun threatening hospital operations of hospitals and other healthcare facilities. A recent example is the ransomware attack against Hollywood Presbyterian Medical Center in Los Angeles, CA.
Another notable example is the Advocate Medical Group in Chicago where 4 million people were directly affected. Advocate Medical Group did not notify affected patients until more than a month after the theft while stating the laptops were password protected. The lost data included social security numbers, which places the patients at higher risk of identity theft. The total number of affected individuals is eclipsed only by a 2011 incident in which 4.9 million medical records were compromised when backup tapes were reportedly stolen from an employee’s car. A subsequent class action lawsuit for the 2011 event seeks $4.9 billion compensation, $1,000 per affected person.
Healthcare providers are not the only victims, in addition to them were the massive breaches involving the healthcare insurance providers of Anthem and Premera Blue Cross where 80 million and 11 million individuals were affected respectively.

The Reasons

Cybercriminals commonly chase necessary identification information such as names, birth dates and health insurance contract and group numbers they can sell for just $20 on the black market, according to researchers at Aberdeen Group. However, the lucrative identify theft kits fetch $1,500 and far more when medical data is included that can be used to obtain prescription drugs illegally and commit insurance fraud. Many of these high-end all-inclusive kits contain PHI in addition to the social security numbers, banking credentials, credit card information and PINs. This information is used to include professionally forged and custom-made physical credentials such as insurance membership cards, social security cards, driver’s licenses, passports and credit cards. Health data is a tempting target for thieves for some reasons and has become more valuable than financial information.
Unlike the medical industry, financial institutions protect their customers from liability, they also re-issue new credit cards and monitor financial inconsistencies as red flags of fraud. Medical data, on the other hand, has lasting value since it is challenging for an individual victim to do anything about resolving it or offered legal protection. Healthcare information is nonrecoverable and potentially has lethal consequences in the wrong hands. For example, victims of medical identity theft can wind up with the thief’s health data folded into their own medical charts. A patient’s record may show a person having diabetes when they don’t or list a blood type that isn’t theirs that can lead to severe diagnoses or treatments. Adding insult to injury, a victim often can’t thoroughly examine his own records because the thief’s health data, now folded into his, are protected by medical-privacy laws such as HIPAA. More than that hospitals continue to pursue victims for payments they didn’t incur and not offered legal protection in the event of fraud.
Cybercriminals traditionally have gone after financial information from medical breaches, they typically don’t care about your medical data such as cholesterol levels, surgeries, blood laboratory results, etc. That has changed in a big way and Cybercriminals have found yet another lucrative market extracting the personal health information (PHI). This is in addition to just using a credit card or Social Security number from a medical file to commit significant financial fraud, they parse the information out to different buyers.
For instance, if a patient has cancer or another serious health issue the medical data in the record could be sold to data brokers who sell information to marketers, such as pharmaceutical companies and hospitals that want to target cancer patients. The uses for medical data become even more sophisticated where the PII could be used for visas and passports, the PHI provide the physical characteristics of a person with access to high-security systems could help criminals breach them, biometrics is one example among others. Currently, over half of the identity thefts involve family member situations where an uninsured person uses a friend or relative’s insurance identification card to obtain healthcare services.


While the financial industry has implemented security infrastructures to combat Cybercriminals, the healthcare industry is laggards. Establishing a sound security program is of critical importance with the threat of cyber attacks and breaches occurring on a daily basis. Medical provider executives, in particular, the CIOs and chief information security officers (CISO) should be given the right levels of authority and be positioned so they can have the most significant impact when it comes to security matters at a hospital or healthcare system. It must be understood the C-suite execs must do more than just meet compliance standards, but need to implement security on top of compliance approach. The following should be applied:
  • The CISO – The right individual for the position, needs to be identified and brought on board then a line of communication must be established at each level of the organization. Moreover, the CISO must be given all the authority, autonomy and resources that they need to be successful.
  • Governance and The Chain of Command – Establishment of a security governance council with crucial executive leaders along with the CISO is imperative. This council will oversee the needs linking security and compliance to executive leadership.
  • CISO and CIO Leadership – One of the toughest tasks in any medical care environment is protecting patient data while ensuring clinicians access to that data in performing their job. The CISO and CIO must partner like never before, both must ensure ownership and accountability on technology risk, proactively break down barriers between compliance and security staff while being well prepared for any cyber attacks or breaches.
Medical Identity Theft is a critical issue where victims are seldom afforded legal protection to deter financial or worse, physical harm with a potential misdiagnosis. Cybercriminals have found an identity treasure bonanza where not only can they exfiltrate PII but get PHI data all in one shot which has devastating consequences. It is also an essential realization that our consumer protection laws are inadequate to protect victims of this fraud and the medical and insurance industries must do more to protect the patients they serve.