Internet of Things (IoT) devices that generate, store or process medical records could be exploited, and each record could be worth up to $250 per patient.
The $250-per-IoT-medical-record figure comes from John Halamka, chief information officer (CIO) of the Beth Israel Deaconess Medical Center and chairman of the New England Healthcare Exchange Network, who was interviewed for IT World in the wake of the breach of 4.5 million patient records at Community Health Systems by hackers in China.
“If I am one of the 50 million Americans who are uninsured … and I need a million-dollar heart transplant, for $250 I can get a complete medical record including insurance company details,” he said. As long as personal details like age, weight and height are approximately correct, a person could use the stolen data (and a standard fake ID) to convince a hospital they are insured and receive treatment, Halamka continued. (“Why would Chinese hackers want hospital patient data?” by Martyn Williams, August 18, 2014 – IDG News Service)
At 2014’s DEFCON security convention, healthcare security researcher Shawn Merdinger demonstrated how medical devices could expose personal health information to hackers. The types of devices he looked at included anesthesia carts, lab systems, refrigeration storage, PACS (imaging/radiology), MRI/CT, cardiac defibrillators, infusion pumps, nuclear medicine systems, fetal monitors and integration points with monitoring systems, all with their own issues. In one example, he located more than a thousand of these devices connected and listening after tickling just one exposed workstation plugged into a hospital group’s wide-open network. (“Just What the Doctor Ordered?” by Scott Erven and Shawn Merdinger, August 8, 2014 – DEFCON 22)