Don't Mug Me For My Password! - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Healthcare // Security & Privacy
08:06 AM
Jutta Williams
Jutta Williams

Don't Mug Me For My Password!

In today's information-based world, crooks are targeting mobile devices -- and the data on them. The healthcare industry is particularly vulnerable.

For the last couple of years, I've been educating Health First employees that mobile devices are worth their weight in gold -- certainly as incredible, business-enhancing tools that make us productive anywhere and anytime. In a larger sense, they're priceless because the data they carry represents a much greater financial liability. I've challenged executives, clinicians, and IT experts to look at mobile devices not as a stylish, expensive tech asset, but rather as a million-dollar data liability. A lost or stolen device can (and routinely does) cost companies millions, I have argued. More recently, unsecured devices represent the potential for billions in remediation and restitution.

I had hoped this message would be heard -- but not by a community intent on exploiting this new reality. Recently, for example, I read about the armed robbery of a physician, who kept his life in exchange for handing over his laptop, phone, and encryption keys and passwords. I should not have been shocked -- or even surprised.

Criminals know how easily they can breach even our best defenses because of how interconnected and "available" we have become, and by how accessible and immediately responsive we as a society require our business and (in my world) clinical teams to be. It might be time for us to really consider and perhaps reassess the true costs of making data available anywhere and at any time.

[As we head into 2015, where do the greatest healthcare security vulnerabilities lie? Read Healthcare Security In 2015: 9 Hotspots.]

So what has changed? The value of medical identity information continues to grow, and according to multiple reports the target placed on the health community far surpasses other industries. 2013 evidenced a 20% increase in medical identity theft, and some industry experts suggest the reason is simple: We're a soft target, with a 50 to 1 return on each identity stolen when compared to financial identity theft. A CBS Nightly News report suggested the best quality data and most complete identity to obtain for nefarious purposes comes from the medical community; in Miami, for example, $1,000 for 100 names was the going rate.

That's low, according to those close to DarkNet communities. For $50, they say, a criminal can purchase a medical identity that mirrors their own ailments so they can seek "free" medical services that would not raise red flags to a clinician. Need a new knee? Here's a medical identity for someone who is about your size, age, and gender, and whose medical history indicates a replacement joint is in his or her future. For $250, the criminal will throw in a fake ID and insurance card to match the identity.

(Image: Ian Lloyd, Flickr)
(Image: Ian Lloyd, Flickr)

By the time the patient and insurance company victims figure out a $50,000 fraud has been committed, you'll be out of rehab and never heard from again. This is real and expensive: It's estimated to cost the industry between $35 billion and $80 billion each year. That's a big spread, you might think -- and you'd be right, because we simply don't know exactly how much of our healthcare delivery dollar we're spending on fraud.

In November, Interpol, the Federal Bureau of Investigation, and the Department of Homeland Security filed charges against Silk Road 2.0, a DarkNet site dedicated to the brokerage of stolen information, hacking for hire, and the Craigslist equivalent for all things illegal. For sale: controlled substances delivered direct to you, large- and small-caliber weapons, human trafficking, child pornography, murder for hire, and all manner of identity information.

Sadly, the original Silk Road DarkNet site had been shut down only one year earlier. The Internet will spawn another market place -- it probably already has -- and illegally obtained data will continue to retain its value.

So what have we done to change things? We've tried encrypting stored data, we've tried enforcing secure remote access and virtualization for client applications. The best and most innovative changes in our industry seek to distance the data from a device, which works great when devices are lost or stolen, but not in cases like the aforementioned robbery. All these protections were circumvented because the keys and passwords -- the means for legitimately providing access -- were also held hostage.

Imagine if the robbery victim had been a database administrator – someone who remotely manages the entire patient index -- instead of a doctor who sees a few hundred patients. Millions of individuals would have been at risk. Your average doctor probably doesn't have that level of access to raw data, so the compromise was limited to what was stored or accessed between the time of the mugging and notification to change the passwords. I don't have that kind of access either, for all the bad guys and gals out there. But if I did, I would not hesitate or advise anyone to hesitate to hand over the keys to the data kingdom if my life or the life of someone in my family was at risk. Sounds like a movie script -- and there have been a few action thrillers that make hostage-induced insider data exfiltration out to be a very cloak-and-dagger plot line.

Dark Reading's new Must Reads is a compendium of our best recent coverage of vulnerability management. Learn how a design flaw in an older version of the SSL encryption protocol could be used for man-in-the-middle attacks, how the Mayhem botnet malware kit serves enterprising criminals, why it's time to raise the bar on static analysis, and more. Get the Must Reads: Vulnerability Management issue of Dark Reading today. (Free registration required.)

On September 15, 2014, Jutta Williams joined Health First as the organization's first Corporate Information Assurance Officer (CIAO) and accepted the interim role of Chief Compliance Officer (CCO) on December 1, 2014. Ms. Williams most recently served as the Director, ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
12/31/2014 | 2:00:29 PM
The movie "Ghost" (1990) and Passwords
I just wanted to throw in the discussion that password theft was part of the 1990's movie "Ghost" (Patrick Swayze and Demi Moore). The main character was murdered for a list of accounts and passwords.
User Rank: Ninja
12/29/2014 | 12:55:04 PM
Protecting your data like your money
So what are ways possible muggies can protect not only themselves and their data?

Thinking like how I protect money on vacation. I separate it from my purse, leaving only a small amount for incidentals in the purse. This helps so I can get a coffee without digging though a secret stash of money but also allows a possible mugger to think they got all my money. If you have to have data on personal devices, would there be a way to replicate this as a security feature on stolen devices, so muggers get a small compilation of fake generated info (possible tracked to help lead the authorities to them) without allowing them access to any real data? What other way can you think of to protect both yourself and your data?
Mike Lanciloti
Mike Lanciloti,
User Rank: Apprentice
12/22/2014 | 4:53:45 PM
Alternative Solution to BYOD
Today's BYOD policies simply don't consider the type of data breaches highlighted in your article. Unfortunately, we will see continue to see an increase in these types of thefts as the value of health data rises. That's why I agree that PHI should not be accessible on mobile devices at anytime or anywhere. As an alternative to BYOD, healthcare organizations should consider purpose-built communication devices that improve communication and information access. These devices provide the portability and information sharing capability that smartphones can provide but stay within the confines of a hospital, reducing the risk of a costly data breach.
User Rank: Ninja
12/22/2014 | 12:23:38 PM
I'd like to just correct some points in this piece. Silk Road 1.0 had weapons for sale. Silk Road 2.0 however did not and only tried a spin off called the Armoury for a while, before shutting it due to lack of interest. 

Similarly none of these sites have ever openly sold child pornography and if it did exist on there, it wasn't well known about. The admins took a pretty hard line against anything that could not be considered (at least in their eyes) a victimless crime. 

Silk Road 2.0 did sell things like stolen credit cards and fake passports, but the majority of its focus was drugs. 
User Rank: Strategist
12/22/2014 | 12:11:11 PM
Interesting, but
it's just the description of a new problem, or of a new level to an existing problem.

If separation of data from device isn't the solution, if encryption isn't the solution, if strong passwords aren't the solution, what is?  What's a CISO to do about this?

Is it like being mugged for your bank PIN except there's no daily limit on your withdrawls (esp if you're a systems admin)?  Maybe, like being mugged for your bank PIN, there IS ultimately nothing that can be done to totally prevent it, and it will continue to be a real and active concern but a relatively rare occurrence?

I'd suspect more muggings are, and will continue to be, done for bank PINs, cash and jewellery than for health and other info.

David F. Carr
David F. Carr,
User Rank: Author
12/22/2014 | 8:27:23 AM
How long before this mugging people for their passwords phenomenon happens to someone you know?
10 Top Cloud Computing Startups
Cynthia Harvey, Freelance Journalist, InformationWeek,  8/3/2020
Adding Fuel to the MSP vs. In-house IT Debate
Andrew Froehlich, President & Lead Network Architect, West Gate Networks,  8/6/2020
How Enterprises Can Adopt Video Game Cloud Strategy
Joao-Pierre S. Ruth, Senior Writer,  7/28/2020
White Papers
Register for InformationWeek Newsletters
Current Issue
Enterprise Automation: Do More with Less
In this IT Trend Report, we highlight the benefits of automation and the various tools as enterprises navigate turbulent times, try to do more with less, keep their operations running, and stay on track with digital modernizations.
Flash Poll