Phishing and Medical Records: Not a Great Combination

  • Charles Parker, II
  • Jun 1, 2018

Over the last few years, there have been many breaches involving hospitals, doctors' offices, and other institutions that hold medical records. These records are generally kept in an electronic format, such as electronic medical records (EMR) and electronic health records (EHR), and they definitely have value on the dark web. They are clearly not simply lying about for anyone to exfiltrate; they are protected by information security and cybersecurity controls applied at various levels. Failing to apply security would be negligent and would violate several laws, including HIPAA. With these records secured, attackers need to find alternative methods to compromise the systems.

One such incident occurred in 1Q2018. Unity Point Health was compromised between February 1st and 7th, and the attackers, as an extension of the compromise, were able to access approximately 16K patient medical records. The attack vector was a phishing attack.

The attackers were able to exfiltrate patients' names, dates of birth, medical record numbers, treatment information, surgical information, diagnoses, lab results, medications, dates of service, and insurance information. The attackers may also have had access to Social Security numbers and other patient financial information.

This provides a training opportunity for the medical field on what can happen when a simple, yet effective, phishing email leads to a compromise.

About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.

 
 
 
