Medical Identity Theft

Presented at DEF CON 16 (2008), Aug. 8, 2008, 6 p.m. (50 minutes)

In less than an hour, during a scheduled pentest, our team was able to retrieve 3.2 million patient insurance records from a HIPAA-compliant medical facility. Using these records, we could have generated counterfeit insurance and prescription cards which would pass muster at any doctor's office or pharmacy counter. If you are one of the 47 million Americans with no health insurance or happen to have a medical condition you wish to hide from employers or insurers, would you consider purchasing falsified medical documents? Thousands of Americans have already said yes, without thinking twice about the victim of their victimless crime. What happens to you if your medical identity is stolen? You may find yourself liable for thousands of dollars of co-pays, deductibles, and denied claims. Is this because you forgot to shred an important document? Did you fall for a phishing scheme online? Of course not -- it was entirely outside of your control, and it happened because the current HIPAA regulations are insufficient to protect your medical identity. In this talk, we'll review the current state of HIPAA and other laws covering the security of your medical records, and discuss what changes need to be made, both in policy and in practice, to shore up the security of our medical records.

Presenters:

  • Eric Smith - Assistant Director of Information Security and Networking, Bucknell University
    Eric Smith is Assistant Director of Information Security and Networking at Bucknell University, located in Lewisburg, Pennsylvania. He has over 15 years of field experience in information security, networking, and systems administration. He has provided consultation services in places such as Research Triangle Park and New York City. Eric is a founding member of PreSet Kill Limit, the security research group which has won the Defcon Wardriving Contest the past several years.
  • Dr. Shana Dardan - Assistant Professor of Information Systems, Susquehanna University
    Shana Dardan holds a PhD from the University of North Carolina at Charlotte in Information Technology. Currently, she is conducting research in the area of IT Investment Valuations and Digital Healthcare for hospitals nationwide. Shana has been an invited member of the WiSac and Pennsylvania Broadband task forces. Previous corporate research includes notable companies such as Intel Corp, where she conducted research for Doug Busch, VP and CIO, on IT investment analysis. She speaks at industry events on investment strategies, IT security, and outsourcing and has contributed to numerous books. Shana joined Susquehanna University in 2006, where she teaches Systems Analysis and Design as well as IT Strategy.
