Akamai Diversity

The Akamai Blog

The Rising Risk of Electronic Medical Records

By Bill Brenner, Akamai SIRT Senior Tech Writer

Akamai's Security Intelligence Research Team (SIRT) released a new whitepaper this morning about the rising risks medical organizations face as they become increasingly dependent on digitized record keeping.

The use of Electronic Medical Records (EMRs) and a more digitally integrated medical records system is no longer science fiction, and the task of securing sensitive medical data is a daunting challenge. The threat landscape continues to shift rapidly, and business responses need to keep up.

The whitepaper, written by Security Response Engineer Benjamin Brown, examines the risks, and outlines steps organizations can take to keep attackers at bay.

Examples of Fraud

One money-making scheme involves setting up shop as or working with a clinic or medical practitioner to commit Medicare fraud. This is done by shadow billing, charging for procedures or services that never occurred, or by upcoding, using billing codes that specify the need for expensive procedures.

Medical insurance fraud can also come from the patient side in the form of a criminal posing as another individual to fraudulently receive medical services or prescriptions. Another vector for financial grift takes the form of tax fraud. Using the information found in an individual's medical records, it is rather straightforward for a criminal to both gain more sensitive information and to steal that person's tax refund outright.

The data found in EMRs also gives criminals the ammunition to perpetrate more elaborate financial identity theft. With this data they can receive loans, credit cards, and bank accounts under an assumed identity, leaving the victim holding the bag on a tanking credit score and a mob of collection agencies.

The fraudulently created accounts used by these criminals can also open the victim up to criminal proceedings when said accounts are used in the commission of crimes such as wire fraud.

Bank accounts opened by criminals can be used as a dump site or 'drop' for funds stolen or laundered by other means. For example, a criminal can set up a merchant account with Paypal, Skrill, Square, or any number of other transaction processors to make charges against stolen credit cards. The money from these transactions can be shunted to the 'bank drop' then retrieved via ATM, a money order, or transferred to yet another bank account.

These actions can be performed by the criminal directly or proxied through a set of money mules, individuals recruited to shift the money between accounts they control for a slice of the ill-gotten gains. Such practices are so common among cashout schemes that there is an active underground market for said 'bank drops' and third-party payment processors.

The full white paper includes defensive measures organizations can take, and can be downloaded at http://www.stateoftheinternet.com/resources-web-security-threat-advisories-2015-rising-risk-electronic-medial-records-fraud.html.