All right. Well, hey everybody. Thanks for coming out to the last talk of the first day. Everyone have a good time at DEF CON so far? Yeah, all right, cool. So great, thanks for coming out. My name is Eric Smith, and I am the assistant director for information security and networking at Bucknell University in Pennsylvania, and with me today, but not on stage, is Dr. Shana Dardan. Stand up, say hi. She is the assistant professor of information systems at Susquehanna University, just down the street from us in Pennsylvania. So we're going to talk to you today about medical identity theft.

So here's the agenda for our talk. We're going to give a little bit of background, talk about what medical identity theft is and what's actually going on in the world of medical identity theft. We're going to talk a little bit about HIPAA and how HIPAA is designed to stop what's going on, even though it's not actually stopping what's going on, and then we'll look at what we can do to fix it.

So let's get started and talk a little bit about the background. So what is medical identity theft? What is an electronic medical record? Well, here's a typical example of something that your doctor is probably already using. This is an electronic protected health information system, an electronic medical record system, and this is just a picture we found on Wikipedia.
It's pretty typical of what nurses and doctors and whatnot are using today, and basically it stores all of your medical records in some easy-to-use way so that non-technical people, such as doctors and nurses and billing managers and whatnot at your hospital, can have full access to your medical record. So the things it contains are comments about your medical record itself, lab results, lab tests, that sort of thing. Pretty much everything about you that the hospital or the doctor knows is being stored electronically in a system like this. What's interesting is that these systems are also storing your billing information. So it knows your home address, your phone number, your Social Security number, your health insurance information; it's all in here.

So how many people are using these? Unfortunately the latest statistics we could find for this were from 2006, but it gives you a good idea. In 2006, 29.2% of all physicians were using electronic medical record systems and 25.9% of all practices were using them. So within the last two years it's certainly gone up; it's about a 10% increase per year. And the reason for this is obvious: it's a cost savings for the hospitals to do this. They don't have to go pull paper records to find out what shots you need or what's wrong with you. So it's financially beneficial for your healthcare provider to use an electronic medical record.

So what is medical identity theft?
Well, you've probably all figured out what medical identity theft is. It's like financial identity theft, except someone is stealing your medical identity. So somebody wants to go to the doctor and they don't have health insurance. Or somebody wants to go and get a prescription for OxyContin but they don't want it on their record. Or somebody needs to go get treated because they can't lift 50 pounds, and their job requirement as a laser printer technician says you have to be able to lift 50 pounds. There's something that a person may want to have kept out of their medical record that may affect their ability to get or keep a job. So these are some of the reasons that people might be doing medical identity theft, and we'll talk a little bit more about that in a slide.

All right, so you're a victim of medical identity theft; someone's come along and stolen your medical identity. Unfortunately a lot of people say, well, I don't care, I have insurance, it's not my money. Well, it turns out it really can affect you and it really can ruin your life, and here are just a few examples of why this is a horribly bad thing. You could receive the wrong medical treatment if somebody pulls up your medical record and there's an entry in there saying, well, you were seen last week for problem X, and it was somebody else; that could definitely affect the kind of treatment that you get. You could find that when you actually need to use your own insurance, you've run out your co-pay for the year and you're no longer covered for your actual symptoms. So someone else has used your insurance up and you have nothing left for yourself. Like I mentioned with the laser printer, that's just one typical example, but if there are items in your medical history that could affect your ability to get or keep your job, the results of a drug test for example, obviously that's going to be a problem for you. The same sort of thing could cause you to fail a physical. If somebody looks in your medical record and says,
well, you have poor eyesight, and your job is to drive a forklift or something like that, that might affect your ability to keep your job based on failing a physical exam. And of course there's a financial aspect to it all. You're going to get billed for co-pays. You're going to get billed for anything that the insurance doesn't cover that someone who's stolen your medical identity has received.

So we've kind of already gone over this. Why would somebody want to steal your medical identity? Well, most of what's going on today, most of the actual medical identity theft cases, are a mechanism to get to financial identity theft. I mentioned earlier that the electronic health records contain not only your medical information but your financial information, your billing information. So a lot of the medical identity theft cases now, where people are stealing medical records, that's being done simply to get credit cards and open credit in your name based on the billing side of those records. So again, you can get access to health care and health insurance. You can get access to narcotics: you can go to a doctor, convince them that you need some sort of prescription drug that is hard to get on the street, or you might be getting it just to sell it, that sort of thing. And again, covering up health records and hiding things that you don't want to have in your permanent record that might follow you around.

What's really interesting is that the identity theft perpetrators are taking note of this and realize that healthcare facilities are really prime, juicy targets for identity theft, not only medical identity theft but also financial identity theft. Here's a quote from the Healthcare Information and Management Systems Society to address this. It basically says that the data stored in hospitals and healthcare facilities contains more data in one record than any other source. So instead of going after a bank or going after a school, we go after your medical record, because we're going to get all of your
financial information, all of your medical information, and these records are stored in institutions that typically haven't been targeted for this sort of thing. Banks know that people are coming after you; hospitals, maybe not so much.

So is this real? Is this actually happening, or am I just making this up so I could talk at DEF CON? Well, it is actually happening. So here are some numbers. These are from the Identity Theft Resource Center. So in 2007, they estimate, these are the breaches that they know about. So obviously there are a lot of breaches that happen that get covered up, but these are the ones that have been published. So in 2007 there were 65, about 4 million records exposed, and so far in 2008 there were 59 breaches and about 6 million records exposed. Now these are not necessarily malicious attacks. A lot of these are stolen backup tapes, letters sent to people with the wrong addresses on them, that sort of thing. But there are some actual malicious attacks going on here as well.

Yeah, I do not know. I'd have to check the file. Well, then I would probably say no, it doesn't contain that. So, you know, do the math. This number is based on data up to August 4. So if the trend continues, by the end of the year we're looking at about 8 million medical records lost.

Yes, we should.

Almost none. A lot of this is things like backup tapes were stolen, printed records were stored in a storage facility and they forgot to renew the lease and it got sold at auction, that sort of thing. Most of it is just sort of sloppiness in the care of the healthcare provider. Now, okay, so I think we're going to talk a little bit about where this is trending, but so far a lot of this is just sloppiness on the side of the healthcare provider. We're going to talk HIPAA to death, trust me.

So everyone's been to the doctor, and they've given you one of these. Everyone's gotten one of these, right?
This is the warm and fuzzy "we care about your privacy" document that they're required to give you. And the doctor here, he looks really happy. He's confident that they're taking good care of your medical records, and we'll see that that may not actually be the case.

Question? I can tell you, based on my own empirical study of one data point, me: I read mine. So I would say 100%.

Okay, so here's HIPAA. HIPAA is the Health Insurance Portability and Accountability Act of '96. Okay, it's 2008, so this is kind of old. But this covers a wide range of issues related to the electronic processing of medical records and billing information. So since we only have an hour today, we're going to really zoom in and just focus on one tiny little subsection of this. We're going to focus on the technical safeguards, under the security section, under the administrative simplification section of Title II of HIPAA. So if it's not clear that this thing did not come from our government, then... there we go. So, like I said, we're going to focus on just the technical safeguards and see where we're at.

Okay, so moving on in our agenda, we're looking at Section II, HIPAA security requirements. So this is the entire text of HIPAA that relates to the technical measures that must be taken by a healthcare provider to protect your medical identity. It's about half a page, double spaced. Okay, give this a comparison. Anyone here, you know, work with PCI compliance? Probably a lot of people. That's 17 pages. Yeah. Does that include the cover sheet? Okay, so the question was, does that include the cover sheet? So there is no cover sheet on the HIPAA section. So okay, we'll say it's 16 pages. Thank you. But it's still considerably more detailed than what we would find in HIPAA. So let's compare HIPAA to PCI while we're on the topic. And what are the penalties for not being in compliance with the rules?
We'll talk about the rules here in a minute, but I just wanted to frame this and compare HIPAA versus PCI. So what are the differences between failing to comply with securing medical records and failing to comply with securing credit card information? So under HIPAA, if an entity is blatantly out of compliance on a requirement, they're fined $100, and if they don't fix it, they can be fined $100 over and over, up to a maximum of $25,000 a year. Under PCI... PCI is not a government standard; it's negotiated with the credit card companies themselves, and the fines can vary based on your own merchant agreement with the credit card companies. But the fines can be huge and can be assessed monthly, basically trying to force you to get into compliance.

It's $100 every time they catch you doing something, maximum of $25,000 a year if you keep doing that same thing. Say, for example, one of the requirements under HIPAA, and we'll get to this, is that everybody who accesses a medical record has a unique username and password. Say there's a hospital somewhere that has a terminal that's logged in 24/7 and all the nurses use it, and somebody complains and they get cited. Every time somebody complains, they have to pay the $100, up to a maximum of $25,000 a year. So obviously, in a lot of these cases, it's going to be cheaper to pay the fine than to fix it. That's true, right? Can you speak up, please?
Well, when it defines a person, an entity can be a person. There's actually a definition of a person in the HIPAA language; it's a government document, so we have to define a person.

So here's a table. This is basically just the distillation of the half-page technical requirements, and we're going to run through this a little bit. But what's interesting to note is that of all these technical requirements in HIPAA, they're not even all required; there are requirements that are not required. So we're going to look at these: the Rs are required and the As are addressable, and we're going to talk about what that means here in a second.

So let's just look at the required ones first. Here are the required implementation specifics, and you'll notice that half of them have no implementation detail. It says you have to do this, but we're not going to tell you anything about it. So one of them is unique user identification. So basically, we looked at HIPAA, we talked about the half-page document, and then there was a series in the Federal Register that went into more detail, because people were saying, well, you know, you gave me half a sentence, what does that mean? So they elaborated on a lot of these points in that document, and that's where this information comes from. So for example, for unique user identification, basically it says that an entity can use any appropriate access control mechanism that's allowed, and they gave some ideas. Basically what it comes down to is that if you're a hospital, you can come up with whatever you want for unique user identification. You can have single-digit usernames, fine. You can have that sort of thing, as long as everyone has their own. In the initial draft of HIPAA, it required things like key fobs and multi-factor authentication, but people complained, so they took it out.

There's a requirement for emergency access. Basically what this means is: we need to get into your medical record, all the nurses are on vacation, what do we do?
But it doesn't tell you anything about how you do this, so it's completely up to the hospital. And I keep saying hospital; it's any medical institution, but I'm just going to use hospital. Any medical institution just has to come up with some policy, and that policy could be: okay, we wrote the root password of the server in Sharpie marker under the keyboard. And that would be perfectly acceptable in HIPAA. You just have to document that as your procedure. And I don't suggest using Sharpie, because if you change it, you have to cross it out. You might want to use the Post-it note.

Another requirement is audit controls. So the initial draft was really looking to say, okay, who's accessing these medical records, when, and why? That completely got taken out, and it's up to the entity to determine what sort of audit controls, if any, are required. So there are no specifics about how long we have to keep logs, what kind of logs we have to keep. It just says you need to have some sort of audit controls. Write down what they are, good to go, and that's HIPAA compliant.

And then person or entity authentication. Person or entity meaning an employee or a business partner, that sort of thing. There must be some system in place to identify who they are. And the initial draft of this had lots of language in it about using multi-factor authentication, certificates, whatnot. People complained; they didn't want to do that. So they basically said, okay, well... it actually says whatever is reasonable and appropriate is fine. So you again come up with whatever you think, and you're in. So if you want to just assign usernames and passwords, that's completely sufficient under HIPAA, and that's what most people are doing.

Well, actually, most of what happened was they had the initial draft of HIPAA out. He asked where most of the complaints came from, and he just asked if they came from the AMA. And actually, no, it was mostly just individual entities, doctors, hospitals, that sort of thing. They opened it up for
public review. They collected, it was like 2,600 comments. They distilled them down into a bunch of categories; there were many similar questions. And basically if enough people said, we don't want to do X, what they did was say, all right, you don't need to do that, and they took it out.

So those were the required implementation specifics, and you can see that the required ones really have no teeth. And it gets even better, because there are more that aren't even required, and these are the ones that you would think are really important. Like encryption: totally not required. So what does it mean to be addressable? It means you should probably do this, but if you don't, that's okay; just write down why you can't do it.

So let's talk about encryption. This is one of my favorites. So in the Federal Register it asks... there were a lot of questions in the initial review about encryption. People were asking, what sort of encryption strengths should we use? Where should we use encryption? Why should we use encryption? So at the end of the day, what it came down to, they actually said that the use of encryption in the transmission process is an addressable implementation specification, meaning you don't actually have to do it. So covered entities, your hospital, your healthcare provider, are encouraged to consider the use of encryption for transmitting your ePHI over the Internet. So you don't have to encrypt your medical information when it's sent over the Internet. Plaintext FTP, fine, so long as they have an item written down somewhere that says, we can't do this because our system doesn't support it. Fine, HIPAA compliant. No, there are absolutely no specifications of what type, what level, what kind of encryption needs to be used. It just says encryption. And they actually went on to say that they didn't want to specify details because certain entities may not be able to do SSL. What if this entity wants to do ROT13? You know, that's encryption, that's fine.

The question was, what about doctors keeping their
lab results on BlackBerrys. In essence, in the current version of the law, you could do whatever you want so long as you write something up to justify what you're doing. So if you said, well, BlackBerry is not a system we own the back end to; it's a third party, they've assured us that they're using encryption and the data is safe. You're fine. So if something was to happen, as long as they had a document like that in place, they couldn't be cited for that.

Data integrity, this is another great one. The initial version of the draft talked about data integrity. This is really addressing things like database journaling, to make sure no one's coming in on the back end and mucking with your medical records. Again, people complained, so what they turned it into was that if you use things like CRC32 or a checksum on your file system, that's good enough. So it really took out any sort of malicious attack vector and just turned it into random data corruption, and it kind of took all the teeth out of it.

So as you can see, one of the big issues with HIPAA is that it's really up to the healthcare provider to determine what it means to be HIPAA compliant. They can come up with whatever they want, and it's HIPAA compliant. And so here's a quote from the Healthcare Information and Management Systems Society again. They have lots of good information. It basically says that it allows the healthcare provider the latitude to do whatever they want and say it's compliant, and that's good enough. So there's HIPAA in a nutshell, just the technical specifications. There's lots, lots more, but we only have an hour. So, just focusing on the technical specifications, we were curious: what does it really mean in the real world?
What does it mean to have a healthcare provider be HIPAA compliant, have an actual... there are companies out there that are coming in and doing audits to say, yes, you're HIPAA compliant. So we had an agreement with a healthcare provider to come in and do a penetration test right after they had a HIPAA compliance audit done. So they got high marks; it was a really high-class place doing a really good job. And so they contracted with us for a penetration test, and so we went in and we decided to see what would happen. So I think it was 23 minutes that it took us to completely dump their database, something like that. We were able to completely pull all the medical records. HIPAA compliant, and everything that we did during this penetration test, we never used a vector that was there because of them being out of compliance. Everything that they did was HIPAA compliant, and yet we were still able to get in and dump everything out.

Yes? The question was, how did we do the penetration test? I can't talk about that. The question was, could you speak as to whether a hacker could have gotten the information? Well, I could have put on my black hat that day and been a hacker, so I got the information. I'm sorry, I have no idea. Any ideas, guys? He asked about HIPAA 2. I'm not familiar with HIPAA 2. Is it a draft?
I'd have to look at it, but it's not anything that's in place right now, so we don't look at that.

So we decided to summarize what we found into a couple of slides here, to talk about some really common attack vectors that are completely permitted by HIPAA, things that HIPAA says you're good to go on but that are really common in a lot of medical institutions. So I want to talk about that here today, and I want to talk about a new kind of wireless attack. And everyone here has heard, you know, all these boring talks about various wireless attacks. Sorry, I shouldn't say boring; they're very exciting. But this is a different twist on a wireless attack, and we'll talk about that here in a second.

So hospital networks: what's special about a hospital network? Well, hospitals are open to the public. You can walk in off the street 24 hours a day. The security staff at a hospital are used to random people coming in off the street 24 hours a day. People are coming in because they're sick, people are coming in to visit, people are in the hospital, what have you.
So they're used to having random people milling about. And recently, because most hospitals are putting in wireless networks which have an SSID for public use, for patient use or for visitor use or whatnot, it's pretty common these days to walk in and see somebody sitting in the ER waiting room on their laptop, updating their MySpace profile, whatever. So it's pretty easy to come into a hospital, sit down and blend in, and see what you can find.

So, physical attacks against wireless networks, that's what we're going to talk about now. We're going to look at a couple of different standard wireless network implementations. I'm guessing a lot of you are dealing with one or both of these types of networks on a day-to-day basis. So first we're going to talk about the old-style decentralized wireless network. And I'm going to talk about Cisco stuff, because that's what I use, but this applies to whoever else you might be using. So in a decentralized wireless network, the access points themselves are the devices that make the decisions about who gets on the network, and what network they get on, and what types of encryption are used, and what kind of authentication is used. So a wireless client comes along. Here's a pretty typical example of what you'd find in a hospital. There's an SSID for the doctors and the nurses to use with their laptops or PDAs that has access into the core, access into the juicy back end. There's often a wireless voice network for VoIP phones. And like I said earlier, there's often a network for guests. Because the access points themselves are the ones making the decisions about who gets on the network and how they get on, they have to have access to those networks at the access point. So how's this done? Usually it's done with an 802.1Q trunk right into the access point. So you have a bunch of access points, they're all trunked, they're all out there. So what happens if you have a facility where your access points are sort of out in the public and you can just walk up to one of them? Well,
an attacker can tap into the uplink of one of these access points, establish an 802.1Q trunk into the network itself, establish the correct VLAN interfaces on their machine, and start launching attacks. So now you have, effectively, for example, say we're getting on VLAN 100 right here (where's my mouse?), which is using EAP-TLS, and we've issued certificates at both ends. Top-shelf wireless encryption. We totally bypassed it by just plugging into the uplink to an access point. So now we're in. We can attack the wireless clients, we could attack the access points themselves, we could attack the network infrastructure, and we can of course go after the back end.

So how hard is this to do? Realistically, you know, you're thinking of your own networks now. You're thinking of where your access points are hanging. You're thinking, okay, I would notice that somebody did this, I would notice that somebody plugged into one of my access points. But we walked around a number of institutions and found pretty much this in every place. You go down, take the elevator down to, like, lower level two, maintenance, where they're washing the sheets or something like that, and there are some access points just in some random hallway. Nobody around, nobody watching you, and you can plug right into it and do your thing. So this totally works.

Okay, now let's talk about centralized networking, a centralized wireless network, for example LWAPP. How many people here are using some sort of centralized-network LWAPP system? A lot? Hands? Nobody?
One guy, okay, great. In an LWAPP centralized network, basically what happens is that the 802.1Q trunk goes to a centralized controller in the back room somewhere, in your machine room. And then what happens is each of the access points is connected to the network using a regular access VLAN. So they boot up, and what they do is they tunnel the traffic from the wireless clients back to the wireless LAN controller. So this sounds great; this is much better. You don't have to have trunks to the access points. You can just have access VLANs. You can ACL this off, so the only thing that that network can get to is the wireless LAN controller. You have a lot more security options available to you than you did before. But you can still do all sorts of nasty things.

So what happens if we tap into this? Okay, we're going to tap in. We're going to connect our machine to this uplink port, we're going to get on the network, and in this scenario what we're going to do is launch an ARP spoofing attack against all the access points in this VLAN. Typically when this is deployed you have a wireless access point VLAN; you put a bunch of APs in it, and they're all available on that VLAN. So we can redirect the traffic from the wireless access points through our machine, dump it off to disk, and play around with it later. But I said earlier that it's tunneled, so it's not terribly useful in its native form. So this is what the data looks like if you open it up in Wireshark. Wireshark correctly identifies it as wireless LWAPP packets, but you can't really do anything with it. You can't run it through dsniff or anything like that, because it's not native packets; it's LWAPP packets with the data encapsulated inside. So that's boring. So here's the complete text of a Perl script I wrote to take that file and turn it into a regular PCAP file. So you can grab the LWAPP packets on the back end, run them through this script, get your regular PCAP on the other side, and now you actually have a PCAP of anything that the wireless
clients were doing. So if you want to copy this script, you can download the PowerPoint and copy and paste it right from there.

So I'm going to show you how this works with a voice over IP demo, and hopefully this works. So I just have a few PCAPs here that we're going to look at. So this is going to look a lot like the screenshot that you saw earlier. Wireshark, being very cool, knows what all these are; it sees them as IEEE packets. But again, you can't really do anything with them. You can't do any sort of forensics on these directly. You can't use any other PCAP tools on them. It's kind of anticlimactic. So what happens when we run it through the decoder script? I apologize for saying decryption, because it's not encrypted; it's just encapsulated. So we run it through the script, and it turns it into regular old PCAP files. So now we have direct packet dumps of whatever the wireless client was doing. In this case, it was a wireless IP phone that we grabbed the data from. Scroll down here to the bottom, we'll see... and there are other clients associated on here at the same time. You see some random broadcasts and whatnot. Wireshark, being very cool, knows all about RTP, so we can ask it to analyze that for us. If anybody was at our ShmooCon presentation last year, you've already seen this, when we were talking about attacking Vonage adapters. So apologies if this is the second time for some of you seeing this. So like I said, Wireshark is very cool. You can pull these audio streams out, and we can save the payload out. And hopefully this works.

"Hospital operator, how may I direct your call?"
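Added example, not from the talk and not the speaker's Perl script (which is only in the slides): a Python decapsulator that does the same job for a capture taken on the AP VLAN, stripping the LWAPP data encapsulation so the inner 802.11 frames land in a plain pcap that Wireshark, dsniff and friends can read. It assumes Layer-3 LWAPP carried in UDP (data tunnel port 12222), classic pcap files rather than pcapng, Ethernet on the capture side, no IP options, and no LWAPP fragmentation; the 6-byte LWAPP header layout (flags, fragment ID, payload length, status/WLANs) follows RFC 5412. Control messages (C flag) and fragments (F flag) are dropped rather than reassembled. The two-packet sample capture is constructed inline for the example.

```python
"""Strip LWAPP data encapsulation from a capture so the inner 802.11 frames can
be fed to ordinary pcap tools. Added example; it is not the talk's Perl script.
Assumptions: Layer-3 LWAPP in UDP (data port 12222), classic pcap (not pcapng),
Ethernet input, no IP options, no LWAPP fragmentation (fragments and control
messages are skipped, not reassembled)."""
import struct

LWAPP_DATA_PORT = 12222        # assumption: LWAPP data tunnel UDP port
LINKTYPE_ETHERNET = 1
LINKTYPE_IEEE802_11 = 105      # pcap link type for raw 802.11 frames
PCAP_MAGIC = 0xA1B2C3D4
LWAPP_C, LWAPP_F = 0x04, 0x02  # flag bits: C = control message, F = fragment


def build_pcap(linktype, frames):
    """Serialise frames into a classic (libpcap) capture, little-endian."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for i, frame in enumerate(frames):   # made-up timestamps, one second apart
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data):
    """Return (linktype, [frame bytes]) from a classic pcap of either endianness."""
    for endian in ("<", ">"):
        if struct.unpack_from(endian + "I", data, 0)[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a classic pcap file (pcapng is not supported)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    frames, off = [], 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frames.append(data[off:off + incl])
        off += incl
    return linktype, frames


def lwapp_payload(frame):
    """Return the 802.11 frame carried by one LWAPP data packet, or None.
    Walks Ethernet -> IPv4 -> UDP -> LWAPP and checks each layer; the LWAPP
    header is flags(1) frag_id(1) length(2) status(2), then the wireless frame."""
    if len(frame) < 14 + 20 + 8 + 6:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:        # IPv4 only
        return None
    if frame[14] >> 4 != 4 or frame[23] != 17:                  # v4 header, UDP
        return None
    udp = 14 + (frame[14] & 0x0F) * 4
    sport, dport = struct.unpack_from("!HH", frame, udp)
    if LWAPP_DATA_PORT not in (sport, dport):                   # either direction
        return None
    lw = udp + 8
    flags, _frag, length, _status = struct.unpack_from("!BBHH", frame, lw)
    if flags & (LWAPP_C | LWAPP_F):      # control message or fragment: skip
        return None
    payload = frame[lw + 6:lw + 6 + length]
    return payload if len(payload) == length else None          # drop truncated


def decap(pcap_bytes, swap_fc=False):
    """Rewrite an Ethernet capture of LWAPP traffic as a raw 802.11 capture.
    swap_fc: set if the decoded frames show nonsense frame types; some AP
    firmware sends the two Frame Control bytes swapped (Wireshark's LWAPP
    dissector has a preference for exactly this case)."""
    linktype, frames = parse_pcap(pcap_bytes)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected an Ethernet (linktype 1) capture")
    wifi = []
    for f in frames:
        p = lwapp_payload(f)
        if p is None:
            continue
        if swap_fc:
            p = bytes((p[1], p[0])) + p[2:]
        wifi.append(p)
    return build_pcap(LINKTYPE_IEEE802_11, wifi)


def constructed_sample():
    """Two-packet Ethernet capture made up for this example: one LWAPP data
    packet wrapping an 802.11 data frame, plus an ARP frame that must be
    ignored. Addresses and the frame body are invented."""
    dot11 = (b"\x08\x01\x00\x00"                          # FC: data, ToDS; duration
             + bytes.fromhex("00112233445566778899aabbccddeeff0011")  # addr1..3
             + b"\x10\x00"                                 # sequence control
             + b"Hospital operator, how may I direct your call?")  # stand-in body
    lwapp = struct.pack("!BBHH", 0, 0, len(dot11), 0) + dot11
    udp = struct.pack("!HHHH", 40001, LWAPP_DATA_PORT, 8 + len(lwapp), 0) + lwapp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 50]), bytes([10, 0, 0, 1])) + udp
    eth = bytes.fromhex("00c0ffee0001" "00deadbeef01") + b"\x08\x00" + ip
    arp = bytes.fromhex("ffffffffffff" "00deadbeef01") + b"\x08\x06" + bytes(28)
    return build_pcap(LINKTYPE_ETHERNET, [eth, arp])


if __name__ == "__main__":               # usage: decap.py captured.pcap wifi.pcap
    import sys
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    with open(sys.argv[2], "wb") as f:
        f.write(decap(data))
```

The output file carries link type 105 (raw 802.11), so the usual 802.11 dissectors and the RTP analysis the demo relies on apply directly; if the AP sends Layer-2 LWAPP (raw Ethertype instead of UDP) this script will not see it.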
Okay, so that's just an example of your ability to completely intercept any data that's going on on the wireless side, which you've now been able to bypass. If it's a wireless phone, it's probably LEAP. You've been able to bypass LEAP just by tapping into the AP.

Question. You can't do GRE tunnels from an LWAPP access point. But if you're doing WiSM and you're booting up your APs in native LWAPP, you don't have that option. It's LWAPP; that's what you get. Yeah, so to do what you're saying, you basically have to put another device between the AP and the network, and then on the back end do the same thing again. So that's typically done if you have a remote office and you want to put up an access point; you'd have a point-to-point VPN solution in place. So you couldn't capture these off the Internet in that scenario.

Okay, so I'm going to try to do this live, and this is just sort of asking for trouble. We're going to give it a shot, because I need to do some stuff on wireless, and you guys are probably going to de-authenticate me, but we're going to try it. So here's what we're going to try. I have a test rig set up here on the bench top that gives me a tunnel from the con network back to the wireless LAN controller that I've set up in my office back in Pennsylvania. And there's an AP set up here. That AP is booted doing LWAPP the whole way back through the tunnel to the wireless LAN controller back in my office at Bucknell. And basically what we're going to do is an automated ARP spoof attack against this AP, try to collect the packets, and then while that's running, we're going to go log into an ERP system, do some sort of medical query, something similar to what might happen in a hospital, and see what happens. So nobody de-authenticate me, please.

So here's, like I already showed you, a part of the rig. What we're going to do: we have the Cisco AP on the left. That's connected to a WRT54G running OpenWrt and OpenVPN, which creates a tunnel. And then we have the attack software running on this second WRT54G, and
again, if you were at our ShmooCon talk, we talked about the SIPinator. Same software; we just gave it a different MAC address prefix to attack, but otherwise it's pretty much the same as what we did before. So we're going to try this, and let's hope it works.

Okay, so this is a serial console into the WRT54G that'll do the automated ARP spoof. So we're just going to start this up and hope it finds it. Now I've got a DHCP lease from the tunnel access point, and it's looking in the address space to see if it can find any LWAPP access points. And we found one. So it's targeting it. It's now ARP spoofing it, dumping the data to local flash, and then it updates, dumps that file to a remote host in the background.

So now you're all going to see my totally not-leet AS/400 skills. And this could be any sort of back-end system that's being used. And we're going to go run a SQL query here. And of course, in the real world you would have some sort of nice front end; you're not generally having nurses running SQL queries, but... at least in the hospitals that I've been in. Okay, so we're going to do a very efficient SQL statement here to select the records that we want and not create any undue stress on our database system. So we're going to dump every record. Okay, so this is just some fake data, of course, so I'm not actually revealing any real data. But this is really typical of what would be going on in a wireless network in a hospital: querying the back end, pulling up somebody's medical records and whatnot.

So let's see if this worked. So this is a Linux box I have back home that the files are being uploaded to. Okay, so... and yes, I am using ZMODEM. I'm going to pull that down to my local machine. And again, this is going to look a lot like what we've seen already. Just, you know, it's this LWAPP-encapsulated packet. It's not very exciting. I sure hope my session's in there. Okay, so we're going to strip this stuff out. Okay, so we got 657 packets decoded, so that's a good sign. I'm going to send that
on The decoded version down here So we can take a look at what's in there Okay, that looks a lot more like regular Apparently my machine was doing something there I was doing this Okay, so there's the TCP stream Anybody know why I can't read that Any 400 people in the room? What's that? Episodic, all right If I had a prize I'd give it to you So the bit order is all wrong, of course So we just switched it around But there you go So good example of, you know Data being leaked out from a completely HIPAA compliant facility And that would work pretty much everywhere If you can get physical access To one of the APs Okay, yeah Okay, the question was When he's worked with some LWAP access points There's been some issues with Digital certificates That's true when you work with LWAP APs There is a digital certificate in place That's used to encrypt just the headers Of the packets, but the payloads are not encrypted So the control structure in LWAP is encrypted But the payload is not All right, so going back to some non-demo More PowerPoint-ish stuff here So people are starting to notice That there's a problem with HIPAA There's a problem with medical identity Information leaking and getting out So here's some information From a Harris survey Approximately nine million Americans Believe that they or a family member Have had medical information lost or stolen And 69% of those same people polled Have heard of a specific incident Involving medical record leaking Or being stolen The graph here shows the HIPAA complaints That come into Health and Human Services For 2008, and you can see That's definitely trending up So we talked earlier about the 59 breaches I want to talk a little bit about some of the specifics So this map shows where those 59 breaches occurred And you can see this is not specifically A big city problem This was happening all over the country And big cities, small towns Wherever medical information is being stored That's what makes it a little more unique Than 
like PCI is that PCI, you generally find that People who are processing credit card numbers Are more concentrated in certain areas But turns out people everywhere need to go to the doctor So this is going to happen Violations The question was, is there any way to look up Violations about a particular practitioner I haven't found anything, but I don't know You would think it would be public information But I haven't seen anything on it That would be nice So I want to look at a couple of these And take a look and see what's actually Been going on with these breaches This is a pretty good one In April at the UCL Medical Center An employee was fired And then later charged For snooping through the medical records Of a number of celebrities Including Britney Spears, Farrah Fawcett And Maria Shriver There were 33 celebrities involved They only ever released those three names And basically she was accused Of selling that to a national media outlet They never said who it was But coincidentally the next day There was an item in the National Enquirer About Farrah Fawcett's cancer coming back So you can piece that together for yourself What's interesting about this case Is that she was actually charged under HIPAA For accessing medical records With the intent to sell them for you know Evil doing, and that carries a pretty heavy Penalty, it's up to 10 years in prison And $250,000 in fines But what's interesting is that the hospital Who allowed this low level like front desk Employee complete access to their database Faced no penalties whatsoever Question The question was have I seen anything Where HIPAA compliance shields someone From litigation I haven't seen that yet but I bet That would work Because this is all they're required to do Under the law so they can't really be held Unless it's like they're grossly negligent Or something like that but if they're Compliant that's all the law says they have to be So I'm going to hold these questions to the end Because we're kind of 
running out of time Okay Here's another case, this is kind of interesting Some poor cis admin whose job involved Taking the backup tapes home And had the tapes stolen out of his Minivan parked in his driveway And it was a full backup of the ERP system And it contained all the medical records About on 365,000 patients So that was a big deal But the theory is that whoever Stole it was just looking to steal His laptop for drug money And there were no incidents of this information Being used inappropriately So most likely it wasn't leaked It wasn't used for identity theft Financial or medical However, this is the first case where Health and human services actually find A hospital, find a health care system And it wasn't actually a fine, they called it An agreement and they got Their agreement was to pay $100,000 And to change their policies And procedures to prevent this from happening again Health care system of course said Accepted no wrongdoing for this And said well it was an unfortunate Accident And this one is one of my favorites This is real medical identity theft This woman was Arrested for receiving nearly $180,000 worth of medical care And prescription drugs by Impersonating someone else By using her Medicare insurance cards And what not It was a low-level, low-tech attack She was living with this woman at the homeless shelter And just stole her medical information Out of her wallet or whatever it was But what interested me in this Was the amount of money this one person Was able to get from one record So if you're thinking of organized crime Looking for new sources of revenue If one inept person can get $180,000 worth of oxy-cotton Out of one medical ID Then I think this is something that we're really Already worried about And there's a great quote here too That she became skillful at presenting Doctors with symptoms that would lead it That would result in prescriptions for narcotics So she knew how to go in and Make them give her prescriptions Alright, so 
we're Rapidly running out of time here So now what can we do to make this Better? So I think We've pretty well established that the current rules under HIPAA Are insufficient. The breaches Are still too easy, even in a HIPAA compliant environment We've already talked about that The emphasis that the health care Providers are putting is on Compliance, not on security They're doing this because they have to Not because they want to Okay So obviously there's too many addressable Imimitation specifics. The health care providers Can come up with whatever they want In order to meet The requirements and They can just decide not to meet The ones that aren't even required So there's a lot of play there And they can do pretty much whatever they want When it comes to these things Way too much emphasis on the phrase Of reasonable and appropriate Again giving the end user The entity, health care provider Community The job of figuring out what it means For them to be compliant And of course there are not enough details In the implementation specifics So even if encryption was required Which is not, we don't even tell you What kind of encryption to use To read through some of the federal register stuff There's a lot of talking there about Why they didn't want to do that That they need to be technology neutral They don't want to specify any particular implementations They won't even go as far to say Yes or something like that So there's absolutely nothing in there So what's happening What's happening is really interesting We're kind of coming full circle HIPAA came in to address the fact that There was no central clearing house Of okay this is what it means to be secure So HIPAA comes in place says we're going to be These are the new rules We're all HIPAA compliant But a lot of states are realizing That that's not enough now they're coming up with their own laws So we're kind of back to where we started You have a different set of requirements Than if you're in another state So 
this is just in 2007 There were over 250 health information Technology bills introduced 74 of them passed So it's going to get even more scattered Than things are now Trade groups are lobbying For increased legislation Obviously they probably just want to sell more hardware But they're still lobbying for it Alright so That's my talk We probably have like one minute now And then we'll be somewhere I don't know where we're going to be for the Q&A But we'll take some questions Oh yeah tons of them Yeah a lot of breaches happen at the third party Definitely smaller entities or even larger entities Are outsourcing their processing And then the guy who loses the tapes Happens to work for the third party Instead of for the hospital Yeah if you look through the slides If you want to look at the references on the page And you actually get the full details Of all the breaches that we talked about today One Just that Providence was the only one that I know about Yeah If you look through the details A lot of them will, the details of the complaints Most of the resolutions say We talked to the provider and they're going to change Their practice and they're not being fined Not until we told them No The gentleman standing up I hadn't thought of checking Google Yes sir Okay we're getting booted out So we're going to go over to room 106 Anybody who wants to Ask us further questions Tell us they don't like our presentation We'll be over room 106