This review is marked by a letter of thanks from the Ministry of Health of the Russian Federation (see the screenshot under the spoiler).
How common are medical information systems in Russia?
In 2006, Siberia Informatics (an IT company specializing in the development of medical information systems) reported [38]: “MIT Technology Review periodically publishes a traditional list of ten promising information and communication technologies that in the near future will have the greatest impact on human society. In 2006, 6 out of 10 positions in this list were occupied by technologies that are somehow related to medicine. The year 2007 was declared in Russia ‘the year of informatization of public health’. From 2007 to 2017, the dependence of health care on information and communication technologies has been constantly increasing.”
On September 10, 2012, the Open Systems Information and Analytical Center reported [41] that in 2012, 350 polyclinics in Moscow were connected to EMIAS (the unified medical information and analytical system). A little later, on October 24, 2012, the same source reported [42] that at that time 3.8 thousand doctors had automated workstations, and 1.8 million citizens had already tried the EMIAS service. On May 12, 2015, the same source reported [40] that EMIAS operated in all 660 public polyclinics in Moscow and contained data on more than 7 million patients.
On June 25, 2016, Profil magazine published [43] an expert opinion from the PwC International Analytical Center: “Moscow is the only metropolis where a unified management system for urban polyclinics is fully implemented, while in other cities of the world, including New York and London, such a solution is only under discussion.” Profil also reported that as of July 25, 2016, 75% of Muscovites (about 9 million people) were registered with EMIAS, with more than 20 thousand doctors working in the system; since the launch of the system, more than 240 million appointments with doctors had been made; and more than 500 thousand different operations were performed in the system daily. On February 10, 2017, Echo of Moscow reported [39] that at that time more than 97% of medical visits in Moscow were made by prior appointment through EMIAS.
On July 19, 2016, Veronika Skvortsova, Minister of Health of the Russian Federation, stated [11] that by the end of 2018, 95% of the country's medical centers will be connected to the unified public health information system (EGISZ) through the introduction of a single electronic medical card. The relevant law, which obliges the Russian regions to connect to the system, has passed public discussion, has been agreed with all interested federal bodies and will go to the government in the near future. Veronika Skvortsova reported that 83 regions have set up electronic booking of appointments with a doctor; 66 federal subjects have implemented a unified regional ambulance dispatching system; and medical information systems operate in 81 regions of the country, with 57% of physicians' workstations connected to them. [11]
Can you tell us more about the unified public health information system (EGISZ)?
EGISZ is the root of all domestic MIS (medical information systems). It consists of regional fragments, the RISOZ (regional health information management systems). EMIAS, already mentioned above, is one instance of a RISOZ (the best known and most promising). [51] As explained [56] by the editorial board of the Director of Information Services magazine, EGISZ is a cloud-based IT infrastructure whose regional segments are being created by research centers in Kaliningrad, Kostroma, Novosibirsk, Oryol, Saratov, Tomsk and other cities of the Russian Federation.
The task of EGISZ is to eradicate the “patchwork informatization” of healthcare by joining together the MIS of various departments, each of which, prior to the introduction of EGISZ, used its own custom-made software without any unified centralized standards. [54] Since 2008, the unified health information space of the Russian Federation has been based on 26 industry-specific IT standards [50], 20 of which are international.
The work of medical centers largely depends on an MIS such as OpenEMR or EMIAS. An MIS stores patient information: diagnostic results, data on prescribed drugs, medical history, etc. The most common components of an MIS (as of March 30, 2017) are: EHR (Electronic Health Records), a system for maintaining electronic medical records that stores patient data in a structured form and keeps a record of the patient's medical history; NAS (Network Attached Storage), network storage; DICOM (Digital Imaging and Communications in Medicine), a standard for creating and exchanging digital images in medicine; and PACS (Picture Archiving and Communication System), an image storage and sharing system that operates in accordance with the DICOM standard. PACS creates, stores and visualizes medical images and documents of examined patients, and is the most common of the DICOM systems. [3] All these systems are vulnerable to carefully engineered cyber attacks, the details of which are publicly available.
In 2015, P.S. Zhilyaev, T.I. Goryunova and K.I. Volodin, technical experts of the Penza State Technological University, reported [57] in their article on cybersecurity in the medical sector that EMIAS includes: 1) CPMM (integrated medical electronic card); 2) a citywide patient register; 3) a patient flow management system; 4) an integrated medical information system; 5) a consolidated management accounting system; 6) a system of personalized registration of medical care; 7) a medical register management system. As for the CPMM, according to the report [39] of Radio Ekho Moskvy (February 10, 2017), this subsystem is based on the best practices of the OpenEHR standard, the most advanced technology, to which technologically developed countries are gradually moving.
The editors of Computerworld Russia also explained [41] that in addition to integrating all these services with each other and with the MIS of medical facilities, EMIAS is also integrated with the EGIS-Zdrav federal software (EGIS stands for the unified state information system) and with government systems, including public services portals. A little later, on July 25, 2016, the editors of Profil magazine clarified [43] that EMIAS currently combines several services: a situational center, an electronic registry, an EHR, electronic prescriptions, disability sheets, a laboratory service and personalized accounting.
On April 7, 2016, the editorial staff of the Director of Information Services magazine [59] reported that EMIAS had arrived at pharmacies. In all Moscow pharmacies selling drugs on preferential prescriptions, an “automated drug management system for the population” has been launched - M-Pharmacy.
On January 19, 2017, the same source reported [58] that in 2015 the introduction of the Unified Radiological Information Service (ERIS), integrated with EMIAS, began in Moscow. For doctors who refer patients for diagnostics, flow charts for X-ray, ultrasound, CT and MRI studies have been developed and integrated with EMIAS. As the project expands, it is planned to connect hospitals, with their numerous pieces of equipment, to the service. Many hospitals have their own MIS, which will also have to be integrated. The editorial staff of Profil also notes that, seeing the positive experience of the capital, the regions are also becoming interested in implementing EMIAS.
Can you elaborate on the technical features of domestic medical information systems?
The information for this paragraph is taken from an analytical review [49] by Siberia Informatics. About 70% of medical information systems are built on relational databases. In 1999, 47% of medical information systems used local (desktop) databases, and in most cases these were dBase tables. This approach is characteristic of the initial period of development of software for medicine and the creation of highly specialized products.
Every year the number of domestic systems based on desktop databases decreases. In 2003, this figure was already only 4%. Today, almost no developers use dBase tables. Some software products use their own database format; these are often used in electronic pharmacological reference books. Currently, the domestic market even has a medical information system built on its own client-server database: e-Hospital. It is difficult to imagine objective reasons for such decisions.
When developing domestic medical information systems, the following DBMSs are mainly used: Microsoft SQL Server (52.18%), Cache (17.4%), Oracle (13%), Borland Interbase Server (13%), Lotus Notes / Domino (13%). For comparison: if you analyze all the medical software using the client-server architecture, the share of Microsoft SQL Server DBMS will be 64%. Many developers (17.4%) allow using several DBMS, most often it is a combination of Microsoft SQL Server and Oracle. Two systems (IS Kondopoga [44] and Paracelsus-A [45]) use several DBMS simultaneously. All used DBMS are divided into two fundamentally different types: relational and post-relational (object-oriented). Today, 70% of domestic medical information systems are built on relational databases, and 30% on post-relational ones.
A variety of programming tools are used in the development of medical information systems. For example, DOCA + [47] is written in PHP and JavaScript. E-Hospital [48] was developed in the Microsoft Visual C++ environment, and Amulet in the Microsoft Visual .NET environment. “InfoMed” [46], running under Windows (98 / Me / NT / 2000 / XP), has a two-tier client-server architecture; the client part is implemented in the Delphi programming language; the server part is managed by the Oracle DBMS.
Approximately 40% of developers use built-in tools. As a report editor, 42% use their own developments and 23% use tools embedded in the database. 50% of developers use Visual Source Safe to automate the design and testing of software code. For creating documentation, 85% of developers use Microsoft products: the Word word processor or, as the creators of e-Hospital do, the Microsoft Help Workshop.
In 2015, T.Yu. Ageenko and A. Andrianov, technical experts of the Moscow Institute of Technology, published an article [55] in which they described in detail the hospital automated information system (GAIS), including the typical network infrastructure of a medical institution and the pressing problems of ensuring its cybersecurity. The GAIS is a secure network through which EMIAS, the most promising of the Russian MIS, operates.
Siberia Informatics asserts [53] that the two most authoritative research centers involved in the development of MIS are the Institute of Software Systems of the Russian Academy of Sciences (located in the ancient Russian city of Pereslavl-Zalessky) and the non-profit organization “Foundation for the Development and Provision of Specialized Medical Aid 168” (located in Akademgorodok in the city of Novosibirsk). Siberia Informatics itself, which can also be included in this list, is located in the city of Omsk.
What is the situation with the cyber security of the domestic EMIAS system?
On February 10, 2017, Vladimir Makarov, curator of the EMIAS project, in an interview for Ekho Moskvy radio, shared the idea [39] that there is no absolute cybersecurity: “There is always the risk of data leakage. It is necessary to get used to the fact that the result of the use of any modern technology is that everything about you can become known. Electronic mailboxes are being opened even by top state officials.” In this regard, we can mention the recent incident in which the e-mail of about 90 members of the UK Parliament was compromised.
On May 12, 2015, the Moscow Department of Information Technology described [40] four key points of the ISIC (integrated information security system) for EMIAS: 1) physical protection: data is stored on modern servers located in underground rooms, access to which is strictly regulated; 2) software protection: data is transmitted in encrypted form via secure communication channels; in addition, information on only one patient can be received at a time; 3) authorized access to data: the doctor is identified by a personalized smart card; for the patient, two-factor identification by OMS (mandatory medical insurance) policy and date of birth is provided; 4) medical and personal data are stored separately, in two different databases, which additionally ensures their safety: EMIAS servers accumulate medical information in an impersonal form (visits to the doctor, appointments, disability sheets, referrals, prescriptions and other details), while personal data (the OMS policy number, last name, first name, patronymic, gender and date of birth) is held in the databases of the Moscow City Mandatory Medical Insurance Fund; the data from these two databases is brought together visually only on the doctor's monitor, after the doctor has been identified.
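The separation described in point 4, sketched as an added example (this is not EMIAS code and does not come from the cited sources): personal data and clinical events live in separate stores and are joined only for a request that carries a valid doctor card. The class names, the HMAC-based pseudonym, the card IDs and the sample records are assumptions made for illustration; the `relinkable` helper shows why the link between the two stores should be keyed rather than a plain hash of the policy number.

```python
import hashlib
import hmac
import secrets


class AccessDenied(Exception):
    """Raised when a workstation request lacks a valid doctor smart card."""


class PersonalRegistry:
    """Stand-in for the insurance fund database: identity data only."""

    def __init__(self, linking_key):
        self._key = linking_key      # secret; never stored with clinical data
        self._people = {}            # policy number -> personal data

    def register(self, policy_no, name, birth_date):
        self._people[policy_no] = {"name": name, "birth_date": birth_date}

    def lookup(self, policy_no):
        return self._people.get(policy_no)

    def pseudonym(self, policy_no):
        # Keyed (HMAC) pseudonym: cannot be recomputed without the key.
        return hmac.new(self._key, policy_no.encode(), hashlib.sha256).hexdigest()


class ClinicalStore:
    """Stand-in for the medical database: events keyed by pseudonym only."""

    def __init__(self):
        self._events = {}

    def add_event(self, pseudonym, event):
        self._events.setdefault(pseudonym, []).append(event)

    def events_for(self, pseudonym):
        return list(self._events.get(pseudonym, []))

    def dump(self):
        # What a copy of this database alone would contain.
        return {p: list(ev) for p, ev in self._events.items()}


class Workstation:
    """Joins the two stores only for an identified doctor, and logs each join."""

    def __init__(self, registry, clinical, valid_cards):
        self._registry, self._clinical = registry, clinical
        self._valid_cards = set(valid_cards)
        self.audit_log = []

    def patient_view(self, card_id, policy_no):
        if card_id not in self._valid_cards:
            self.audit_log.append(("DENY", card_id))
            raise AccessDenied(card_id)
        person = self._registry.lookup(policy_no)
        if person is None:
            raise KeyError("unknown policy number")
        pseudonym = self._registry.pseudonym(policy_no)
        self.audit_log.append(("VIEW", card_id, pseudonym))
        return {**person, "events": self._clinical.events_for(pseudonym)}


def unkeyed_pseudonym(policy_no):
    # Weak variant for comparison: a plain hash of a guessable identifier.
    return hashlib.sha256(policy_no.encode()).hexdigest()


def relinkable(pseudonyms, candidate_policy_numbers, pseudonym_fn):
    """Count stored pseudonyms that match a hash of some candidate number."""
    guesses = {pseudonym_fn(c) for c in candidate_policy_numbers}
    return len(guesses & set(pseudonyms))


def build_demo():
    registry = PersonalRegistry(secrets.token_bytes(32))
    clinical = ClinicalStore()
    # Constructed sample data (policy numbers, names and events are made up).
    registry.register("POL-0001", "Ivanov Ivan Ivanovich", "1980-01-15")
    registry.register("POL-0002", "Petrova Anna Sergeevna", "1975-06-30")
    clinical.add_event(registry.pseudonym("POL-0001"), "2017-03-01 visit: therapist")
    clinical.add_event(registry.pseudonym("POL-0002"), "2017-03-02 prescription issued")
    station = Workstation(registry, clinical, valid_cards={"CARD-0042"})
    return registry, clinical, station


if __name__ == "__main__":
    registry, clinical, station = build_demo()
    print(station.patient_view("CARD-0042", "POL-0001"))
    print(clinical.dump())
```

A copy of the clinical store alone carries no names or policy numbers, and the audit log records every join as well as every denied attempt.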
However, despite the seeming impregnability of such EMIAS protection, modern cyber-attack technologies, the details of which are publicly available, make it possible to break even such protection. See, for example, a description of the attack on the new Microsoft Edge browser, carried out with no program errors present and with all available defenses active. [62] In addition, the absence of errors in program code is in itself a utopia. Read more about this in the presentation “Dirty secrets of cyber defenses.” [63]
On June 27, 2017, the Invitro Clinic, due to large-scale cyber attacks, suspended the collection of biomaterial and the issuance of test results in Russia, Belarus and Kazakhstan. [64]
On May 12, 2017, Kaspersky Lab recorded [60] 45 thousand successful cyber attacks by the WannaCry ransomware in 74 countries; most of these attacks took place in Russia. Three days later (May 15, 2017), the antivirus company Avast recorded [61] 200 thousand cyber attacks by WannaCry and reported that more than half of them occurred in Russia. BBC News reported (May 13, 2017) that in Russia the victims of the virus included, among others, the Ministry of Health, the Ministry of Internal Affairs, the Central Bank and the Investigative Committee. [61]
However, the press centers of these and other Russian departments unanimously claim that the WannaCry cyber attacks, although they did take place, were not successful. Most Russian-language publications about the deplorable incidents with WannaCry that mention one Russian department or another hurriedly add something like: "But according to official data, no damage was caused." The Western press, on the other hand, is confident that the consequences of the WannaCry cyber attack are more tangible than the Russian-language press presents them. The Western press is so sure of this that it has even cleared Russia of suspicion of involvement in this cyber attack. Which to trust more, the Western or the domestic media, is a personal matter. It should be borne in mind that both sides have their own motives for exaggerating or playing down the facts.
What is the situation with the cybersecurity of medical information systems - in numbers?
On June 1, 2017, Rebecca Weintraub (head doctor of Brigham and Women's Hospital, with a doctoral degree) and Joram Borenstein (cybersecurity engineer) stated [18] in their joint article in the Harvard Business Review that the digital era has greatly simplified the collection of medical data and the exchange of medical cards between different medical centers: today, patients' medical records have become mobile and portable. However, medical centers have to pay for this convenience with serious cybersecurity risks.
On March 3, 2017, the SmartBrief news agency reported [24] that in the first two months of 2017 about 250 cybersecurity incidents occurred, which resulted in more than a million confidential records being stolen. 50% of these incidents were in small and medium businesses (not including the health sector). About 30% were in the health sector. A little later, on March 16, the same agency reported [22] that so far in 2017 the medical sector leads in the number of cybersecurity incidents.
On January 17, 2013, Michael Greg, the head of the Thoughtful Solutions consulting firm specializing in cybersecurity, reported [21] that in 2012, 94% of medical centers were victims of confidential information leaks. This is 65% more than in 2010-2011. Worse, 45% of medical centers reported that over time the scale of confidential information leaks is becoming more serious, and admitted that they had more than five such serious leaks in the period 2012-2013. Fewer than half of medical centers are confident that such leaks can be prevented, or at least detected once they have occurred.
Michael Greg also reported [21] that in the period 2010-2012, in just three years, more than 20 million patients became victims of theft of EHRs, which contain sensitive confidential information: diagnoses, medical procedures, payment information, details of insurance coverage, social security numbers and more. A cybercriminal who has stolen an EHR can use the information gathered from it in a wide variety of ways (see the paragraph “How are the thefts of social security numbers related to the criminal document fraud industry?”). However, despite all this, EHR protection in medical centers is often far weaker than the protection of personal e-mail.
On September 2, 2014, MIT Orkut, a technical expert at MIT, stated [10] that ransomware incidents become more frequent each year. In 2014, there were 600% more incidents than in 2013. In addition, the US FBI reported [26] that in 2016 there were more than 4,000 cases of digital extortion every day, four times more than in 2015. It is not only the rising number of ransomware infections that is alarming; the gradual growth of targeted attacks is alarming as well. The most frequent targets of such attacks are financial institutions, retail and medical centers.
On May 19, 2017, the BBC News Agency published [23] a Verizon report for 2017, according to which 72% of ransomware incidents occur in the medical sector. Moreover, over the past 12 months, the number of such incidents has increased by 50%.
On June 1, 2017, the Harvard Business Review published [18] a report provided by the US Department of Health and Human Services, which stated that in 2015 more than 113 million EHRs were stolen, and in 2016 more than 16 million. Although 2016 shows a sharp decline in the number of incidents compared with the previous year, the overall trend is still upward. In early 2017, the analytical center Experian stated [27] that healthcare is today the most sought-after target of cybercriminals.
The leakage of patient data in medical systems is gradually moving [37] into the category of the most pressing health problems. Thus, according to InfoWatch, over the past two years (2005-2006), every other medical organization has leaked patient information. At the same time, 60% of data leaks do not occur through communication channels, but through specific people who take confidential information outside the organization. Only 40% of information leaks occur for technical reasons. The weakest link [36] in the cybersecurity of medical information systems is people. Huge funds can be spent on building protection systems, and a low-paid employee will sell information for a thousandth of this value.
Can computer viruses infect medical equipment?
On October 17, 2012, David Talbot, a technical expert at MIT, said [1] that medical equipment used inside medical centers is becoming increasingly computerized, more intelligent and more flexible to reprogram, and increasingly supports working over the network. As a result, medical equipment is becoming increasingly susceptible to cyber attacks and virus infection. The problem is exacerbated by the fact that manufacturers usually do not allow their equipment to be modified, even to ensure its cybersecurity.
For example, in 2009, the Conficker network worm got into the Beth Israel Medical Center and infected part of the medical equipment, including an obstetric workstation (from Philips) and an X-ray workstation (from General Electric). In order to prevent similar incidents in the future, John Halamka, the IT director of this medical center and part-time professor at the Harvard School of Medicine with a doctoral degree, decided to disable the network support function on this equipment. However, he was faced with the fact that the equipment "cannot be updated due to regulatory restrictions." It took significant effort to coordinate with manufacturers to disable network capabilities. However, disconnecting from the network is not an ideal solution, especially in the context of the growing integration and interdependence of medical equipment. [1]
This concerns "smart" equipment that is used inside medical centers. But there are also wearable medical devices, which include insulin pumps and implanted pacemakers. They are increasingly subject to cyber attacks and computer viruses. [1] As an aside, it can also be noted that on May 12, 2017 (the day of the triumph of the WannaCry ransomware), a cardiac surgeon reported [28] that in the midst of his cardiac surgery several computers suffered a severe failure; fortunately, he still managed to complete the operation successfully.
How dangerous are ransomware viruses for the medical sector?
On October 3, 2016, Mohammed Ali, the head of Carbonite, a company specializing in cybersecurity solutions, explained [19] in the Harvard Business Review that a ransomware virus is a type of computer virus that blocks a user from accessing his system until a ransom is paid. The ransomware virus encrypts the hard drive, as a result of which the user loses access to the information on his computer, and demands a ransom for providing the decryption key. To avoid encounters with law enforcement, attackers use anonymous payment methods, such as Bitcoin. [19]
Mohammed Ali also reported [19] that distributors of ransomware viruses have found that the optimal ransom price when attacking ordinary citizens and small business owners is from $300 to $500. This is an amount that many are willing to part with when faced with the prospect of losing all their digital savings. [19]
On February 16, 2016, the Guardian news agency reported [13] that as a result of a ransomware infection, the medical staff at Hollywood Presbyterian Medical Center lost access to its computer systems. As a result, doctors were forced to communicate by fax, nurses to write down medical histories on old-fashioned paper medical cards, and patients to come to the hospital to collect their test results in person.
On February 17, 2016, the management of the Hollywood Presbyterian Medical Center published [30] a statement that read: “On the evening of February 5, our employees lost access to the hospital network. The malware blocked our computers and encrypted all our files. Law enforcement authorities were notified immediately. [...] 40 ($17000) [...]”
Tatyana Ivanovna, nurse: On Monday we could not see the EMC of patients and the list of receptions scheduled for today. I was on duty at the reception of applications this weekend, so on Monday, when our hospital became a victim of a cyber attack, I had to remember who exactly should come to the reception. The information systems of our hospital are blocked. We could not view medical histories, could not view the prescriptions for medicines, could not view the addresses and contact details of patients, could not fill in documents or check the test results. [5]
Evgeny Sergeevich, system administrator: Usually on Fridays after lunch we have the most visitors. So it was this Friday. The hospital was full of people, and at the reception of telephone requests 5 hospital staff were on duty, and their phones rang without ceasing. All our computer systems worked without failures, but at about 3:00 pm all computer screens turned black. Our doctors and nurses lost access to the EHR of patients, and the staff on duty at the reception of calls could not enter applications into the computer. [5]
How can cybercriminals harm a plastic surgery clinic?
According to the Guardian [6], on May 30, 2017, the Tsarskaya Guardia criminal group published confidential data of 25 thousand patients of the Lithuanian plastic surgery clinic Grozio Chirurgija, including private intimate photos taken before, during and after operations (the clinic has to store them because of the nature of its work), as well as scans of passports and social security numbers. Since the clinic has a good reputation and affordable prices, residents of 60 countries, including world-famous celebrities, use its services [7]. They are all victims of this cyber incident.
A few months earlier, having hacked into the clinic's servers and stolen data from them, the “Guardsmen” demanded a ransom of 300 bitcoins (about $800 thousand). The clinic management refused to cooperate with the “Guardsmen”, and remained unmoved even when the “Guardsmen” reduced the ransom to 50 bitcoins (about $120 thousand). [6]
Having lost hope of getting a ransom from the clinic, the “Guardsmen” decided to switch to its clients. In March, they published photographs of 150 patients of the clinic [8] on the Darknet in order to intimidate the others and make them pay up. The “Guardsmen” demanded a ransom of 50 to 2,000 euros, payable in Bitcoin, depending on the fame of the victim and the intimacy of the stolen information. The exact number of patients subjected to blackmail is not known, but several dozen victims contacted the police. Now, three months later, the “Guardsmen” have published the confidential data of another 25 thousand clients. [6]
A cybercriminal stole a medical card - how does it threaten its rightful owner?
On October 19, 2016, Adam Levin, a cybersecurity expert who heads the CyberScout research center, noted [9] that we live at a time when medical cards have come to include an alarming amount of overly intimate information: about diseases, diagnoses, treatment and health problems. Once in the wrong hands, this information can be used for profit on the Darknet black market, so cybercriminals very often choose medical centers as their target.
On September 2, 2014, MIT Orkut, a technical expert at MIT, said [10]: “While stolen credit card numbers and social security numbers are in ever-increasing demand on the black market of the Darknet, medical cards, with their rich set of personal information, fetch a good price there. This is also because they give uninsured persons the opportunity to receive medical care that they otherwise could not afford.”
A stolen medical card can be used to obtain medical care on behalf of the legal owner of this card. As a result, the medical data of its legal owner and the medical data of the thief will be mixed in the medical record. In addition, if a thief sells stolen medical records to third parties, the card may be contaminated even more. Therefore, having come to the hospital, the legal cardholder risks receiving medical care that will be based on someone else’s blood group, on someone else’s medical history, on someone else’s list of allergic reactions, etc. [9]
In addition, a thief can exhaust the insurance limit of the legal holder of a medical card, which will make it impossible for the latter to receive the necessary medical care when it is required, at the worst possible moment. After all, many insurance plans have annual restrictions on certain types of procedures and treatments. And certainly, no insurance company will pay you for two appendicitis operations. [9]
Using a stolen medical card, a thief can abuse prescriptions for drugs, at the same time depriving the rightful owner of the opportunity to obtain the necessary medicine when he needs it. After all, prescriptions for medicines are usually limited. [9]
Eliminating massive cyber attacks on credit and debit cards is not so problematic. Protection against targeted phishing attacks is a bit more problematic. However, when it comes to theft and abuse of an EHR, a crime can be almost invisible. If the fact of a crime is revealed, it is usually only in an emergency situation, when the consequences can be literally life-threatening. [9]
Why is the theft of medical cards so much in demand?
In March 2017, the Center for Combating Identity Theft reported that more than 25% of confidential data leaks came from medical centers. These leaks cause medical centers an annual loss of $ 5.6 billion. Below are several reasons why the theft of medical cards is in such increasing demand. [18]
Medical cards are the most popular product on the Darknet black market. Medical cards are sold there for $50 apiece. For comparison, credit card numbers are sold on the Darknet for $1 each, 50 times cheaper than medical cards. The demand for medical cards is also due to the fact that they are consumables in comprehensive criminal document fraud services. [18]
If the buyer of medical cards is not found, the attacker can use the medical card himself and carry out traditional theft: medical cards contain enough information to get a credit card, open a bank account or take a loan on behalf of the victim. [18]
Having a stolen medical card, cybercriminals can, for example, conduct a complex targeted phishing attack (figuratively speaking, sharpen a phishing spear), posing as a bank: “Good afternoon, we know that you are going to have an operation. Do not forget to pay for related services by clicking on this link.” And then you think: "Well, since they know that I have an operation tomorrow, surely this really is a letter from the bank." If an attacker fails to realize the potential of stolen medical cards here, he can use a ransomware virus to extort money from the medical center for restoring access to blocked systems and data. [18]
Medical centers are very slowly introducing cybersecurity methods - which have already been developed in other industries - which is quite ironic, since it is the responsibility of medical centers to ensure medical confidentiality. In addition, medical centers, as a rule, have significantly lower cyber security budgets and substantially less qualified cyber security specialists - than, for example, financial institutions. [18]
Medical IT systems are tightly tied to financial services. For example, medical centers may have flexible savings plans for contingencies, with their own payment cards or savings accounts — in which six-digit sums are stored. [18]
Many organizations collaborate with medical centers and provide their employees with an individual wellness system. This allows the attacker, by hacking medical centers, to gain access to confidential information of the medical center's corporate clients. Not to mention the fact that the employer himself can play the role of an intruder by quietly selling the medical data of his employees to third parties. [18]
Medical centers have extensive supply chains and massive lists of suppliers with whom they have established a digital connection. By hacking the medical center's IT systems, an attacker can also capture supplier systems. In addition, suppliers that are digitally connected to a medical center are in themselves a tempting entry point into the medical center's IT systems for the attacker. [18]
In other areas, protection has become very sophisticated, and therefore attackers had to master a new sector, where transactions are carried out through vulnerable equipment and vulnerable software. [18]
How are the thefts of social security numbers related to the criminal document fraud industry?
On January 30, 2015, the Tom's Guide news agency explained [31] how ordinary document forgery differs from the combined kind. In the simplest case, the fraudster simply impersonates another person, using that person's name, social security number (SSN) and other personal information. Fraud of this kind is discovered fairly quickly and easily. With the combined approach, the bad guys create a completely new identity. When forging a document, they take a real SSN and add to it pieces of personal information from several different people. This Frankenstein's monster, stitched together from the personal information of different people, is much harder to detect than a simple forgery. Since the fraudster uses only part of each victim's information, his fraudulent activity will not be linked to the legitimate owners of those fragments of personal information. For example, when reviewing the activity on their SSN, the rightful owner will not find anything suspicious there.
The bad guys can use their Frankenstein's monster to get a job or take out a loan [31], to open fictitious companies [32], and to make purchases and obtain driver's licenses and passports [34]. Moreover, even when a loan is taken out, the forgery is very hard to trace, so if bankers start an investigation, it is most likely the legitimate holder of one piece of personal information or another, rather than the creator of the Frankenstein's monster, who will be called to answer.
Unscrupulous entrepreneurs can use document forgery to defraud creditors by creating a so-called business sandwich. The essence of a business sandwich is that unscrupulous entrepreneurs create several fake identities and present them as clients of their business, thereby creating the appearance of a successful business. This makes them more attractive to lenders and lets them obtain more favorable credit terms. [33]
The theft and abuse of personal information often goes unnoticed by its rightful owner for a long time, but can cause him considerable inconvenience at the most inopportune moment. For example, the legitimate owner of an SSN may apply for social services and be refused because of excess income generated by a fabricated business sandwich that uses his SSN. [33]
From 2007 to the present, the multibillion-dollar criminal business of SSN-based document forgery has been growing in popularity [34]. Fraudsters prefer SSNs that are not actively used by their legitimate owners; these include the SSNs of children and of the deceased. According to the CBC news agency, in 2014 incidents numbered in the thousands per month, whereas in 2009 there were no more than 100 per month. The exponential growth of this type of fraud, and especially its impact on children's personal data, will have dire consequences for young people in the future. [34]
Children's SSNs are used in this fraudulent scheme 50 times more often than adults' SSNs. This interest in children's SSNs is explained by the fact that a child's SSN is generally not active until at least 18 years of age. So if the parents of minor children do not keep an eye on their children's SSNs, their child may in the future be denied a driver's license or a student loan. It can also complicate employment if information about suspicious SSN activity becomes available to a potential employer. [34]
Today there is a lot of talk about the prospects and security of artificial intelligence systems. How do things stand in the medical sector?
In the June 2017 issue of MIT Technology Review, the editor-in-chief of this magazine specializing in artificial intelligence technologies published his article “The Dark Side of Artificial Intelligence”, which answers this question in detail. Key points of the article [35]:
Modern artificial intelligence (AI) systems are so complex that even the engineers who design them cannot explain how the AI reaches a given decision. Today and for the foreseeable future, it is not possible to build an AI system that can always explain its actions. “Deep learning” technology has proved very effective at solving the pressing problems of recent years: image and voice recognition, language translation, medical applications. [35]
There are high hopes for AI in diagnosing fatal diseases and in making difficult economic decisions, and AI is also expected to become central to many other industries. However, this will not happen, or at least should not happen, until we find a way to build a deep learning system that can explain the decisions it makes. Otherwise, we will not be able to predict exactly when the system will fail, and sooner or later it definitely will. [35]
This problem is urgent now, and in the future it will only get worse, whether the decisions are economic, military or medical. Computers running the corresponding AI systems have programmed themselves, and in such a way that we have no means of understanding what they have in mind. What can be said about end users when even the engineers who design these systems cannot understand and explain their behavior? As AI systems evolve, we may soon cross the line, if we have not crossed it already, beyond which relying on AI requires a “leap of faith”. Of course, as humans, we cannot always explain our own conclusions either, and often rely on intuition. But can we allow machines to think in the same way, unpredictably and inexplicably? [35]
In 2015, Mount Sinai, a medical center in New York, was inspired to apply the concept of deep learning to its extensive database of case histories. The data structure used to train the AI system included hundreds of parameters set on the basis of test results, diagnostics and medical records. The program that processed these records was called “Deep Patient”. It was trained on the records of 700 thousand patients. When tested on new records, it proved very useful in predicting diseases. Without any interaction with an expert, “Deep Patient” found symptoms hidden in the case histories which, according to the AI, indicated that the patient was on the verge of extensive complications, including liver cancer. Various methods of prediction that use the medical records of many patients as input had been tried before, but their results do not compare with those of “Deep Patient”. In addition, there are completely unexpected achievements: “Deep Patient” is very good at predicting the onset of mental disorders such as schizophrenia. But since modern medicine does not have the tools to predict it, the question arises of how the AI managed to do this. However, “Deep Patient” is not able to explain how it does it. [35]
Ideally, such tools should explain to doctors how they arrived at a particular conclusion, in order, say, to justify the use of a particular medicine. Unfortunately, modern artificial intelligence systems cannot do this. We can create such programs, but we do not know how they work. Deep learning has brought AI systems explosive success. [35]
3 2016 , IBM Hewlett Packard, «Carbonite», , – [19] «Harvard Business Review» : « - , , CEO , . , CEO IT-. . : 1) - ; 2) ; 3) ».
On May 19, 2017, the BBC news agency reported [23] that in the UK, sales of security software rose by 25% after the WannaCry incident. However, according to Verizon, panic buying of security software is not what is needed to ensure cybersecurity; that requires proactive protection, not reactive.
P.S. Did you like this article? If so, give it a like. If the number of likes (say, 70) shows me that Habr's readers are interested in this topic, I will after a while prepare a sequel, with an overview of even more recent threats to medical information systems.
Erik Bosman, Kaveh Razavi. Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector // Proceedings of the IEEE Symposium on Security and Privacy. 2016. pp. 987-1004.
Bruce Potter. Dirty Little Secrets of Information Security // DEFCON 15. 2007.