Stolen EHR Charts Sell for $50 Each on Black Market

April 28, 2014

Physicians can expect criminals to increasingly target their electronic health records (EHRs) for patient information that they can sell on the black market for $50 per chart, warns the FBI.

The agency's Cyber Division issued a memo earlier this month forecasting what already has become apparent with every hacked hospital Web site and stolen physician laptop — criminals see a golden opportunity in healthcare information technology. It's an opportunity born of the mandatory shift to EHRs, laxer safeguards in healthcare compared with those in the retail and financial sectors, and "a higher financial pay-out for medical records in the black market," according to the FBI.

The proliferation of EHR systems coupled with more and more medical devices connected to the Internet, the FBI said, "is generating a rich new environment for cyber criminals to exploit."

The federal program to encourage "meaningful use" of EHRs with bonuses and penalties has contributed to this state of vulnerability, said Steven Waldren, MD, an information technology expert and senior strategist with the American Academy of Family Physicians (AAFP).

The meaningful-use program, Dr. Waldren told Medscape Medical News, has pushed some medical practices to implement EHRs even though they weren't exactly ready to. "You have more naïve organizations from a technical standpoint adopting these things," said Dr. Waldren. And that naïveté extends to protecting patient information.

The organizations most vulnerable to hackers and identity thieves, added Dr. Waldren, are small physician practices and small community hospitals with scarcely any money to make the investments in data security that large hospital systems do.

Healthcare IT Professionals Overconfident About Defenses

The FBI memo is largely a compilation of findings from three information technology firms — EMC, the SANS Institute, and the Ponemon Institute, the latter two specializing in data security.

Citing a SANS Institute report released in February, the FBI stated that the healthcare industry "is poorly protected and ill-equipped to handle new cyber threats exposing patient records, billing and payment organizations, and intellectual property." Almost all things digital in healthcare are getting compromised — radiology imaging software, medical devices, faxes, printers, virtual private networks, and routers. To make matters worse, healthcare information technology (IT) professionals believe that their defenses are adequate "when clearly the data states otherwise."

A 2013 report from the Ponemon Institute describes how extensive cyber crime in healthcare has become. Sixty-three percent of healthcare organizations surveyed by the organization experienced a data breach in the previous two years, with most of them resulting in stolen "information assets," according to the FBI.

How much those assets are worth is detailed in a 2013 report issued by EMC. A stolen credit card or Social Security card sells for $1 on the black market, but just a portion of a patient's EHR goes for $50, according to EMC, which attributes the information to the World Privacy Forum. Identity thieves can use patient data to obtain free medical care, including prescription drugs, or open new credit accounts, said EMC. They also can use pilfered information about a physician to file bogus insurance claims.

Doable Defenses

Physicians aren't helpless in the face of data thieves. The AAFP's Dr. Waldren recommends protective measures that are doable even in a solo practice.

  • Keep your software up to date and install all security "patches" offered by the vendor. "They plug holes that hackers can exploit to get into a system," said Dr. Waldren.

  • Install only those applications on office computers that are needed to operate the practice. Letting an employee install an "instant messenger" program on his or her computer is asking for hacker trouble.

  • Likewise, restrict the kinds of Web sites that employees can visit on company computers. Some sleazy sites are engineered to let hackers enter the practice's system.

  • Talk to your EHR and billing software vendors about encrypting data on laptops, smartphones, and other mobile devices.

  • Don't forget to establish rules for physically securing mobile devices as well. A laptop sitting on the backseat of a car invites a break-in. Why not put it in the trunk?

  • Also ask your software vendors about the best practices that they recommend for customers. What's their advice on operating a wireless network in the office, for example?

  • If you have an EHR that runs on a client-server network in your office, consider switching to an online, cloud-based system. "Having the server in the office pushes security requirements to the end user," said Dr. Waldren. Because the remote server of a cloud-based EHR system stores patient data from multiple medical practices, it may appear to be a more tempting target for hackers, but a large vendor has more resources to protect those assets than a single medical practice tending an office server, he said.
