Data manipulation heralds a new era of hacking
Here’s one of the nightmares I’ve occasionally had over the past two years: a healthcare entity gets hacked, but instead of patient data being stolen, it’s corrupted, leading to inaccurate patient medical records that result in wrong treatment or even fatal mistakes.
Has it already happened? Data corruption is a risk that has always been mentioned in the context of medical identity theft if someone else uses your identity information to obtain medical care, but I’ve never seen any public reports of patient records being maliciously corrupted by hackers. But the risk of data corruption has always been recognized, as Jason Hart writes this week on SC Magazine:
When we think of data breaches, we picture instances where a large amount of customer data has been stolen from a business or organisation, such as the recently disclosed Yahoo hack.
Whilst much of the IT security industry is focussed on preventing data theft, there’s another element that needs to be considered: data manipulation. The risks data theft poses to businesses are well understood. However, the dangers of data manipulation, where hackers damage the integrity of the data, are only just beginning to become clear, as it is harder to detect and prevent, because nothing is stolen.
So assume an entity does not know its patient records have been maliciously and intentionally corrupted. What “best practices” should entities routinely follow to determine if that’s happened? What “best practices” should entities follow to ensure that in the event that they do detect a problem, they have a clean and accurate backup? Because if you don’t know it’s happened or when it’s happened, can you even rely on your backups?
Will the next generation of ransomware be of the form, “Pay us and we’ll tell you what records we corrupted or restore your clean files, and if you don’t pay us, you may not know what patients have had their records altered.” ?
Like I said, it’s one of my nightmares – not as a healthcare professional, because I don’t prescribe or have responsibility for life or death medical decisions – but as a member of the public who relies on doctors having her and her family’s accurate medical records.