This transcript is automatically generated
It's worth more to criminals than your Social Security number or your credit card.
And in many cases it's less secure.
I'm talking about your medical records. We wanted to find out just how easy it was for the bad guys to steal your medical data, so we decided to try it ourselves. The results were shocking.
I sat down with cyber security expert Chris why so -- And with nothing more than -- laptop and an Internet connection, we were able to access a vast trove of personal information.
So Chris, I know that people have been stealing things off of the Internet forever, but now you're saying that they're stealing medical records. What is it they're getting?
That's right. Credit card information, that song for a while, financial information, but health records are turning out to be extremely valuable on the black market, because a great information is in there for criminals and identity theft: Social Security numbers, did -- birth, your name, your address, financial information.
It's a gold mine for criminals.
The numbers that are out there in the public purview: 92% of health care systems have been breached, compromised in some way. That seems like, that's a lot.
Yeah, that's, yes -- the Health and Human Services tracks breaches under the -- Act, and 92% of the organizations that are out there that we've surveyed have had to report a breach to Health and Human Services.
Chris, where's this information stored?
So the information is stored on -- server. It could be
-- simply just a machine and if someone's desk at a small. Or it could be, you know, any data center of a major hospital that's -- store. But the key is -- systems are connected to the Internet, because the information has to go from one organization for -- another and remote employees have to access the state.
US access to it. It's supposed to be your health care providers, your doctor, your nurses, the other clinicians that did that take care of you.
The problem is, once these systems are connected to the Internet and there are vulnerabilities in the systems, that means that attackers over the Internet can get access of this -- --
So aren't these systems supposed to be secure? I mean, as a patient I wanna think that my information isn't being stolen left, right, center.
Well, there's a law called HIPAA, which is to protect your medical privacy -- the law says that anyone who can -- is your medical information has to protect -- to protect your privacy.
But the problem is, as we see -- all over the Internet, the technology we're using, the software, the operating systems, the way they're being maintained, they have lots of vulnerabilities, and when we're testing systems we almost always get --
I wanna see doctors -- -- front door, if you will.
Sure. So it's really easy to find the front door when an attacker wants to -- electronic medical records.
What they can do is they can use the search engine like Google to just search for the words -- again, password and health, and they'll get thousands of sites that are connected to the Internet that he can be pretty sure this health -- information behind that, that login screen.
So we're really searching here, we're searching, we're -- password, login and health, those three words, and these different web sites are going up, coming up.
-- if I just click on one here, you can see the login page. So presumably, if I worked in some kind of health where health care facility, this is what I would log into every day.
It exactly. If you were, if you were, if you -- doctor, you're a nurse, you have a site where you -- -- need having username and password.
The thing is, when there's a vulnerability in the software, that often can be bypassed.
You do this all the time, you're testing people's systems to make sure that they are secure. You're -- they're not secure -- how you break through this?
What you do if you fingerprint what kind of software is running. You go look up in a vulnerability -- there's one called the National Vulnerability Database, sponsored by DHS, which lists all the vulnerabilities in these systems, and do a search for that piece of software.
And when we do that search you'll see that a list of vulnerabilities is coming up here.
Something called SQL injection, something called unrestricted file upload, cross-site scripting. These are all different types of vulnerabilities that, to get right into -- system running that's
How can anybody get into this database?
gets -- public, the public database, and when you, when you, when you dive down into one of these, you can actually, it's links right to the way to exploit the information -- the thick -- It -- -- basically cookbook instructions on how to do that, and then what I'll do is I'll take that and I'll put it in tool called sqlmap, which will then attack that system and extract all the data from it.
But here you can -- to see things like drug inventory cuts start and play data. These are different fields that are in the database.
I didn't realize it was that much data.
That -- -- History day that immunizations. Insurance company -- --
here telling me that anybody -- virtually get this information?
That's right, and so I think the primary reason people are doing this is for identity theft, because that's a valuable.
So let's look. -- what we're doing here is really -- simulation, because we can't really do this without getting in trouble, right?
Right, but this is real medical, electronic medical record software that is -- rarely available, that people all over the -- -- it's got its -- thousands of places, and we just install their own copy to attack.
So I think this is so important because right now the government is requiring a lot of these records to be put online, to be put on the web, in the Internet. In fact, the government itself says -- at a tipping point where now most records are online, we expect all of them to be online. What does that mean for safety?
Yes, and that's what really concerns me is, you know, there is a natural course to adopting technology, where the more sophisticated organizations, the larger city hospitals and things like that, will start with -- And they have the IT staffs, they have the capability to secure those systems.
But when you force people to install software, they don't, they don't know what to do, they don't know how -- our processes in the smaller systems and a smaller medical colleges and schools, and when -- -- and when there's a deadline it's got to be done quickly, and when things are very quickly, oftentimes security is left by the ways tests us.