Tuesday, May 14, 2024

Another Hacking Trick used against Healthcare Offices...


As almost everyone now knows, you should *never* click on a file emailed to you without first making sure it is authentic.  Even then there are risks, but by contacting the people or organization that supposedly sent the file, you can eliminate the majority of that risk.

Generally speaking, in the chain of security, the human element is the weakest link.

This is especially true when faced with well thought out social engineering schemes.  The person attempting to start a breach will usually try to put the target into a panic, which helps them because when humans panic, we tend not to think as clearly.  In my office, we once got a call from someone claiming to be from the local power company telling us they were going to shut our power off in one hour unless we paid the bill. They told us that they could take care of it with a credit card, but that we had to give them the number NOW or we were going dark.

 Of course, we panicked.  It was only when someone had the presence of mind to ask if they could give us our account number along with the date and amount of our last payment that we figured out it was a scam.  The person on the other end of the phone call couldn't answer those questions.

Along similar lines, I've learned of another social engineering scam.  The office receives an email that is faked to appear to be from the state medical or dental board.  A complaint is alleged and a file is attached that supposedly contains the complaint.  Of course, in a panic people click on the file and in addition to opening a fake complaint, it also installs a file that allows the criminals access to and control of the network.

This scam has been used with some success against plastic surgery offices.  The worst part of this scam for those offices *and* the patients is that hackers then download all the patient files and use what is in them to extort money from the office.  Some offices that have been hit have had the worst possible scenario evolve out of it.  The hackers are then posting photos of patients that were taken pre and postoperatively.  Being in the practice of cosmetic surgery, many of the photos are of patients disrobed.  Hackers have been posting these images in publicly accessible websites.  You can imagine the humiliation that patients face when they learn that photos are online of them not wearing clothes.  Some of the sites have gone as far as to post the patients' contact info with the images.

The lesson here is to NEVER click on a link or any file from an outside source without verifying its authenticity.  Data security breaches are increasing in the healthcare sector every year and we all need to do everything we can to protect the patients we care for.


  1. One half-way decent way of detecting this is to NOT use Microsoft Windows for storing your data. Store your image data on a Linux fileshare. Then monitor reads and writes. Determine what a typical day looks like...i.e. when a new patient has photos or x-rays taken, you'll probably see a bunch of writes. When an existing patient comes back, you'll probably see a handful of reads. Use that as a baseline.

    Start "scoring" file access by IP and/or user.

    If a computer reads a file (which is normal), give them a point per file. If a computer writes a file (which is a bit more rare), give them 2 points. When a computer starts deleting or renaming files (which almost never happens as the patient record is supposed to be preserved) give them 5 or 10 points.

    When an IP (workstation) or a user gets over a certain number....say 30 points in a certain time....say 60 minutes...page an IT guy to investigate. If they go over a higher number (maybe 50 points), drop that IP in the storage devices firewall. For good measure you could also drop it in the router so it can't talk to the internet. For even more winning, drop the switch port.

    From there, get more geeky. Every time a file is read, grab its mime type. i.e. a workstation just read 2344536.jpg and it's mime type is "image/jpeg". If the file is written to (who writes over top of xrays?) and the mime type is suddenly NOT "image/jpeg"...there's definitely a problem. Who is re-writing JPEG files to contain non-JPEG data? Perhaps it's time to page an IT guy and drop-kick a workstation off the network because Cryptolocker appears to be active...

  2. Thanks for all of that Aaron. I was hoping you'd comment. These kinds of attacks need to be stopped somehow. Once the data is out there, there are no assurances that images and info won't be used to extort people again and again.

    You've got search an inside perspective on this... the healthcare industry *needs* more people like you.

    Drop me DM on X . I'd like to discuss more.

  3. Thanks John, but I no longer have an account on X. Feel free to shoot me an email. If you don't see it as part of the account I'm posting from, let me know.

  4. Aaron, I don't see it. Perhaps I'm just blind. Let me know how you'd like to reach out. I'm on FB and IG, maybe one of those will work...

    1. Looks like I have an old LinkedIn account. I shot you a message there.