DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Data manipulation heralds a new era of hacking

Posted on November 26, 2016 by Dissent

Here’s one of the nightmares I’ve occasionally had over the past two years: a healthcare entity gets hacked, but instead of patient data being stolen, it’s corrupted, leading to inaccurate patient medical records that result in wrong treatment or even fatal mistakes.

Has it already happened? Data corruption is a risk that has always been mentioned in the context of medical identity theft if someone else uses your identity information to obtain medical care, but I’ve never seen any  public reports of patient records being maliciously corrupted by hackers. But the risk of data corruption has always been recognized, as Jason Hart writes this week on SC Magazine:

When we think of data breaches, we picture instances where a large amount of customer data has been stolen from a business or organisation, such as the recently disclosed Yahoo hack.

Whilst much of the IT security industry is focussed on preventing data theft, there’s another element that needs to be considered: data manipulation. The risks data theft poses to businesses are well understood. However, the dangers of data manipulation, where hackers damage the integrity of the data, are only just beginning to become clear, as it is harder to detect and prevent, because nothing is stolen.

So assume an entity does not know its patient records have been maliciously and intentionally corrupted. What “best practices” should entities routinely follow to determine if that’s happened? What “best practices” should entities follow to ensure that in the event that they do detect a problem, they have a clean and accurate backup? Because if you don’t know it’s happened or when it’s happened, can you even rely on your backups?

Will the next generation of ransomware be of the form, “Pay us and we’ll tell you what records we corrupted or restore your clean files, and if you don’t pay us, you may not know what patients have had their records altered.” ?

Like I said, it’s one of my nightmares – not as a healthcare professional, because I don’t prescribe or have responsibility for life or death medical decisions – but as a member of the public who relies on doctors having her and her family’s accurate medical records.

 

Category: Commentaries and AnalysesHealth Data

Post navigation

← 18-Year-Old “Computer Genius” Charged with Launching DDoS Attacks
Report holds Hitachi responsible for debit card data theft →

1 thought on “Data manipulation heralds a new era of hacking”

  1. Anonymous says:
    November 28, 2016 at 12:34 am

    How does an entity know their data hasn’t been tampered with? I’ve been arguing this a long time. It’s an ideal attack. Even if an organization is told “here’s your original data” how would the organization know? That is essential.

    Backups are only retained for a certain period. We keep backups around monthly for a year, but it’s not at all reasonable to restore a month-old backup and resume service based on that. The point of the months old backup is simply financial. Restoring that backup for healthcare is not at all reasonable. At some point, we may have to take the loss of healthcare data if the data is compromised. That scares the hell out of me.

    I do my best to secure our data, but I know how easy it is to be lazy. I think my clients are in relatively good shape. However I know what’s at stake and have a lot of doubts about our counterparts. It’s very scary.

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Estonia launches international search for Moroccan citizen wanted over data theft
  • Now it’s Tiffany: Another LVMH luxury brand hit by hackers
  • Dutch Government: More forms of espionage to be a criminal offence from 15 May onwards
  • B.C. health authority faces class-action lawsuit over 2009 data breach (1)
  • Private Industry Notification: Silent Ransom Group Targeting Law Firms
  • Data Breach Lawsuits Against Chord Specialty Dental Partners Consolidated
  • PA: York County alerts residents of potential data breach
  • FTC Finalizes Order with GoDaddy over Data Security Failures
  • Hacker steals $223 million in Cetus Protocol cryptocurrency heist
  • Operation ENDGAME strikes again: the ransomware kill chain broken at its source

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Period Tracking App Users Win Class Status in Google, Meta Suit
  • AI: the Italian Supervisory Authority fines Luka, the U.S. company behind chatbot “Replika,” 5 Million €
  • D.C. Federal Court Rules Termination of Democrat PCLOB Members Is Unlawful
  • Meta may continue to train AI with user data, German court says
  • Widow of slain Saudi journalist can’t pursue surveillance claims against Israeli spyware firm
  • Researchers Scrape 2 Billion Discord Messages and Publish Them Online
  • GDPR is cracking: Brussels rewrites its prized privacy law

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.