In the previous article in the ThreatModeler series about the Collateral Damage of a data breach, we looked at the potential damage that could occur if hackers were able to acquire just a single username and password for an individual. Now, let’s take a look at the collateral damage of an electronic health records data breach.

In 1996, the US Department of Health and Human Services issued the Health Insurance Portability and Accountability Act (HIPAA) to protect individual privacy and secure sensitive information processed by the healthcare system. HIPAA guidelines, rules and regulations set national standards for healthcare transactions and the protection of health records. At the end of 2014 HIPAA enforced the Security Rule – legislation mandating that all medical records be put into electronic format as an Electronic Health Record (EHR).

The purpose of an EHR is to make the information necessary for an individual’s medical care easily accessible to healthcare providers. Consequently, most computer systems in the healthcare industry are designed around the principle of sharing data. This functionality is in addition to the operation of medical machinery and devices. The need for data sharing in the IT ecosystem makes the healthcare industry a more attractive target for hackers.

Electronic Health Records Data Breach of Premera Blue Cross Blue Shield

The year 2015 was a record year for healthcare-related data breaches. A number of hacks within healthcare systems occurred, including Anthem Blue Cross (78 million affected) and Excellus BlueCross BlueShield (10+ million affected). The Premera BCBS breach in May of 2014 resulted in the theft of 11 million health records. The breach was not detected until eight months later, and was only made public by Premera in March of 2015. During that time the attackers had complete access to sensitive information including individual names, dates of birth, email addresses, street addresses, telephone numbers, Social Security numbers, member identification numbers, bank account information, and claims information.

From EHRs to medical devices to systems that measure and administer prescription drugs, a number of different IT infrastructures are targeted. Whatever the target, the potential outcome for individual patients can be detrimental. The purpose of a data breach involving healthcare records can be monetary gain (obtaining payment information), defaming an individual or group (e.g., targeting Planned Parenthood), compromising an organization’s operations or, in the worst cases, putting people’s health at risk.

At the very least, hackers can target a poorly secured healthcare facility to compromise private patient records. In more severe instances, a hacker can gain restricted access to a healthcare facility, tamper with a medical device’s operating system and manipulate its functionality, placing wearers of the device in harm’s way. In other instances, to reduce market competition, hackers may sabotage the release of a device. In another instance, the bad actor may manipulate patient records so that the incorrect therapy is prescribed, in some cases with cold-blooded motivation.

The following are additional collateral damages that may occur as a result of a data breach:

Costly and life-threatening miscommunication: Cold-blooded motivation would be one of the worst-case cybercrime scenarios here. What would happen if an individual came into an emergency room after an accident and, because his or her EHR had been modified, was given the wrong medication or an infusion of the wrong blood type? It would be an effective way to commit murder and get away with it. Administering incorrect therapy due to illegal tampering with records can also pose an injurious threat to a person’s health.

Increased premiums, loss or denial of coverage: Unauthorized changes to an individual’s records could also result in misinterpretation of an individual’s true health condition and change the factors that dictate the cost of health or life insurance premiums. What would be your recourse in such a case?

Potential malpractice accusations and risk: A patient’s safety and privacy are not the only concern when attackers strike; medical professionals who treat patients using altered records could also suffer from the ripple effect. The high premiums of malpractice insurance are one of the driving forces of everyone’s healthcare costs.

Public embarrassment and loss of job: What if your prior treatment for mental health or another condition was publicly revealed? You may face the trauma of public embarrassment, scrutiny or the fear of losing your job.

Targeted scam attacks: What would happen if your prescription details or ailment information were sold to scammers with offers of cheap medication or treatment? Acting upon such offers could result in severe health complications. Furthermore, what if you were not interested in such offers? If the scammers have your email address and doctor’s name, it would be relatively easy to create a convincing email that installs malware on your computer. Then all the information on your computer would become available for the taking.

Biometrics data: With the emergence of biometrics data, unique dangers emerge, partially due to the permanence of identifiers such as fingerprint data. Like other personally identifiable information (PII), once released, biometric data poses continual risk to the victim. As more applications utilize biometrics data for login credentials, hackers may further compromise a user’s PII on whatever device he or she stores it on. Cybercriminals may also use biometric data to track and detect locations that people visit, e.g. secured perimeters.

It is hard to wrap your head around the scope of an Electronic Health Records Data Breach. When credit card information is compromised, the shelf life is pretty short, restitution is swift, and everyone moves on. But medical information is highly sensitive, and its shelf life is the lifetime of the individual. The collateral damage to an individual could extend much further than simply ruining his or her credit – it could even be deadly. How, then, will a mere two years of credit monitoring genuinely help? Organizations need to take a proactive approach to securing sensitive data.

ThreatModeler Helps Healthcare Organizations to Understand Their Attack Surfaces

The private and sensitive data that a healthcare organization processes serves multiple purposes. This poses a threat at the privacy, operational and safety levels. In order to get a better understanding of an organization’s risk, it is important to review the different healthcare assets within an organization.

ThreatModeler is an automated tool that can help organizations to map out their IT infrastructure – from web, to mobile, to IoT-embedded applications – to paint a clear picture of their attack surface. Healthcare security managers can prioritize their strategy to manage risk. To learn more about how ThreatModeler™ can help your organization build a scalable threat modeling process, book a demo to speak to a ThreatModeler expert today.





