Social Engineering: Medical Data

Monday, November 1st, 2010

Continuing on my wild ramble regarding people not valuing personal data… today I’ll have a quick ramble about medical data. Not long ago, I got a letter from the NHS stating that they were going to enrol me in their all-singing and all-dancing new database. Charming… I could opt out beforehand (if I wanted to), but once I was in the system I couldn’t be removed. So I filled out the opt out form, and walked down to my local GP.

At the GP’s office, the lady at the front desk took my opting out personally. She started telling me that if I had an accident, the hospital would not know if I was allergic to medicines, and they may even not be able to treat me.  More than a little annoyed, I explained that given the track record of the NHS, I would rather all my medical paperwork was kept in a locked filing cabinet at the GP, or even better, shredded! My medical history isn’t that interesting anyhow, so I didn’t really care.

Cue the statement “what do you have to hide?”; “it’s just your medical history, why do you care if it goes public?”.

…groan…

Leaving aside the potential for embarrassing issues to be made public – which I have none – in fact, I’m quite open about my annual medical accident where I break a bone or two and end up with a good few stitches… In fact, I’m on a first name basis with the nurses at the A&E at my local hospital! But that’s another story… where was I now, oh yes, leaving aside the potential for embarrassing issues (what politician would like to find out that his rival was treated for erectile dysfunction? or maybe find out that the latest pro-life campaigner had an abortion?) there is a quite worrying case that is becoming more and more common in Italy… so much so that it was reported on the news a few weeks ago.

Let’s set the scene… kind old lady, needs a weekly shot of her medication. Hence, the local hospital sends two nurses around on a weekly basis to administer her drugs.

Cue the bad guys who got their hands on her medical records.

An hour before her usual drug appointment, the lady’s doorbell rings. Two strangers in white coats say that the hospital sent them, that the usual guys are out sick, and they are the replacements. They realise they are a bit early, but as they are new, they split the rounds. They know exactly what drugs she is waiting for, confirm her condition, birth date and a lot of her medical details – “for security of course”.  Clearly, the little old lady doesn’t want to lose her medication, so she opens the door and lets them up to her flat.

At this point, most people think “uh-oh, they will rob her”. Sadly, it’s even more devious than simply tying her up and robbing her flat. Instead, they are perfect nurses, and they administer her drugs. Which just happen to be a strong narcotic this week. We can now start the timer, and they have a little under an hour before the real nurses come by… that’s a little under an hour to totally empty the flat, taking anything of any value.

An hour later, the doorbell wakes up the little old lady, who finds her handbag, and flat, much emptier…

Now, this is so shocking to many that it seems like a made-up scenario. Sadly, this has happened, and is currently happening… sadly, it will also continue to happen unless people start valuing their personal data; and maybe thinking about the security of their data along with that of their wallet!

M.
