
Computer Crime is the misuse of a computer or associated electronic networking system in order to commit illegal and unlawful acts. Computer crimes range from the illegal use of the internet to the unlawful accessing of information stored in computer systems.  In 1984, my husband Peter Finn, who is an attorney, and I wrote an article for Computerworld, a technology publication, entitled “Don’t Rely on the Law to Stop Computer Crime”. That title is equally relevant today.

In the article, we discussed the case of New York v. Weg, which illustrated how difficult computer crime statutes can be to uphold. A judge in the New York Superior Court dismissed the theft of services charge against a computer system manager employed by the New York Board of Education who used school computers to trace the genealogy of horses and create a handicap system for betting. The Court found that the individual had not committed a criminal act because the school system had given him general cyber access to the computer. However, if he had plugged into a public computer system without permission, his acts may have constituted a criminal offense.

In 1984, computer abuse referred to financial crime, information crime, theft of property, theft of services and vandalism.  Today, the problem has become much more complex and widespread and we call it cybercrime.  Cybercrime has many facets including the following:
• Cyberterrorism, the most insidious, is defined as an act of terrorism committed through the use of cyberspace or computer resources, organized by groups with the deliberate intent to harm, cause fear, demonstrate power, and collect information that could potentially damage lives and businesses and destroy government property.
• Hacking – a hacker is someone who seeks and exploits weaknesses in a computer system or computer network. Hackers may be motivated by a multitude of reasons, such as profit, protest, or challenge. The subculture that has evolved around hackers is often referred to as the “computer underground.” This category of computer crime includes spreading computer viruses and malware (malicious embedded code) and launching denial of service attacks.
• Cyber extortion covers crimes committed by a select group of criminals who use the computer as a tool to get the specific data that is stored and use that information for illicit purposes. As technology evolves, so too does the nature of the crime, which helps to explain how unprepared society, and the world in general, is to combat these crimes.
• Cyber-based copyright infringement, or the unlawful possession or distribution of intellectual property, e.g. music or books, obtained through illegal means.

Healthcare and Cybercrime

Healthcare cybercrime is a growing criminal field. The healthcare sector represents an easy target for cyber criminals because patient information such as social security numbers, insurance ID numbers, credit card numbers, personal addresses and medical history are  tremendously valuable assets that can  easily be used to commit fraud, financial theft, and identity compromise.  A stolen credit card can be cancelled and fraudulent charges disputed, but resolving medical identity theft is not as straightforward. Medical records sell for 10 to 20 times more than credit card records.  There is also a particularly insidious type of healthcare cybercrime where uninsured patients use a stolen identity belonging to another person to access healthcare resources, including forged prescriptions, inpatient or outpatient care, or fraudulent healthcare lawsuits.

The Department of Health and Human Services reported in 2015 that 15 healthcare data breaches that year affected well over 110 million people. That means that the personal health information of nearly half the US adult population was compromised in some manner by a data breach. If these data breaches were a virus, they would be categorized as a pandemic.

It is estimated that breaches cost the healthcare industry about $5.6 billion annually. As healthcare moves toward a model of connected, coordinated care, the amount of data exchanged between organizations will grow. Hopefully this will incentivize hospitals and other healthcare facilities to make a greater effort to protect medical records and other vulnerable personal health information by encrypting all of their data. Recent privacy and security laws passed in several states mandate that insurance carriers encrypt personal information. Much more is needed, because cybercrime problems continue to plague.

Since 2009, nearly 21 million Americans have had their medical records stolen or lost. The largest single theft was from TRICARE, the Defense Department’s civilian healthcare program for Armed Forces members, retirees, and their dependents. In 2011, 4.9 million TRICARE members’ EMRs on backup tapes in the possession of a subcontractor to the DOD were misplaced and lost. The tapes contained sensitive personal data such as clinical notes, laboratory test results, and prescriptions.

In May 2012, federal prosecutors charged a medical technician at Washington’s Howard University Medical Center with the systematic theft of patients’ personal information, including Medicaid ID numbers. This information was sold to third parties. Shortly after the Howard University theft, the Utah Health Department announced a massive data breach—Eastern European hackers had stolen 280,000 Utah residents’ personal identification, social security numbers, diagnosis information, and medical billing information.

A relatively new and even more frightening cybercrime is hacking into medical devices. Medical devices are considered by hackers to be one of the easiest and most vulnerable points of entry into a health care enterprise, and are one of the most difficult areas to remediate, even when an attack has been identified. Once hackers have infiltrated a medical device, they can use the device as a permanent base through which to access the hospital’s network and attempt to steal personal data. In fact, medical records can be pulled out of a hospital through these devices.

Hackers today are also using medical devices, such as insulin pumps and pacemakers, to launch deadly attacks. In a pilot operation, a hacker who was hired to test how easy it is to infiltrate a specific brand of infusion pump was able to manipulate the pump’s actions remotely and dump an entire vial of medication into a patient.

In response to these findings, the FDA issued an advisory opinion urging hospitals to stop using the particular vendor’s infusion pumps. Similar ease-of-entry tests have further illustrated how easy it is to hack into a medical device. For example, at the Def Con hacking conference, a hacker demonstrated his ability to remotely hack into a pacemaker and cause it to deliver a dangerous shock.

There are Penalties:  We Need More

A criminal who hacks into another person’s computer could be punished for a number of different crimes. The law punishes hacking under the various computer crime statutes. These crimes carry penalties ranging from a Class B misdemeanor, punishable by up to six months in prison, a fine of up to $1,000, or both, to a Class B felony, punishable by up to 20 years in prison, a fine of up to $15,000, or both.

The law also punishes unauthorized access to a computer or computer network, with penalties ranging from a Class B misdemeanor to a Class D felony punishable by up to five years in prison, a fine of up to $5,000, or both. In addition to criminal penalties, the law specifically authorizes someone harmed by a computer or unauthorized use crime to bring a civil lawsuit against the perpetrator. These civil actions are in addition to any other grounds for a civil action that the injured party may have.

Cybercrime continues because we have ignored it for so long. If we are going to combat this scourge, we need a complete overhaul of the legislation to prosecute cyber criminals and the establishment of special forces within the Federal Justice system armed with the sophisticated tools and strict regulations to fight cybercrime, particularly in healthcare. It will take a strong public policy commitment and the cooperative efforts of the States and the Federal Government to make this happen. If we ignore the problem, we risk lives, business and personal security, and the theft of our most valuable personal information.

 
