Threat Assessment & Initial Recommendations: Adversarial Military Use of Hacked Medical Records

At the Wall Street Journal, Christopher Porter and Brian Finch opined in “What Does Beijing Want With Your Medical Records?” that China’s 2015 Anthem hack accessed almost 80 million Americans’ private medical and insurance records as an ominous sign that it plans to expand and impose its massive surveillance state on Americans. Porter and Finch focus on the potential for China to utilize multiple mass data sets on Americans to assert control and call for Washington to “push back hard against any Chinese effort to extend its surveillance state into North America.” Agreed.

Unmentioned, however, are adversaries’ research and development of potential military applications for possession of mass medical records, for example, the gathering of information on medical vulnerabilities of strategic and tactical leadership, military, intelligence, national security, and infrastructure personnel or their families.

Given China’s intensive pursuit of CRISPR gene editing, long experience in the use of poisons, and hacking advances, a military use of mass medical data could be to probe genetic, drug, and medical device specifics for US targets to find features enabling a range of malign uses.

Malign uses of such medical information may include proxy insinuation and leveraging by direct threats to personnel or loved ones through disclosure of intimate knowledge of their medical conditions or vulnerabilities (PSYOP); engineering microbes targeting individuals’ DNA and/or agents exploiting their specific vulnerabilities inside or outside the context of their duties; hacking into connected medical implants such as pacemakers, insulin dosing devices, oxygen machines, and more; hacking into provider pharmacies systems for reading and fulfilling high value targets’ prescriptions for prescription tampering in house or after the fact via substitution; and even knowing where to hack to surveil their medical appointment schedules so as to know where and when they will be, and that, in a medical context.

As unsettling as this is, the good news is that awareness for potentially affected US personnel and agencies is the first step in hardening them against the abuse of such information. However, discussion of such concerns individually with health care providers by such personnel could create awkward misunderstandings from the perspective of providers not savvy to, and relatedly, less capable of believing that adversaries could or would be so cynical, vindictive, or intrusive. Such awareness building should not be put on individual personnel, but be communicated at a high level to the medical institutions, insurers, pharmacies, device manufacturers, and medicine delivery systems in question, and be disseminated through the ranks of those entities while a thorough internal security approach has been prepared to identify and prevent anomalous or intrusive events.

From an overall diplomatic and policy perspective, without compromising countermeasures, efforts at achieving deterrent policies and negotiated balances of power against adversarial usage of medical information for destabilizing and war-inciting decapitation operations warrants swift and serious communications with our adversaries.