Why Health Data Have Become Black-Market Favorites
By Jon Senger
In a published alert sent out to the health care sector, the FBI warned of increased risk of cyber intrusions against systems and medical devices. The alert refers to the ongoing shift to EHRs as a result of the HITECH Act, coupled with the fact that more medical devices are now being connected to the Internet. Unfortunately, these attacks aren't likely to slow down as cyber criminals have identified the health care sector as a new honey pot, and they are continuing to focus their efforts on the lucrative data residing within patient health records.
It seems every day we wake up and another health care company discovers a data breach. Even before the shock wears off, another 1,000 or 10,000 medical records are being stolen. We seem to be lost in a "lather, rinse, repeat" cycle of hacking.
The reason? Medical records are now creating a higher financial payout on the black market, where cyber criminals are selling the information at a rate of around $50 for each partial EHR. Compare that with a single dollar received for a stolen Social Security number or credit card number, and you'll understand why this problem is escalating.
The FBI also states that according to open source reporting from SANS, Ponemon, and EMC²/RSA, the health care industry is not technically prepared to combat cyber criminals' basic cyber intrusion tactics, techniques, and procedures, much less more advanced persistent threats. The health care industry is not, according to the alert, "as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely."
Indeed, cyber thieves will continue to increase their attacks and intrusions against health care systems—including medical devices—because of a mandatory transition by the federal government from paper to EHRs. Prior to this act, if a thief wanted to steal 50,000 medical records from a single hospital, it would have taken a Herculean effort. Imagine the difficulty of walking into a health care facility, gaining access into a more than likely locked file room, loading up multiple moving carts with stacks of folders and files, and then wheeling those data out the front door past hospital employees, patients, and security guards, only to then load them up stack by stack into the back of a truck without anyone raising an eyebrow.
Fast forward to today: If that same person can gain entry into a single computer system featuring protected health information (PHI), they can steal those files just as fast as they can download the data to their local computer or send it to another computer hundreds or thousands of miles away. They don't even need to be in the same country, let alone state or region to do it. And all too often, they aren't.
Cyber thieves wouldn't be doing this if it weren't a lucrative business. Yes, business, because that's how they are treating these stolen data. If you go online, it's like buying an item from your favorite e-commerce store. You put the stolen data in your shopping cart, and then check out. And believe it or not, many of these sites have a rating system, a comments section, and oftentimes a better customer support system than most legitimate shopping sites.
Beyond the exponential increase in payout, there are other reasons why PHI and EHR data are quickly becoming a cybercriminal's favorite target. Consider the following:
1. Medical records typically include multiple data points—names, birth dates, Social Security numbers, medical policy numbers and billing information—all of which can be used for an equally exhaustive list of profitable activities.
2. With this collective information, thieves can advance identity theft and open multiple credit lines or create fake IDs.
3. The information gathered also could be used to file fraudulent insurance claims and obtain prescription medications that can be resold for a profit.
4. EHR theft is also more difficult to detect. Unlike credit card fraud, which usually shows up within days (if not hours) and is quickly shut down, medical data theft can go undetected for months or even years.
5. Financial data also has a finite lifespan because it becomes worthless the second the fraud is detected and the card or account is canceled and reissued. Health care records have a much longer shelf life because Social Security numbers can't easily be canceled, and medical and prescription records are permanent.
Clearly, health care records are an ideal target for cyber criminals. And most health care providers are simply not prepared for this type of 2.0 bad guy they are now facing in the digital age. Keeping these data thieves at bay takes continuous monitoring, a modern IT infrastructure, and multiple layers of security, all of which require people and technology resources most health care organizations don't have.
Rather than creating and managing their own environment to protect such a highly regulated and highly targeted resource, health care organizations should look to a managed service provider that is more capable of preventing data theft and has the right software tools, people, and infrastructure to do the job. New technologies such as workspace-as-a-service solutions built specifically for the health care market are making it easier for managed service providers to enhance the security of their health care clients' EHR and PHI while complying with HIPAA.
Let health care focus on the patient, and let managed service providers focus on securing the data.
— Jon Senger is an HIT and security advisor to MSPs and chief technology officer of Vertiscale, a developer of workspace-as-a-service technology for the health care market.