Hackers Increase the Theft of Healthcare Records
by Robert Bond
Hacked Healthcare Records See Increased Value on the Dark Web
Data breaches have consistently made front page news over the past several years, from the Equifax hack impacting the personal information of 147 million Americans in 2018 back to the Target hack that compromised over 100 million credit cards in 2013. Criminals are consistently compromising the security of large corporations and stealing sensitive payment card and personal data. Last year, however, one thing started to change: attackers shifted their focus from payment card and personal records to a new target, healthcare records. Healthcare records have always been a primary target of criminal hackers, but the increase in the price of these records on the black market may be behind a renewed wave of attacks. While an average social security number sells on the dark web for around $15, a single medical record is now selling for $60 or more.
Digital Transformation in Healthcare Places Medical Records at Risk
One factor linked to this rise in health hacks is the digitization of health records. These digital records are a treasure trove of information for attackers. Not only do they contain insurance information, which is used for fraudulent billing and prescriptions, but also social security numbers, driver’s licenses and credit card numbers. Many medical providers had operated with paper, faxes, and handwritten charts until Obamacare mandated electronic records; healthcare providers have struggled ever since to secure their new digital records. In 2009, prior to the Affordable Care Act, only 12% of hospitals had transitioned to electronic health records. The ACA’s HITECH provisions provided tens of billions of dollars in incentives for healthcare providers to implement electronic health records; these digital records are now in use by 96% of hospitals across the country. New to the digital market and lagging behind the financial, consumer products, and tech sectors, healthcare providers are competing in an already tight market for IT security talent. The results are clear: 113 million individuals were impacted by healthcare-related breaches in 2015, and a recent study by Thales eSecurity found that 70% of global healthcare organizations have suffered a data breach.
Medical Records Mean Cash for Cybercriminals
Medical records are now the top-selling personal record on the black market. Research firm Cynerio found that malicious attackers are using these records for delivery of prescription drugs, fraudulent claims to online provider websites, and tax fraud. Researcher James Scott, in a report prepared for the U.S. Senate, found that electronic health records with complete long-form documentation on all the intricacies of a person’s health history, known by hackers as “fullz,” are often combined with fake passports, driver’s licenses, and social security numbers into an identity kit, which often sells for $1,500 to $2,000.
Cybercriminals use these records to buy medical equipment or drugs and to file fictitious claims with insurers. Health records also contain addresses and employer details, meaning hackers can use them to file fake tax returns. While a stolen credit card number can easily be cancelled and reported to a bank, there is no easy remedy for stolen medical records.
Healthcare Hackers – Insider Threat and Advanced Persistent Threats
Large criminal hacking groups are involved as well. Research firm TrapX Security recently reported that an organized group was conducting persistent attacks against large hospitals using backdoors present on blood gas analyzers located in hospital laboratories. Connected medical devices are often unpatched or unmanaged, and attackers are able to leverage known vulnerabilities in these devices to establish a backdoor into the network.
The allure of a large dataset of health records makes large insurer and hospital networks a top target for advanced persistent threat criminal groups; one example is a 2014 attack on Community Health Systems that impacted 4.5 million patients and was attributed to an APT group based in China.
Ransomware Hits Healthcare Hard
Over the past year many healthcare organizations were devastated by ransomware attacks. Because of insufficient IT security focus and spending, ransomware attacks have caused widespread damage in the healthcare sector. For example, the WannaCry ransomware campaign alone caused significant incidents around the world, including 19,000 cancelled operations and appointments in the UK when the NHS was attacked. According to a threat report from Cylance, the healthcare industry was the most affected target in last year’s three-fold increase in ransomware attacks. In 2016, Hollywood Presbyterian Medical Center paid $17,000 in ransom after attackers encrypted critical patient information with the Locky ransomware. In another report, cybersecurity insurance company Beazley suggested that 45% of all ransomware attacks in 2017 targeted the healthcare sector. As healthcare organizations continue to invest in and mature their cybersecurity programs, ransomware will likely remain a real concern.
Compliance Requirements and Regulatory Oversight
Regulatory oversight from the Department of Health and Human Services has been insufficient to force medical providers to keep patient data secure. However, compliance requirements like the HIPAA HITECH Act and the increasingly large fines that result from a breach are starting to make clear to medical providers the importance of securing medical data. In 2016, Advocate Health Care paid $5.5 million for violations of patient privacy law. Their violation stemmed not from criminal hackers, but from two breaches involving stolen, unencrypted employee laptops and a third breach from a consultant’s unauthorized access to patient records.
The HIPAA Security Rule established administrative, physical, and technical safeguard requirements for electronic Protected Health Information (PHI). The Health Information Technology for Economic and Clinical Health (HITECH) Act expanded protection requirements from medical professionals to subcontractors and other third parties involved in the transmission of PHI, and, more importantly, raised the maximum fine from $25,000 to up to $1.5 million per offense. Under the new HITECH regulation, large organizations are under increasing pressure. After a cyberattack impacting 79 million individuals hit Anthem Inc. in 2015, HHS fined the health insurer $16 million for failing to take basic security steps to protect patient data.
The high financial value of an electronic health record, complete with payment card information, Social Security numbers, and everything needed for a fraudulent health claim or tax return, has made these records a new top target for hackers. The digitization of records over the past decade without sufficient security in place has led to an increasing number of breached records.
Top threats include both malicious insiders and sophisticated criminal groups. While regulatory controls are in place through HIPAA HITECH and the Department of Health and Human Services, it is unclear whether these steep fines and compliance requirements are enough to keep health records secure.
October 7, 2019
September 19, 2019