Patient data is virtual gold mine for cybercrooks

Robert Lord, BridgeTower Media Newswires

The health care industry is under siege. Data breaches of patient information have become all too common, with both external and insider threats trying to gain access to patients’ electronic health records (EHRs), and it does not appear that the number of attacks will ease up anytime soon.

But this raises the question: Why are EHRs so vulnerable to attack? And why do criminals target them in the first place?

We are going to dive into the world of EHRs and examine what makes them so vulnerable and so valuable: how EHRs need to be easily and widely accessible, how health care organizations have fallen behind when it comes to EHR security, and how criminals have created sophisticated attacks in order to steal EHR data and sell them for profit.

A black hole

One of the main reasons that patient information is so difficult to protect is that, within a health care organization, the EHR must be easily accessed and widely available, especially in the case of emergencies. In order to make records easily accessible, employees use many different systems and devices – including computers and mobile devices – to access the EHR. Moreover, third-party vendors, such as equipment and drug suppliers, as well as insurance companies often have, at minimum, limited access to patient information.

This also means that it is much more difficult to secure sensitive patient information because criminals have so many access points that they can exploit to gain access to this plethora of information.

Government mandates, including the Affordable Care Act, compelled health care organizations to adopt electronic health records, even when those organizations did not have the resources to provide sufficient security for them. Unfortunately, this has left many EHR systems vulnerable to criminal attacks, making them a consistently easy target.

Criminal infiltration

This problem is further compounded by the fact that health care organizations have lagged behind in putting proper security measures in place, leaving the EHR vulnerable to both insider and external threats. A KPMG study estimated that health care organizations can spend as little as one-tenth what other industries spend on security. Thus, health care organizations are simply not prepared for the sophisticated threats that criminals are launching.

For instance, many health care organizations do not encrypt patient data, either at rest or in transit, meaning that when EHRs are breached, criminals have direct and immediate access to the information. Similarly, many organizations do not have a privacy analytics platform in place to monitor the EHR for insider threats, such as hospital employees who access patient data without authorization or criminals who use stolen credentials to compromise patient information.
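As an added illustration of the monitoring the paragraph above describes (this is example code, not the article's or any vendor's product), the script below runs three simple insider-threat checks over constructed EHR access-audit records: a chart opened by someone with no treatment relationship to the patient, off-hours reads by a non-clinical role, and bulk chart browsing of the kind a stolen credential produces. The log format, field names, roles and thresholds are all assumptions for the example.

```python
"""Insider-threat checks over EHR access-audit records (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed audit records (not real data): timestamp|user|role|user dept|
# patient|patient dept|care_team flag. The care-team flag stands in for the
# treatment relationship the EHR already tracks.
AUDIT_LOG = [
    "2016-03-01T09:12:00|u101|nurse|ICU|p555|ICU|care_team=yes",
    "2016-03-01T09:40:00|u101|nurse|ICU|p556|ICU|care_team=yes",
    "2016-03-01T22:15:00|u102|billing|FIN|p901|ONC|care_team=no",
    "2016-03-01T02:03:00|u103|nurse|ER|p001|ONC|care_team=no",
    "2016-03-01T02:04:00|u103|nurse|ER|p002|CARD|care_team=no",
    "2016-03-01T02:05:00|u103|nurse|ER|p003|ICU|care_team=no",
    "2016-03-01T02:06:00|u103|nurse|ER|p004|ONC|care_team=no",
]

BULK_THRESHOLD = 3            # distinct charts per user per day (assumed tuning)
SHIFT_HOURS = range(6, 21)    # 06:00-20:59 is a normal shift (assumed)
NON_CLINICAL = {"billing", "admin"}

def parse(line):
    ts, user, role, dept, patient, pdept, rel = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "dept": dept, "patient": patient, "pdept": pdept,
            "care_team": rel.endswith("yes")}

def detect(lines):
    """Return (alert_type, user, patient) tuples for suspicious chart accesses."""
    alerts = []
    charts = defaultdict(set)          # (user, day) -> distinct charts opened
    for rec in map(parse, lines):
        user, patient = rec["user"], rec["patient"]
        # 1. Chart opened by someone with no treatment relationship to the patient.
        if not rec["care_team"]:
            alerts.append(("no_care_relationship", user, patient))
        # 2. Non-clinical role reading charts outside shift hours.
        if rec["role"] in NON_CLINICAL and rec["ts"].hour not in SHIFT_HOURS:
            alerts.append(("off_hours_nonclinical", user, patient))
        # 3. Bulk browsing: many distinct charts in one day, the pattern a
        #    stolen credential produces; alert once, when the threshold is hit.
        day_set = charts[(user, rec["ts"].date())]
        day_set.add(patient)
        if len(day_set) == BULK_THRESHOLD:
            alerts.append(("bulk_access", user, patient))
    return alerts

if __name__ == "__main__":
    for alert in detect(AUDIT_LOG):
        print(*alert)
```

Real platforms baseline each user's normal volume and care assignments rather than using fixed thresholds, but the three signals are the same ones an auditor reviews.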

Tip of the iceberg
Ransomware attacks are a good example of the level of sophistication that cyber criminals are using against healthcare organizations. In a ransomware attack, the criminal holds the EHR for ransom by hacking into the system and encrypting the information in order to prevent an organization from accessing it. The criminal will then demand a ransom – usually in untraceable bitcoin – in exchange for the decryption key.

Health care organizations are particularly vulnerable to this type of attack due to the sheer necessity of this information — without it, lives could be in jeopardy. It should come as no surprise that ransomware attacks are becoming more common and more deadly, with 88 percent of all ransomware attacks targeting health care organizations.

Hollywood Presbyterian Medical Center experienced the effects of a ransomware attack firsthand in March 2016, when criminals prevented the medical center from accessing its EHR for an entire week until the hospital paid the hackers $17,000. However, some criminals are adding an additional layer of complexity to their ransomware attacks by using such attacks as a diversion. When a ransomware attack occurs, law enforcement and security officials often focus solely on dealing with the ransomware itself, leaving the rest of the system vulnerable, which allows criminals to access patient records and secretly exfiltrate them.

Even if a hospital has backups of its patient data and is able to restore it or if it simply pays the ransom to get the records back, it has no way of knowing how many records were exfiltrated while the criminals held the information for ransom.

Real victims
If health care organizations continue to delay putting proper security measures in place to protect their EHRs, they will find themselves in the headlines for all the wrong reasons. On the other hand, if organizations get serious about patient privacy, they will require a robust security system to protect their EHR system from a variety of threats from internal and external sources.

When an organization fails to implement these measures, it is often the patients who pay the price. Victims can easily spend thousands of dollars and hundreds of hours simply trying to put their life back together.

It’s imperative for health care organizations to become proactive in monitoring and protecting their patient data. The sooner a breach is discovered, the sooner organizations can mitigate the risk of catastrophic damage to their reputation and, more importantly, to their patients’ lives.

It is no secret that electronic health records are incredibly valuable. One needs to only look at the number of cyberattacks that target healthcare organizations as proof that those records contain extremely valuable patient information.

In the first installment of our two-part series, we explored what makes EHRs so vulnerable to criminals attacking them. Now, we are going to take a closer look at what happens after a health care data breach – not from the perspective of a hospital or healthcare organization, but from the perspective of the criminals and their victims. We will examine how longevity and versatility make EHRs so valuable to criminals and how this can ultimately cost the victims thousands of dollars and hundreds of hours of their time.

A long-term asset

One of the reasons electronic health records are so valuable to criminals is that this information contains a complete “ID kit,” everything they need to steal your identity and perform an array of fraudulent crimes. Someone who has had their credit card or bank information stolen can simply cancel the card or dispute the fraudulent charges. On the other hand, when someone has their medical information stolen, they face much more difficult challenges due to the amount of sensitive information encased in medical records that cannot be changed — diagnoses, employment history, financial information, and even sensitive family information.

Furthermore, medical identity fraud is harder to detect than credit card fraud. Often, the only way for patients to know that they have been a victim of medical identity fraud is if they hear directly from their providers or if they notice suspicious debts during a credit check. This lag in notification or discovery allows criminals more time to abuse the information, selling it repeatedly on the Dark Web and making a profit at the victim’s expense.

Seven illegal activities

Nevertheless, criminals do not only target EHRs because the information is long-lasting; they also target it because it can be used for a wide variety of illegal activities. For example, criminals can use medical information to:

• Sell patient info repeatedly on the black market, using the profits to fund other activities;

• Obtain expensive medical equipment, prescriptions, or procedures;

• Commit tax fraud;

• Expose or blackmail specific individuals, such as politicians or celebrities;

• Receive medical care;

• Undergo surgery;

• Purchase or sell prescription or controlled drugs.

Many of these uses are not mutually exclusive, so a criminal can exploit the information to buy medical equipment and then turn around and sell it to someone trying to obtain prescription drugs, compounding the profits that the criminal can make after stealing a patient’s EHR.

A valuable asset

Of course, because it is so long-lasting and versatile, medical information is much more valuable than other types of information. For example, a person’s EHR is worth 10 times more than financial information, such as a credit card number. Criminals often sell stolen EHRs in different packages, such as a “fullz” or a “kitz.”

A fullz is a packet that includes a person’s name, date of birth, contract or group number, type of insurance plan, deductible, and co-pay information. It can also include the victim’s Social Security number, addresses, phone numbers, email addresses and passwords, bank account information, online banking credentials, and credit card information.

Similarly, a kitz is a fullz dossier that also includes counterfeits of the victim’s physical documents, such as an insurance card, Social Security card, driver’s license, and credit card. Fullz packets cost approximately $500 when sold illegally on the Deep Web, whereas kitz can run as much as $1,200.

In a time when the value of a stolen credit card number averages less than $20 on the Deep Web, it is easy to see why criminals have begun targeting people’s medical information more and more, especially because EHRs are so vulnerable to attack.

The real cost

And all this will disproportionately affect the patient. Health care organizations will end up spending a significant amount in the wake of a data breach, but these costs will be relatively short-term compared to the long-term price victims will pay if their medical information is stolen. Indeed, victims can expect to pay approximately $13,500 in legal fees and fraudulent charges, and they can spend up to 200 hours trying to deal with the matter. This is due in large part to the fact that there are no set requirements a health care organization or even the government must meet to help victims of medical identity fraud after their EHRs are compromised.

So often, patients are lost in the bigger picture as health care organizations cut budgets to save money. But the stakes of not investing in proper security measures are high because electronic health records represent more than just data; they contain personal and sensitive information that, if stolen, can have a drastic effect on patients, as criminals sell their information repeatedly on the Deep Web, profiting from it for years and years – long after a health care organization has recovered from the breach.

—————

Robert Lord is co-founder and CEO of Protenus and a fellow with the Institute for Critical Infrastructure Technology.