Healthcare organisations are under siege from profit-minded hackers who are utilising common exploits to extract the contents of sensitive databases and sell them for $US20 ($A26) per record or more, according to a new analysis of underground medical-record markets.
Intel Security’s McAfee Labs Health Warning report trawled online dark-web forums to discover thriving trade in healthcare and financial details culled from compromised medical centres, insurance companies, and other healthcare providers in the US.
Stolen medical records were available for sale priced at $US0.03 to $US2.42 per record while financial account records – which were often taken from medical practices with large numbers of patients – were often separated from medical records and sold for $US14 to $US25 per record. Sellers not only advertised their prices and garnered reviews from buyers, the researchers noted, but were bragging about their work on social media.
The net result of such efforts is four and five-figure windfalls for ‘script kiddie’ hackers who leverage commonly available exploits or cybercrime-as-a-service kits to compromise unwitting victim organisations. Others were open about actively recruiting insiders within healthcare organisations to help steal patient information en masse.
“Liquidity trumps longevity in the race to monetise stolen data,” Intel Security CTO for EMEA Raj Samani said in a statement. “If I steal a million credit or debit card numbers, I can quickly sell this digital merchandise before banks and retailers discover the theft and cancel these numbers.”
“Alternatively, a million medical records contain a rich cache of permanent protected health information and personal histories, but such data requires a greater investment of time and resources to exploit and monetise it.”
The growing targeting of healthcare providers reflects a trend that has seen healthcare bodies becoming increasingly technology-dependent. Yet while technology holds great promise in improving healthcare – Gartner research director Laura Craft recently outlined a future scenario in which artificial intelligence based analysis offloads a growing percentage of primary care visits – security vulnerabilities in the healthcare sector remain a real and problematic issue. The security of medical devices, in particular, is coming to the fore as security experts warn of heart implants being hacked to deliver electric shocks and high-level concerns are raised about Internet of Things (IoT) security in the wake of this month’s DDoS-driven major Internet blackout in the US.
Healthcare “is a very problematic sector to secure properly,” says Keith Holtham, emerging technologies lead for ANZ with Check Point Software Technologies, who sat on a healthcare-security panel at the recent AISA national conference.
Many hospitals, he adds, are affiliated and linked with universities that create follow-on effects in terms of proliferation of ‘shadow IT’ that can facilitate exfiltration of sensitive data.
Read more: CSOs consolidating security as users’ “short memory spans” foster ongoing issues: exec
Other attacks – for example, the malware attack that paralysed part of the Royal Melbourne Hospital in January – reflect the healthcare sector’s ongoing vulnerability to conventional ransomware and other malware attacks, occasioned by the large number of staff and often antiquated systems.
“Unsolicited email into healthcare is a fact of life,” Holtham says. “From my work with health bodies in Australia, we are seeing thousands of ransomware attacks into healthcare per day.”
“It’s not so much leakage out as the lack of control,” he continues. “Leakage becomes a funding and organisational issue, but the safeguarding of data access is as important to health organisations now as the prevention of leakage.”
Challenging budgetary constraints continue to put the squeeze on healthcare CISOs despite the proliferation of evidence suggesting that risks to healthcare organisations’ sensitive information are continuing.
“You get so used to accepting that ‘doing more with less’ is an acceptable way to run any part of IT,” Holtham says, “but sometimes you have to more with more – and recognise that judicious expenditure is what is required.”
For additional information view this 2016 HIPAA study, which covers annual trends of compliance and training.