10/14/2014
11:00 AM
Lysa Myers
Commentary

Stolen Medical Data Is Now A Hot Commodity

While credit cards are selling for a dollar or less on the black market, personal health credentials are commanding as much as $10 per patient. Here's why.

This last year has been brutal in terms of breaches involving the theft of credit and debit card data. Oh sure, it’s been tough for retailers, but how has it been for criminals? With such a glut of card data on the carder market, the prices are being gutted. How are thieves supposed to turn a profit in light of this oversupply?

Fear not, gentle reader! There is plenty of valuable data out there for an enterprising miscreant to sell to make the payment on his or her beloved BMW. And it looks like they’ll be coming after your medical data next.

You may be skeptical as to why a criminal would care about knowing when you got your cholesterol checked, or what allergy meds you’re taking. For better or worse, this is not the only information that is stored at your doctor’s office. Besides your name, address, and billing information, the files there also have your social security number, birth date, insurance policy number, and diagnosis codes. While this is useful for basic identity theft, it’s also incredibly lucrative for medical fraud. Criminals can use this data to buy drugs or medical equipment, or to file fraudulent insurance claims.

Credit cards can now go for a dollar or less on the black market, but stolen health credentials may sell for as high as $10 per patient. Since most credit card companies have robust fraud detection (and many people know to check their monthly statements for anomalies), thefts are often spotted relatively quickly. This is not yet so for medical data theft, which means criminals may be able to rack up purchases for months or even years before they are detected.

When criminals decide what kind of data to steal, they’re not moving towards health credentials simply because they’re worth a lot of money on the black market. Opportunity is another major factor because health records today are not exactly guarded like Fort Knox. This makes it relatively easy to break into healthcare facilities’ networks. In fact, for both cultural and practical reasons, hospitals and clinics can be some of the easiest organizations to breach.

A caring culture
From a cultural perspective, healthcare practitioners are most concerned with their patients’ physical well-being. While this is great for your health, it can breed a false sense of security: practitioners may believe that criminals would not attack the infrastructure of people trying to help others. Doctors and nurses may also argue against measures meant to increase security if those measures divert budget from medical equipment and supplies, or if they feel they might slow them down in an emergency. These are valid concerns, but security and patient care are not mutually exclusive.

(Image: By Flickr user MC4 Army [CC-BY-2.0], via Wikimedia Commons)

I say this because security is important to patients and their health too. Identity theft and medical fraud cause a lot of stress, at the very least. And stress, as we all know, is not good for anyone’s health and well-being.

There are other, practical reasons healthcare facilities may be more at risk. Because many medical devices are meant to last for decades rather than the few years between OS updates, there is quite a lot of medical equipment that still uses Windows XP Embedded. This means those machines may be much easier to breach, unless extra measures are taken to protect them. Once an attacker is inside a network, it may be quick work to reach databases holding patients’ data.

You may be thinking that HIPAA regulation should cover all this, and thus cover medical data. But compliance is not the same thing as security. Organizations may follow the letter of the law to avoid paying fines after a breach, regardless of whether they actually protect assets.

In fact, there has been an increase in medical data breaches. According to the Identity Theft Resource Center, 43.8% of breaches in 2013 were in the health and medical sector, versus 34.9% in 2012. According to the Privacy Rights Clearinghouse, this figure reached 45% of the total in 2013. While the business sector still accounts for the largest number of records lost (largely due to mega breaches such as the Target breach), it makes up a significantly smaller percentage of the organizations breached.

It is still a good idea to maintain good security on credit and debit cards, but it’s also a good time to become more security-aware about our medical data. How secure are your medical records, and what -- if any -- steps can InfoSec pros take as individuals to keep them out of the hands of criminals? Share your thoughts in the comments.

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ...
Comments
worldmoneylive,
User Rank: Apprentice
9/10/2015 | 12:52:58 PM
commodity market
U.S. labor market strengthening; imported inflation weak 
TubeLugs,
User Rank: Apprentice
12/2/2014 | 10:21:25 PM
Balderdash
"We can't expect health care practitioners to be responsible for ensuring patients information is protected"

This statement is both false and dangerous. We expect bankers to perform their primary business function AND keep our PII safe. We expect retail establishments to run their business AND protect our data. Why should we expect less from a medical chain or office?

HCPs are the front line in collecting health data. OF COURSE we should expect them to ensure it is protected. If they are not held as part of the responsibility chain, they will do nothing to improve the horrid state of data security in medical practices.

Andrew Clyne
Marilyn Cohodas,
User Rank: Strategist
10/15/2014 | 9:58:30 AM
Re: The fun part
Ideally, these HIT systems should increase practitioners' productivity and free them from the drudgery of records management. But the learning curve is steep and frustrating. And the ROI doesn't happen quickly enough, at least from the healthcare employee perspective.
Stratustician,
User Rank: Moderator
10/14/2014 | 4:06:11 PM
Re: The fun part
Sadly, I think everyone still struggles with how to properly share information between agencies (healthcare, insurance, etc.) and at the same time ensure that it is properly protected through technologies such as encryption. We can't expect health care practitioners to be responsible for ensuring patients' information is protected (their jobs are obviously to focus on providing patient care), so we really need to better enforce controls for security teams involved with these agencies. The downside is that often there is a lack of awareness and budget to properly protect these resources. There has to be a better way to create these systems moving forward.
ni@root
Data Exposures and Butthurt
I spend a lot of time looking for sensitive data. I have found close to 40 different exposures over the last month or so. One thing I find is that some organizations get upset when one of the good members of the security community finds something and reports it to them. They use terms such as "illegally accessed" or "stole records" when in each case the access was 100% legal. They just happen to not be as competent in protecting their data as they should be.

Yesterday I set out to find another exposure and in less than an hour found medical records with full SSNs. Possibly 90k-plus records exposed at one time or another. After the initial investigation on my part I will inform this company of the exposure (not breach) and cross my fingers they won't get upset. This attitude needs to change.
Marilyn Cohodas,
User Rank: Strategist
10/14/2014 | 2:41:14 PM
Re: The fun part
Several years ago a family member of mine requested a copy of a discharge report after a hospital stay and the report she received was someone else's health record. I would hope that those kinds of mistakes don't happen so much anymore. Am I being naive? 
lynnbr2,
User Rank: Strategist
10/14/2014 | 1:41:46 PM
The fun part
of this is that once something gets "posted" to your medical history, there is neither a mechanism to protest it nor to have it removed. It stays with you. And the major insurance companies have access to all of this to determine your rates, and even eligibility, for various health and life insurance products.