It’s a sellers’ market for personally identifiable data on the “dark web,” where stolen information is anonymously bought and sold. Like all savvy businesspeople, hackers go where the money is; right now the hottest selling commodity is medical record data—going for as much as $60 per record.
To put that in context, in its heyday, a single set of credit or debit card data could fetch anywhere from $20 to $125. But the market for card data has taken a nosedive. You can pick up a set for as low as $1 each—or $.22 for data sold in bundles.
The high prices cyberthieves charge are not arbitrary. Sophisticated cybercriminals conduct “their own market research on where they can find the data that’s most valuable in the criminal underground and they develop their attacks accordingly,” said Ed Cabrera, vice president of cybersecurity strategy at Trend Micro.[ii]
Theft is so rampant that most people don’t even realize their PHI is on the underground market—until it’s too late.
Cyberthieves Shift Focus
Credit card data was once the most sought-after by cybercriminals, who could max out the cards before anyone realized they were missing. But the cards lost their appeal when credit card companies beefed up their cybersecurity tactics, including chip technology.
What’s more, as we’ve all shifted more of our lives online, cyberthieves have shifted their focus to newly available forms of electronic personal data, like medical records. Unlike the financial sector, which implemented information technology gradually over the course of many years, health care went digital overnight when the government allocated billions of dollars to promote adoption of electronic health care records.[iii]
“With the digitization of the electronic medical records, these things are much easier to steal in bulk,” said Ben Feinstein, director of operations and development with the Dell SecureWorks Counter Threat Unit. Not only is healthcare information security decades behind the financial community, but also medical identity theft is usually not quickly identified by the patient or provider “giving criminals years to milk such credentials” according to Reuters.[iv]
Essentially, hackers are simply following the momentum of growth of digital commerce—as well as the money.
The Medical Record Gold Mine
Health care records are a “gold mine” because criminals can use them in a wide variety of ways, such as filing false medical claims, ordering prescriptions, paying for treatments and surgery, and even filing false tax returns. The sensitive data in electronic medical records is all identity thieves need to take out loans, get passports or make fraudulent tax returns, security experts say.
According to the HHS-OCR “Wall of Shame” of data breaches > 500 records[v], 112 million health records were reported as breached in 2015 due to hacking including Anthem (79 million), Premera (11 million) and Excellus (10 million). Another 2.2 million records have been reported as breached due to hacking through February 2016. A quick look at the breach report substantiates that no health care organization, regardless of size, is immune to a data breach.
The new hacking technique of ransomware saves the hackers from the exposure of a third-party sale of the information by making the information unavailable to the health care providers or payers until a ransom payment is received. The unavailability of patient information is a huge patient safety issue. Because there is no evidence that the ransomed information has actually been ‘breached’, such hacks are not required to be reported to HHS, so details of the methods are limited.
Making matters worse, unlike credit cards, which can be quickly canceled, health care information lives forever.
Prepare to be in Hackers’ Crosshairs
The message should be clear to virtually any organization dealing with medical information today: You are in the hackers’ crosshairs.
Ponemon’s Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data[vi] reports that 59 percent of healthcare organizations and 60 percent of business associates (BAs) don’t think their organization’s security budget is sufficient to curtail or minimize data breaches.
Other key findings include:
- 89 percent of health care organizations and 60 percent of their business associates experienced at least one data breach during the last two years, while 79 percent experienced two or more.
- 34 percent experienced two to five breaches and 45 percent had more than five.
- 38 percent of healthcare organizations and 26 percent of BAs are aware of medical identity theft cases affecting their own patients and customers.
Taking Proactive Action Against Hackers
To combat this growing threat, health care organizations and their service providers need to enhance their information security around personal data.
Before taking on a Whack-A-Mole approach to protecting the data, stand back and examine your Information Risk Management Program. Conduct a risk analysis, identify your high-risk vulnerabilities and make informed decisions on risk response plans. Following an established framework for a risk assessment, such as the National Institute of Standards and Technology framework recommended by HHS, gives organizations considerable advantages—including a proven foundation from which to effectively fight the ever-evolving cybersecurity war.
[i] “Hacking of Health Care Records Skyrockets” InfoSec Institute; http://www.nbcnews.com/news/us-news/hacking-health-care-records-skyrockets-n517686
[ii] “Following the Data” Dissecting Data Breaches and Debunking Myths; http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-follow-the-data.pdf
[iv] “Your medical record is worth more to hackers than your credit card”; http://www.reuters.com/article/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924
[vi] “Criminals continue to target healthcare data – Ponemon study finds”; https://www2.idexpertscorp.com/sixth-annual-ponemon-benchmark-study-on-privacy-security-of-healthcare-data-incidents