Record breakers: cyber criminals seek a taste of our medicine
As medical records go digital, hospitals and healthcare institutions are now tasked with protecting and guarding their patient’s data from cyber criminals who have spotted an opportunity to profit from the information.
Ease of access
Medical records are increasingly stored electronically. In the age of paper records, a criminal wishing to steal medical records on a relatively large scale would have to physically access a healthcare facility and make off with a filing cabinet of medical records. Fast forward to 2017, and the same information could fit onto a small USB drive. It could also be hacked remotely through a vulnerable network.
There are increasing reports of cyber criminals stealing medical records on a large scale. Cyber criminals are not merely stealing medical records of a few hundred patients. Rather, they are stealing whole databases (often involving many thousands of patient medical records) from healthcare facilities and health insurers. Such databases are then offered for sale on black markets and the dark web.
These databases sell for a high price. A database comprising of 34,000 medical records stolen from a New York hospital was reportedly on sale for 30 Bitcoins (around US$19,000), Whilst another stolen database involving 690,000 medical records is reportedly selling for 643 Bitcoins (around US$411,000) – advertised on the dark web.
Surely, your visit to your GP about a spate of migraines or a troublesome tennis elbow is of no concern to people you have never met, let alone a cyber criminal who might be operating from another country. The reason for the interest is medical records are highly valuable to cyber criminals which are easily monetised as tradable goods on the black market.
Medical records often contain valuable personal identifiable information, including names, addresses, email addresses, phone numbers, gender and age. Such information from stolen medical records is sold on online black markets and to organised cybercrime syndicates where they can fetch a high price. This price is often up to 10-20 times more than the price of a stolen credit card, and in the region of on average US$82 per record. The more valuable the personal information contained on a medical record the higher the value it attracts.
A stolen medical record which contains the work and personal email address of the patient can be sold on certain online underworld networks for as much as US$200 a record. The reason why medical records are more valuable than a stolen credit card number is because a stolen credit card is easily cancelled, but the information from a medical record can be used repeatedly; which makes a medical record so much more valuable.
Catch me if you can
What can be done with a medical record once it is sold on the black market?
Organised cybercrime syndicates use the data from stolen medical records to commit fraud and identity theft. The personal identification information is used to apply for loans or credit cards, open bank accounts, make online transactions and conduct other illegal activities without the victim’s consent and knowledge.
Records containing email addresses can be used to deliver malware through phishing and spam attacks to a person whose medical record has been stolen. If cyber criminals have a chance of hacking a user, they need email addresses to send their malware to. A medical database that contains thousands of email addresses of patients is worth a pot of gold to a cyber criminal, as it increases their attack surface. Better still, if those records contain the work email addresses of patients, cyber criminals can use that email address as a gateway to try to breach a company’s network and deliver malware.
The stolen data can be used for blackmail to extort money from a person whose reputation might be affected by the publication of their medical records.
Increasingly, cyber criminals are seeking to extort money from healthcare facilities and medical practices by threatening to publicly leak patient medical records that they have stolen. Samples of the stolen data that is threatened to be published are often disclosed to the entity that has been hacked. Such a threat is also sometimes accompanied by the threat that they will also publicly disclose the vulnerability in the entity’s IT system that allowed it to be hacked.
Assessing the breach
For healthcare organisations, the repercussions of a data breach are serious. In addition to the loss of reputation and patient trust, they risk incurring significant losses from:
- Expenses related to the costs of IT and forensic investigators to prevent a further breach.
- Fines that might be levied under the Data Protection Act 1998
- Costs associated with providing affected patients with reparational support such as identity theft protection and credit monitoring services.
- Damages payable to affected patients who have suffered breach of their personal data.
Digital medical records provide lucrative opportunities for cyber criminals.
As medical records have gone digital, cyber criminals have spotted an opportunity to steal and profit. The data contained in healthcare records can be used in a number of different ways and we can only expect that cyber criminals will find new and novel ways to further abuse and exploit the data they have stolen in medical records.
For hospitals and other healthcare institutions, this means that not only will they, on a daily basis, be tasked with saving patient’s lives but also protecting and guarding their patient’s data. The data protection aspect has become even more pertinent due to the prospect of increased fines under the new EU General Data Protection Regulations (GDPR) which are set to replace current UK Data Protection Act 1998 laws from 28 May 2018. Non-compliance with the GDPR will attract heavy fines of up to 4% of a company’s global turnover or €20 million; whichever is higher.