Healthcare Data: Everything Has a Price; Everything Has Value

Unsurprisingly, the healthcare sector continues to be an attractive target as stolen data continues to provide value to a diverse threat actor set. Indeed, criminals and actors associated with traditional cyber espionage activities have conducted some of the more news-garnering incidents over the past few years. What's more, depending on the actors' intent, all types of information have been sought after and stolen by these groups and individuals, including financial and insurance-related information, personally identifiable information, and even the health records of patients. The targeting of these different types of data should demonstrate to the healthcare industry that there is no benign data when it comes to healthcare, and that strategies must be designed to safeguard any and all types of data that relate to patients and their care treatments.

Personally identifiable information (PII) has always been a valued commodity among cyber criminals, and the cyber underground is rife with member-only forums that put a rather inexpensive price tag on PII. A recent news article reports that identities in packages of up to 100 could cost as little as 25 cents apiece in a marketplace like AlphaBay. Such packages include names, addresses, Social Security numbers, dates of birth, and relevant bank account information. However, what has been emerging for the past couple of years is that healthcare-related PII is being valued more than standard PII. According to one source, medical information is worth 10 times more than your credit card number on the black market, and includes diagnosis codes and policy numbers, in addition to standard PII.

A June 2016 attack demonstrates how cyber thieves continue to be innovative in their approaches to harvesting healthcare-related information for profit. In one particular instance, four U.S. healthcare organizations were successfully exploited by a hostile actor who stole a substantial amount of patient data that included MRI results, X-rays, treatment notes, and patient-specific biometrics. Regardless of whether the actor had a predetermined goal for stealing this information, it is evident that any and all information is of value to someone as long as they are willing to pay a price for it.

This immediately leads to the question of how patient-specific data such as MRI results, biometrics, and X-ray images could benefit another party. Some believe that such theft is more hype than actual substance, as they believe that stealing someone's DNA is not particularly useful if you can't use it. However, there is a contrary opinion that the theft of such information can actually be helpful depending on how it is to be used. Take for example the 2015 Anthem breach in which suspected Chinese espionage hackers targeted these organizations and compromised as many as 80 million customers, many of whom were employees of the U.S. federal government. It has never surfaced that this information was monetized en masse in the criminal underground (although to be fair, that may still occur; stolen databases do not have to be monetized right away), leading many to hypothesize that the involvement of actors typically engaged in espionage activities must mean that this information has an intelligence value. Their reasoning is that the information aggregated from the 2015 Office of Personnel Management breach and the Anthem breach could be used to identify U.S. spies and undercover operatives.

Furthermore, researchers continue to demonstrate that the more cyber security embraces and adopts biometrics-based applications, the more hackers can shift their energies toward exploiting them, continuing to beat security practices by compromising biometrics-related information. This has led many researchers to conclude that biometrics may be easier to exploit than passwords, largely because biometrics such as fingerprints were never designed to be secret. Many researchers have beaten Apple's TouchID technology by creating fake fingerprints via a variety of methods. Researchers have even demonstrated the ability to beat facial recognition software. At one security conference, one attack successfully spoofed four of the five systems they tried, largely by harvesting photos from social media and online sources.

The takeaway from this is that the healthcare industry may be the top target for both cyber criminals as well as cyber espionage actors because the very information that they possess can be used in many ways.  Even just access to this information is at a premium, judging from the multiple ransomware attacks that targeted healthcare in the first half of 2016.  While some U.S. hospitals have incurred fines by the U.S. Department of Healthcare and Human Services for their cyber security compliance failures with respect to protecting healthcare information, this is too little too late.  Healthcare-related organizations need to understand that they are a prime target for all types of attackers that continually demonstrate innovative and cunning ways to steal the information they want.

Even after the negative attention garnered from large data breaches, and the Health Insurance Portability and Accountability Act’s continued efforts in evolving security guidelines for the industry, some healthcare organizations continue to operate in a security vacuum.  One recent survey found that approximately 32 percent of hospitals and 52 percent of non-acute providers – such as outpatient clinics, rehabilitation facilities and physicians’ offices – are not encrypting data in transit, and only 61 percent of acute providers and 48 percent of non-acute providers are encrypting data at rest.  This type of security approach must change.

The healthcare industry as a whole needs to be more proactive in designing risk management strategies and incident response plans to quickly identify, mitigate, and remediate hostile cyber activities against their networks. Trying to play catch-up against a dynamic threat is a no-win situation, and fines, no matter how steep they are after the fact, will not assuage concerns that the institutions on which patients rely to protect their most private information have failed them.

This is a guest post written by Emilio Iasiello.
