2016 was a record year for healthcare associated data breaches. The shear number of affected patient records is astounding, a total of 15 million patient records from 355 different breaches. And this trend is likely to continue. Records are valuable targets, containing a wealth of personal information, including billing details, birth dates and social security numbers. And the sources for profiting from these thefts are numerous. Records can be held for ransom, sold to the highest bidder on the dark web, or even both.
CSO elaborates:
Flashpoint’s Director of Research Vitali Kremez said healthcare records have historically been a key economic driver of the Dark Web economy for many years due to the fact that they are such a rich source of very specific and in some cases immutable personal information that can be used to initiate many types of fraud from insurance, to identity and tax fraud. These types of fraud cost taxpayers billions of dollars annually according to the FTC.
“So much so was the glut that extensive Flashpoint Dark Web research saw fullz (full packages of personally identifiable information) actually commoditizing and the value of individual fullz decreasing. While Flashpoint has observed actors offering medical data for a bulk price of $7 per record, the industry standard for the value of an individual record is now at $0.50-$1” Kremez said.
He said information like birthdates, Social Security numbers and driver’s license information are used to fill out, submit and validate any number of fraudulent accounts or transactions such as income tax filing, financial aid applications or insurance claims. Marital status or emergency contact and employment information can also be used to guess security validation or password reset questions. And email addresses or phone numbers can be used to evade anti-fraud mechanisms such as PIN systems or multifactor authentication.
“The healthcare sector remains a highly targeted industry as it offers rich, bundled resources of financial, personal, and medical information that can be exploited and often sold within the Deep and Dark Web (DDW).”
Social Engineering: a Serious Threat
Social engineering remains a particularly potent threat. The small practice mentioned in the article was compromised via this method. An employee received an email, and then downloaded an attached file containing malicious code. This subsequently led to the employee’s computer being locked via ransomware, and allowed access to databases containing patient information.
Smaller practices often have trouble envisioning themselves as targets, holding to the idea that there are “larger fish in the sea.” However, this attitude is incorrect. Every practice needs to think about protecting sensitive information.
“The healthcare sector remains a highly targeted industry as it offers rich, bundled resources of financial, personal, and medical information that can be exploited and often sold within the Deep and Dark Web (DDW).”
All companies with a compliance obligation must remember that the point of compliance is to impose a certain level of security. Compliance comes as a result of having a good security program. Thus, being compliant does not mean you are secure, Copolitco wrote in its report. There are many things that could still result in a compromise such as an employee accidentally leaking a passphrase by getting his computer infected with malware or a bug in a web application exposed directly to the internet.
“When thinking about risk, risk analysis and mitigation as it relates to HIPAA compliance, business owners often wonder why they have to worry about security”, said Tracy Reed. Often, their attitude is, “Who would want to harm us? We are small and have nothing that would be useful or of value to anyone else.” She said aside from the threat of federal enforcement action via civil and criminal penalties, healthcare data is often valued for unexpected reasons, including extortion, reputational damage, competitive advantage and more.
Both compliance and security are ongoing efforts. There are always new vulnerabilities discovered, new versions of software coming out, and advances in the state of the art in terms of attacking and defending.
That is the reason a risk assessment is so important. An up-to-date risk assessment can help healthcare practices of all sizes understand and implement best security practices. You don’t want to be standing there wondering where you went wrong, as your patient records are traded in internet back-alleys.
Read more of this article at CSO.
