TekSec

My Scribbles on security and whatever strikes my fancy . . .

Healthcare hackers & their dirty little secrets

August 19, 2015 By teksquisite


In the world of cybersecurity, the healthcare industry is under siege. A Google search for “healthcare breach” now yields about 28,000,000 results, while a Google News search returns 100,000 news articles. Stolen healthcare insurance credentials are like a significant other to a hacker and may reveal things we would prefer to keep private and hidden. In 2015, healthcare data breach victims appear to be adrift with little or no protection or navigation.

“The risk for ongoing data exfiltration, theft and subsequent HIPAA (Health Insurance Portability and Accountability Act) violations has never been higher.” -Moshe Ben-Simon, Electronic Health Reporter

Statistics

The 2015 Ponemon Institute Benchmark Study on Privacy and Security of Healthcare Data¹ stated that data breaches could be costing the healthcare industry approximately $6 billion. More than 90 percent of the respondents surveyed lost data, and 40 percent had more than five data breaches within a two-year period. Compared to five years ago, criminal attacks on healthcare organizations are up a whopping 125 percent and are now the leading cause of data breaches. Unfortunately, only 40 percent of the organizations surveyed were concerned about cyber attacks.

Wall of Shame

Since 2009, the Health and Human Services (HHS) Office for Civil Rights (OCR) has published all data breaches that involve 500 individuals or more online at The U.S. Department of Health and Human Services Breach Portal. This section of the HHS website is known to the healthcare industry as the infamous “Wall of Shame.”

HHS definitions²

  • Health plan: Any individual or group plan (or combination) that provides, or pays the cost of, medical care.
  • Health provider: Any person or organization that is paid for health care in the normal course of business.

I performed a filtered query using the advanced search feature for unsecured protected health information (PHI) for a 2-year period:

The Health Plan category returned 80 records, of which 13 affected more than 50,000 individuals, with network servers as the primary location of the hacked data and hacking/IT incidents as the most popular mode of entry into the network. One server was stolen.

The Healthcare Provider category returned 364 records, of which 17 affected more than 50,000 individuals. The data was located on network servers, desktop computers, other portable electronic devices, and paper/films, and the top 3 modes of entry were hacking/IT incident, unauthorized access/disclosure, and theft.


Marketing Techniques

Two years ago, Dell SecureWorks reported that underground marketplaces were selling individual healthcare insurance credentials for $20 each that included “names (more than one for spouse & family coverage), date(s) of birth, contract number, group number, type of plan (Individual/Group, HMO/PPO, deductible and copay information), and insurer contact information for customer service and filing claims.”

With all of the paranoia going on in the marketplace since the Silk Road bust, hackers have become more insidious and secretive with their marketing techniques and the sale of stolen healthcare data. Seasoned hackers conduct sales behind closed doors via private encrypted messages or make other stealth arrangements. They know that the underground markets are teeming with security researchers and law enforcement (LE), so they tend to be diligent about anonymity and consistently tighten up their OPSEC (operational security) practices.

Victims

To the hackers, the data is merely numbers and codes. But there are real people victimized by data breaches. For example:

“Taylor” is a popular keynote speaker in his industry and suffers bouts of severe depression and is in therapy for self-harming behaviors; his wife “Jamie” works for a Fortune 500 company and has been in treatment for bulimia for 18 months. Both husband and wife believed that their medical conditions were private and only shared between their treatment team, electronic medical records (EMR), and themselves. Not anymore. If data is the new currency, the bad guys appear to be winning.

The Winner Takes All

Though stolen credit card data still flourishes in the underground marketplace, it has a short shelf life, and the vendors are aware that stolen cards will immediately be canceled once the bank detects fraud. In contrast, stolen medical credentials are a whole different ballgame. Medical identity theft can go undetected for weeks, months, and even years. Many victims are unaware that their medical records have been breached until they receive a bill from the hospital or are harassed by a debt collector. The trickery rarely stops at this juncture, because the victim may now have a medical history combined with the thief's.

The value behind stolen healthcare data

  • There are many opportunities for fraud when data is combined with a social security number, birthdate, health history, etc.
  • The data can be sold to uninsured buyers who can then file false claims using the policy ID number with a fake provider number.
  • The thieves can file fraudulent insurance claims.
  • The data can be used as a precursor for identity theft.
  • Thieves can use the data to open up new credit accounts.
  • The victims can be targeted for phishing email and ransomware.
  • The thieves can obtain prescription medication to resell on the black market.
  • It can take years for this type of breach to be identified.
  • In the underground, personal health data is far more valuable than credit card data.
  • Thieves could also use extortion as a tool to threaten policyholders with medical disclosure.
  • Victims could be stalked.

Treacherous Terrain

The cyberthreat landscape is changing at an ominous pace. As the healthcare industry continues to transition to EMR and data breaches grow more difficult to detect, healthcare providers must make security a requisite. Caring for patients now means securing their PHI.

In my next article I will share what vulnerabilities you should be looking for in your healthcare environment and tips to increase information security.

 

Footnotes

1 ID Experts. “Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data.” Ponemon Institute© Research Report 2015. Web. 11 August 2015. https://www2.idexpertscorp.com/fifth-annual-ponemon-study-on-privacy-security-incidents-of-healthcare-data

2 U.S. Health & Human Services. “Entities Covered by the HIPAA Privacy Rule.” 2003. Web. 13 August 2015. http://www.hhs.gov/ocr/privacy/hipaa/understanding/training/coveredentities.pdf


This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. For more on these topics, visit Dell’s thought leadership site Power More. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

