Many providers believe “I’m too small; hackers are not interested in my information.” They are wrong! If hackers can get into one provider’s office, it gives them a stepping stone for the next hack, since patient information is valuable regardless of what it is. Names, addresses, family members, medical numbers, and prescriptions all have value for the right buyer.
For hackers, healthcare information is more valuable than financial information. Financial data has a finite lifespan: it becomes worthless the second the customer detects the fraud and cancels the card or account. Most dark web hacker forums for such financial data have a high enough surplus of stolen payment cards that they hold regular sales.
Information contained in health care records has a much longer shelf life and is rich enough for identity theft, which is more profitable for hackers. Health card numbers can’t easily be cancelled, and detecting that they have been stolen or used fraudulently is more difficult. Medical and prescription records are also permanent. There’s also a large market for health insurance fraud and abuse, which may be more lucrative than simply selling the records outright in hacker forums.
More and more, we are seeing hackers go after medical records. In the US, government workers’ medical records have been scanned (attributed to Chinese spy activities), Anthem (Feb 2015) had 78 million records accessed, and recently Excellus Blue Cross (Aug 2015) had 10 million records compromised.
The FBI estimates that criminals can sell health care information for as much as $50 a record. When you consider the recent breaches in the last year alone, it represents a billion-dollar industry.
Health care breaches aren’t typically discovered through the normal black market sales the way retail breaches are, because criminals monetize health care data differently from financial data. Most hacker forums selling health care data tend to be more specialized and appeal to a more sinister crowd. Stolen health care data forums operate more like drug cartels, where health records are not sold outright, but rather used to buy and sell addictive drugs and fund the cartel.
Many experts also believe the health care breaches are the work not only of typical cybercrime gangs but also of state-sponsored, well-funded groups. Many governments would be interested in getting their hands on this data because it can be useful for building dossiers that reflect a deeper understanding of the target population. Medical and insurance records provide insights about where people live, what medical treatments they had, who their family members are, and who they work for. In the right hands this can prove to be invaluable information. For example, if you could match the health information of patients with key information on government employees with high security clearance, you would have a treasure chest that could be sold to the highest bidder.
The health care industry has been rudely awakened by these data breaches. The facts speak volumes about how badly prepared the industry is for such sophisticated attacks. Providers and payors are waking up to the realization that they have to do much better if any semblance of privacy is to survive. We can no longer give lip service to security but must act now to secure our systems, regardless of how small we think they may be.