How valuable is personal healthcare data?
Apparently it depends. Based on at least some price comparisons on the
Dan Berger, president, Redspin
And the Identity Theft Resource Center (ITRC), in a recent blog post, said the low prices are simply a matter of supply and demand. “There is such an abundance of stolen medical information available on the Dark Web that the value of these complete records has been slashed to less than half of what they used to be worth,” the ITRC said.
Indeed, its potential uses are perhaps more varied than data stolen from any other industry sector. James Scott, cofounder and senior fellow at the Institute for Critical Infrastructure Technology (ICIT), noted that it can be, “exploited for prescriptions, sold and resold, used for fraud or identity theft, and can be combined with other stolen data to generate holistic victim dossiers. In some less common instances it may be used for blackmail.”
To that, Wirth adds that the data can be used, “to establish a travel profile for government employees, based on vaccinations received, the sale of newsworthy medical incidents about celebrities and the use of medical data in legal disputes.”
Then there is the reality that much medical information – employment information, Social Security numbers, medical history, family members, physical descriptors – can’t be changed like a credit card account number. It is persistent, which means it is likely to retain its value for years, if not decades.
And one more thing: It is relatively easy to get. Healthcare organizations do pretty well at keeping their “customers” safe under their care. Unfortunately, they are not so good at keeping those customers’ personal data safe.
That weakness, widely known in the cyber criminal world, is one of the reasons healthcare organizations are such an attractive, and common, target, as multiple organizations have reported.
IBM called 2015 “the year of the health care breach,” in its 2016 Cyber Security Intelligence Index.
The ITRC and IDT911 reported in April that while the medical sector ranked second to business in the percentage of breaches reported – 35.4 percent to 40 percent – it was far into first place for the number of records compromised – at more than 113 million, or 66.7 percent of the total.
David Finn, health IT officer at Symantec, said his firm’s Internet Security Threat Report for 2015 had similar findings – 39 percent of all breaches in 2015 were within health services. “Based on what we have seen on public notifications so far, we would, unfortunately, expect this trend to carry forward in 2016,” he said.
David Finn, health IT officer, Symantec
Still, the 15.4 million records compromised this year means a lot of lives seriously disrupted. Scott noted that this past June, “the script kiddie ‘thedarkoverlord’ offered 9.3 million healthcare records on TheRealDeal market on the Deep Web.”
Earlier that month, the same person had offered more than 1 million records from three different organizations – activities documented in an ICIT report in September titled, “Your Life, Repackaged and Resold: The Deep Web Exploitation of Health Sector Breach Victims.”
Ted Harrington, executive partner at Independent Security Evaluators, added that the success of ransomware attacks against healthcare organizations means more criminals will be drawn to it. While ransomware is not necessarily aimed at stealing data, Harrington said attacks such as those against Medstar and Hollywood Presbyterian, “prove that it is a viable revenue channel for attackers.”
This is not likely to change soon. The reasons why healthcare data remains so accessible to cyber criminals are easily explained but difficult to address.
Ted Harrington, executive partner, Independent Security Evaluators
Berger noted that it is, “inherently difficult to safeguard. It is a real balancing act. Too many controls and you might prevent doctors from accessing information they need to treat a patient; too few controls and that same information could end up in the wrong hands.”