The healthcare sector remains a fertile target for cyber criminals seeking to steal information and monetize it in underground marketplaces. However, attacks against the sector continue to evolve as the focus of these criminal efforts changes. Recent events indicate that these attackers are looking for more than just standard personally identifiable information (PII) such as social security numbers, credit card numbers, or proof of insurance. One report reveals that four attacks against U.S.-based healthcare entities successfully compromised substantial amounts of patient records such as MRI results, X-ray images, patient-specific biometrics, and doctors’ treatment notes, before placing them for sale on the Dark Web. Initial reporting suggests that at least some part of this operation involved the use of a zero-day attack against the remote desktop protocol. According to one news report, one healthcare database was being offered in the underground for almost $500,000.
Targeting healthcare is nothing new, and criminals have consistently demonstrated interest in stealing data associated with these organizations. Indeed, the Federal Bureau of Investigation has been raising awareness and warning the sector of criminal interest in their information assets since at least 2014. Regardless, the volume of exploited victim data is staggering. In 2014, nearly half of reported identity thefts were of medical records, and between 2005 and 2014, 677,749,785 people’s healthcare records were stolen. In some instances, medical data has yielded higher illicit profits than standard PII, as it includes insurance policy information, billing information, and prescription data, in addition to standard patient information; however, prices have been known to vary. A June 2016 incident involving a hacker known as “The Dark Overlord” appears to have exploited a 2GB database that included the names, addresses, emails, phone numbers, dates of birth, and SSNs belonging to approximately 9,300,000 Americans.
While PII and financial information have always been sought-after commodities, earlier in 2016 there was a noticeable focus on trying to extort funds from hospitals around the world after they had become compromised by ransomware. This tactic may have had limited effect, though, as many victimized hospitals did not end up paying the ransoms (at least as was reported in the open press). The frequency of attacks, coupled with intense media coverage, appears to have encouraged the Department of Health and Human Services to issue guidelines to all healthcare organizations that could require hospitals and doctors’ offices to notify HHS if they are victimized by a ransomware attack.
Hospitals and health insurance carriers are not alone in being the focus of these activities; pharmaceutical companies are also prime targets for cyber criminals. According to one survey, nearly two-thirds of pharmaceutical companies suffered serious data breaches while a quarter of them fell victim to hacking. Whereas hospitals and insurers are rich with patient data, pharmaceuticals are rich in intellectual property and research and development data. In February 2016, a survey conducted in India discovered that the types of IP that were sought by these actors included drug discovery and clinical development programs, production processes, and manufacturing records, among others.
Cyber criminals have become more opportunistic and thorough in their targeting of healthcare-related infrastructure. They are no longer content with just seeking to gain unauthorized access into large networks, but are also seeking to compromise any Internet-connected medical devices and associated mobile technology. In one instance, cyber criminals were able to gain access to victims’ centralized electronic health records (EHR) care systems through an exploited host for EHR software.
It remains speculative what can be done with stolen X-rays and MRI scans, as they are not the typical score of these elements. The fact remains that information – any information – has a value as long as someone is willing to pay for it. What is certain is that the sale of stolen PII and medical records has been profitable for cyber criminals, and that the healthcare industry as a whole is an information-rich resource that needs to do a more robust job securing and managing all data involving patients. As one corporate security executive for a healthcare system pointed out, an individual’s electronic medical record is used over the course of a lifetime, and therefore is essentially unique to an individual. Compromise and exploitation of that information can potentially reverberate well into the future. As more medical devices enter the age of the Internet of Things, we can expect the bad guys to try to exploit any possible weakness. In light of this recent theft, protecting data, and understanding how that data can be accessed and reached, should be at the forefront of the healthcare organization’s security agenda.
By Emilio Iasiello