Stolen Medical Data Is Now A Hot Commodity

While credit cards are selling for a dollar or less on the black market, personal health credentials are commanding as much as $10 per patient. Here’s why.

Lysa Myers, Security Researcher, ESET

October 14, 2014

4 Min Read
(Image: By Flickr user <a href="https://www.flickr.com/photos/mc4army"target="_blank">MC4 Army</a> [<a href="http://creativecommons.org/licenses/by/2.0"target="_blank">CC-BY-2.0</a>], <a href="http://commons.wikimedia.org/wiki/File%3AWinn_Army_Community_Hospital_Pharmacy_Stays_Online_During_Power_Outage.jpg"target="_blank">via Wikimedia Commons</a>)

This last year has been brutal in terms of breaches involving the theft of credit and debit card data. Oh sure, it’s been tough for retailers, but how has it been for criminals? With such a glut of card data on the carder market, the prices are being gutted. How are thieves supposed to turn a profit in light of this oversupply?

Fear not, gentle reader! There is plenty of valuable data out there for an enterprising miscreant to sell to make the payment on his or her beloved BMW. And it looks like they’ll be coming after your medical data next.

You may be skeptical as to why a criminal would care about knowing when you got your cholesterol checked, or what allergy meds you’re taking. For better or worse, this is not the only information that is stored at your doctor’s office. Besides your name, address, and billing information, the files there also have your social security number, birth date, insurance policy number, and diagnosis codes. While this is useful for basic identity theft, it’s also incredibly lucrative for medical fraud. Criminals can use this data to buy drugs or medical equipment, or to file fraudulent insurance claims.

Credit cards can now go for a dollar or less on the black market, but stolen health credentials may sell for as high as $10 per patient. Since most credit card companies have robust fraud detection (and many people know to check their monthly statements for anomalies), thefts are often spotted relatively quickly. This is not yet so for medical data theft, which means criminals may be able to rack up purchases for months or even years before they are detected.

When criminals decide what kind of data to steal, they’re not moving towards health credentials simply because they’re worth a lot of money on the black market. Opportunity is another major factor because health records today are not exactly guarded like Fort Knox. This makes it relatively easy to break into healthcare facilities’ networks. In fact, for both cultural and practical reasons, hospitals and clinics can be some of the easiest organizations to breach.

A caring culture
From a cultural perspective, healthcare practitioners are most concerned with their patients’ physical well-being. While this is great for your health, it may give rise to an erroneous sense of security in practitioners’ false beliefs that criminals would not attack the infrastructure of people trying to help others. Doctors and nurses may also argue against measures meant to increase security if they divert budget from medical equipment and supplies, or if they feel they might slow them down in an emergency. These are valid concerns, but not mutually exclusive.

I say this because security is important to patients and their health too. Identity theft and medical fraud cause a lot of stress, at the very least. And stress, as we all know, is not good for anyone’s health and well-being.

There are other, practical reasons healthcare facilities may be more at risk. Because many medical devices are meant to last for decades rather than the few years between OS updates, there is quite a lot of medical equipment that still uses Windows XP Embedded. This means those machines may be much easier to breach, unless extra measures are taken to protect them. Once an attacker is inside a network, it may be quick work to reach databases holding patients’ data.

You may be thinking that HIPAA regulation should cover all this, and thus cover medical data. But compliance is not the same thing as security. Organizations may follow the letter of the law to avoid paying fines after a breach, regardless of whether they actually protect assets.

In fact, there has been an increase in medical data breaches. According to the Identity Theft Resource Center, in 2013, 43.8% of breaches were in the health and medical sector versus 34.9% in 2012. According to the Privacy Rights Clearinghouse, this number reached 45% of the total in 2013. While the business sector still represents the largest number of records lost (largely due to mega breaches such as the Target breach), it makes up a significantly smaller percentage of general organizations breached.

It’s always still a good idea to maintain good security on credit and debit cards, but it’s also a good time to become more security-aware of our medical data too. How secure are your medical records and what -- if any -- steps can InfoSec pros take as individuals to keep them out of the hands of criminals? Share your thoughts in the comments.

About the Author

Lysa Myers

Security Researcher, ESET

Richard Roth leads Dignity Health's innovation efforts, which seek to create and test novel services, programs, partnerships, and technologies – from within and outside of healthcare – that challenge the status quo and have the potential to reduce the cost of care, improve quality, and/or increase access to services. Working in concert with Dignity Health employees and physicians, he works to anticipate emerging trends and technologies with the goal of incubating, studying, and scaling efforts to improve care. He led Dignity Health's efforts in forming SharedClarity, a novel new startup focused on creating transparency into medical device performance in an effort to improve patient outcomes and lower the cost of care. Roth holds a Master's degree in healthcare administration from the University of Minnesota and a Bachelor's degree in public health from West Chester University.  

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights