Cybercriminals are spreading into the healthcare sector even though the price per stolen medical record remains lower than for comparable financial account crime.
From hospitals becoming victims of hacking attacks to Olympic champions getting their health records leaked by hackers, the health sector has become a major target for cybercrime.
The most lucrative cybercrime targeting healthcare industry data is aimed at stealing industrial secrets from pharmaceutical or biotech firms. There’s a “concerted effort” by cybercriminals to recruit health care industry insiders as accomplices in these thefts. Efforts to recruit insiders are far from subtle and can include brazen online ads and offers sent through social media, according to a new study (PDF) by Intel Security.
Intel Security researchers found evidence that formulas for next-generation drugs, drug trial results, and other business confidential information are all of potential interest to hackers turned industrial spies. Confidential data is stored not only by pharmaceutical companies but also by their partners and (sometimes) government regulators.
Cybercriminals are taking advantage of the cybercrime-as-a-service market to execute their attacks on healthcare organizations through, for example, the purchase and rental of exploits and exploit kits in order to attack targeted organizations.
Away from the top end of the scale there’s even a market for the health records of ordinary people. Stolen medical records are available for sale from $0.03 to $2.42 per record, McAfee Labs reports. Comparable stolen financial account records are available for around $14.00 to $25.00. And credit and debit card account data is available for $4.00 to $5.00 per account record.
Protected health information could include family names, mothers’ maiden names, social security or pension numbers, payment card and insurance data, and patient address histories. Easier-to-monetize credit card information commands a greater price on black markets, at least for the immediate future, as Intel Security explains:
Upon stealing a cache of medical records, it is likely cybercriminals must analyze the data and perhaps cross-reference it with data from other sources before lucrative fraud, theft, extortion, or blackmail opportunities can be identified. Financial data, therefore, still presents a faster, more attractive return-on-investment opportunity for cybercriminals.
“In one case, a relatively non-technically proficient cyber thief purchased tools to exploit a vulnerable organization, leveraged free technical support to orchestrate his attack, and then extracted more than 1,000 medical records that the service provider said could net him about $15,564,” Intel Security reports.
Raj Samani, Intel Security’s CTO in EMEA and author of the McAfee Labs’ Health Warning report, said: “Given the growing threat to the industry, breach costs ought to be evaluated ... in terms of time, money, and trust – where lost trust can inflict as much damage upon individuals and organizations as lost funds.”
“When a well-developed community of cybercriminals targets a less-prepared industry such as health care, organizations within that industry tend to play catch-up,” Samani continued.
“Gaining the upper hand in cybersecurity requires a rejection of conventional paradigms in favor of radical new thinking. Where health care organizations have relied on old playbooks, they must be newly unpredictable. Where they have hoarded information, industry players must become more collaborative. Where they have undervalued cyber defense overall, they must prioritize it.”