Cyber-attacks on healthcare organisations are on the rise. The question is – why?
It’s easy to understand why criminals go after financial info. Stolen logins provide access to bank accounts. Bank card numbers and security codes can be used to clone cards and make fraudulent transactions. Full names, dates of birth, National Insurance numbers, and home addresses can be used for identity theft.
When it comes to medical information, the motivations for thieving aren’t so clear.
How do you profit from knowing another person’s pharmacy prescriptions, past and present health conditions, hospital records, online medical account credentials, or even insurance details?
A new report by security analytics company Carbon Black provides some answers.
The company examined trades and purchases of stolen data on the Dark Web to better understand how hackers use stolen, leaked, and fake medical data for their own ends.
Spoofing Medical Credentials
What criminals are really looking for is information that can be used to manufacture a fake medical background.
Fraudsters use information like insurance documents, medical diplomas, doctor licenses, and DEA licenses to steal doctors’ identities. They then submit bogus claims to the NHS or a private medical provider/private insurer for high-end surgeries.
By breaching the corporate network of a healthcare organization, cybercriminals hope to find administrative paperwork that could be used as backup to provide proof of a forged doctor’s identity.
The data is sold to an intermediary who specializes in medical identity theft.
The going price for physician identity information is roughly $500 USD per listing.
A hacker would need to make multiple sales in order to see a significant return.
Carbon Black also found an array of other patient information types readily available. For as little as $10 USD, there are fake prescriptions, medicine labels, sales receipts, and stolen healthcare cards that could be used to falsify backup for a medical claim, or obtain prescription drugs illegally.
Researchers also saw listings for stolen (private) health insurance information which could be used to make fake claims at the victim’s expense.
The idea of any unqualified person posing as a physician is pretty frightening.
What if their motivations go beyond greed and extend to malice and physical harm? What if a fantasist concocts a medical degree and starts seeing patients?
Privacy is another serious concern. Information about medical conditions could be used for blackmail, or by nation state actors as leverage to extract other kinds of sensitive information from the targeted individual.
Then there’s the issue of politically and legally sensitive advances in healthcare such as the use of medical marijuana.
A data breach at Canada’s Natural Health Services exposed the personal information of roughly 34,000 medical marijuana users – potentially putting them at legal risk were they to visit, or do business in, jurisdictions where such treatments are illegal.
The report also surveyed CISOs at healthcare organizations. Sixty six percent of them said cyberattacks have become more sophisticated over the past year, and aside from data theft, 45 percent said they had seen attacks where the objective was the destruction of data.
According to data collected by the UK Information Commissioner’s Office (ICO), 43 per cent of data breaches target healthcare organisations. The Ponemon Institute says breaches in healthcare are twice as damaging as breaches in other industries — ca. £325 per stolen record.
A dose of awareness
In healthcare and cybersecurity, prevention is often the best cure.
Here is our five-point prescription:
1. Patch and update: When malware infects a computer, it exploits flaws discovered in software. It is vital to ensure that computers and other devices are routinely updated, and any software patches issued are applied promptly.
2. Provide security awareness training: The attacks on healthcare have reached crisis point, but one way to hit back is by empowering people with knowledge. Organisations as wide-ranging as the NHS and IBM are making security awareness training a high priority. Backed by the NHS Care Computer Emergency Response Team, CareCERT, dedicated training on security issues helps staff understand the range of cyberthreats they may face. That includes phishing simulation exercises, helping employees spot fraudulent emails and avoid accidentally exposing credentials and other data.
3. Have a robust security posture: Cybersecurity is a double-edged sword with both a human and a technical edge. Used together they can deliver a holistic defence posture that tackles modern cybercrime and prevents accidental exposure from insider threats. Along with security awareness training, data should be encrypted both at rest (e.g. in databases) and in transit (e.g. Internet communications over SSL/TLS). Strong two-factor authentication (2FA) or biometric measures should be implemented to better control access to patient data.
4. Build in BYOD to security policies: As mobile device usage in healthcare accelerates, opportunities open up for a host of mobile-specific cyber-exploits. Mobile security issues include insecure Wi-Fi connections, malware-ridden apps, mobile ransomware, and careless sharing of data.
5. Test for vulnerabilities, and then test again: Penetration testing of IT systems is a way to determine if security gaps exist in your network. If they do, you are forewarned and can close them to attack. But it isn’t enough to just test and run. As you add new Cloud apps, mobile devices, or IoT devices to the system, you need to retest. All points within the expanded network are potential ways in. Regular pen testing will give you visibility of any doors that have been left open.
Want to know more? Adding security awareness training to the mix doesn’t have to be a chore. Why not sign up for a free demo and find out how we’re already helping healthcare organisations boost their defences and dramatically improve employee security awareness.