Some things should never be sold, but everything has a price for the wrong people.
…in the last nine months one in ten health records of every man, woman and child in the United States has been compromised. (HIPAA Journal, “September 2019 Healthcare Data Breach Report”)
Cyberdefense is a quickly changing landscape akin to any physical battleground except for one thing. In real-world battles the attacker must also worry about getting shot.
In cyberwarfare, attackers are very rarely caught, so they can operate without giving much thought to their own defense. The result is a one-sided match: attackers continuously exploit weaknesses, and when defenders do manage to respond effectively, the attackers simply move on to the next unhardened target, easily and immediately.
2019 has been healthcare’s turn. In just the first three quarters of the year, three times as many healthcare records have been compromised as in all of 2018. That is 37.7 million records so far, over 10% of the country’s total population. That’s right, in the last nine months, one in ten health records of every man, woman and child in the United States has been compromised.
Why Health Records? Why Now?
Of all the potential targets for cybercriminals, healthcare organizations are not an obvious choice. HIPAA regulations enforce a certain amount of security, making them more hardened than many other options. Why attack a difficult target when there are easy pickings still available?
The prize. Healthcare records are sold on the Black Market for $250 per record on average, and for up to $1,000 (US Department of Health and Human Services, “HC3 Intelligence Briefing Update Dark Web PHI Marketplace”). That means a heist of some 1 million records can be worth up to $1 billion, and more likely around $250 million, to the perpetrator. That makes the 2005 Fortaleza bank robbery in Brazil, the top bank heist of all time at some $70 million USD stolen, look like peanuts. Premium peanuts, but still peanuts compared to the many successful medical records heists in this year alone.
Then there is the personal safety. Sure, it is a serious crime to even attempt hacking a healthcare organization. But the risk is minor compared to a traditional bank robbery. A hacker isn’t going to be shot with a gun. Nor is it even likely that they will be caught and tried for their crimes. And only a fraction of tried cybercrimes result in conviction; most cases are too difficult to prove for prosecutors to have a chance in court.
These two factors together make healthcare cybercrime an extremely attractive line of work. Even though it is very possible for a cybercriminal in a managerial-level position to earn $2 million per year, that individual still enjoys more job security than your average CEO, who has an average shelf life of 5.0 years (Harvard Law School, “CEO Tenure Rates”). It’s no wonder so many smart people are loosening their morals to move into this ‘industry’.
What do cybercriminals do with your health records?
The first thing a hacker will do with health records is turn around and immediately sell them to the highest bidders on the Dark Web. The data is then used for any number of scams, frauds, and identity thefts. Healthcare records contain several different types of information, which makes them more versatile in their potential uses:
- Data accuracy and relevance tend to be higher than in other record types
- They contain permanent information, such as medical diagnoses, SSN, billing, insurance and other Personally Identifiable Information (PII) capable of penetrating the most common failsafes in finance and healthcare
The accuracy and unchangeable nature of health records make them the key to multiple different crimes.
Although other types of data can be used to drive financial fraud, health records are ‘better’. Personally identifiable information is often used to verify applications for loans, lines of credit, and credit/banking profiles, as another line of defense against bad actors. A credit card number might enable a criminal to go on a shopping spree, but the financial system is becoming very good at detecting aberrations quickly and closing the account. A health record, by contrast, can be used to establish a brand-new credit or banking profile in the individual’s name and then max out the line of credit, because all security checks will be sent to the perpetrator, not you.
Medical Identity Theft
A shopping spree is costly, but Medical Identity Theft can easily cause bankruptcy. Nefarious individuals use the information from medical records to fill prescriptions for drugs that they can then sell, to falsify medical insurance claims worth tens of thousands, or to schedule surgeries and medical procedures under your name. The stakes in Medical Identity Theft can be much higher than in Financial Fraud, and the healthcare system has not yet developed the resources to defend you.
What can you do to defend yourself from Medical Identity Theft?
It is only a matter of time before the healthcare system will respond with the defensive measures and failsafes necessary to limit the monetary value of medical records, but until then everyone needs to take extra precautionary measures to defend themselves, loved ones, and their entire network.
We suggest you navigate to the Federal Trade Commission’s Guide to Medical Identity Theft right now, and if you don’t have time to read the page, bookmark it and schedule some time to take recommended actions as soon as you can.
If you are a business or organization, then we recommend your entire team learn more. One compromised team member can be used as leverage to gain entry into the business network, so you want to ensure that your team members are taking precautionary measures, as well.