
Editorial: Why Do Criminals Target Medical Records

Criminals target medical records because the theft of medical records is harder to detect than other types of personal data – meaning medical records can be misused for longer than other types of personal data to commit identity theft, obtain medical services fraudulently, and other nefarious purposes.

Hackers are going to great lengths to gain access to healthcare networks. Data compiled by HIPAA Journal from breach reports submitted to the HHS’ Office for Civil Rights (OCR) show that the number of data breaches reported by HIPAA-regulated entities continues to increase every year. 2021 saw 714 data breaches of 500 or more records reported to the OCR – an 11% increase from the previous year. Almost three-quarters of those breaches were classified as hacking/IT incidents.

Healthcare organizations, especially healthcare providers, are attractive targets for hackers as they store huge amounts of valuable patient data. Large health systems store millions of patient records and even relatively small healthcare providers may store the records of hundreds of thousands of patients. The stored data is highly detailed, including demographic data, Social Security numbers, financial information, health insurance information, and medical and clinical data, and that information can be easily monetized.

How do Hackers Make Money from Stolen Medical Data?

Healthcare records are so valuable because they can be used to commit a multitude of crimes. Social Security numbers, dates of birth, and demographic data can be used to commit identity theft to obtain loans and credit cards in victims’ names. Healthcare data can be used to impersonate patients to obtain expensive medical services, Medicare and Medicaid benefits, healthcare devices, and prescription medications. Healthcare records also contain the necessary information to allow fraudulent tax returns to be filed to obtain rebates.


In contrast to credit card numbers and other financial information, healthcare data has an incredibly long lifespan and can often be misused for long periods undetected. Credit card companies monitor for fraud and rapidly block cards and accounts if suspicious activity is detected, but misuse of healthcare data is harder to identify, and the data can be exploited in many ways before any malicious activity is detected. During that time, criminals can run up huge debts – far more than is usually possible with stolen credit card information.

Stolen data can be used to develop convincing spear phishing, smishing, and vishing campaigns, where the attacker impersonates a hospital or health insurer. Medical records contain highly sensitive information about medical conditions, pregnancies, abortions, and sexual health tests, and that information can easily be used for extortion and blackmail.

Patient data stolen from healthcare organizations is often processed and packaged with other illegally obtained data to create full record sets (fullz) that contain extensive information on individuals, often in intimate detail. These full record sets are often sold on dark web sites to other criminals who use the data to obtain documentation such as Social Security cards, driver’s license numbers, and passports. The documentation allows an identity kit to be created, which can then be sold for considerable profit to identity thieves or other criminals to support an extensive range of criminal activities.

Healthcare Data Can be Used as Leverage

Many of the hacking incidents now being reported by healthcare providers involve the use of ransomware. Ransomware is used to encrypt files and prevent access, with the aim of causing massive disruption to business operations. Faced with an inability to operate, businesses are forced to pay the attackers for the keys to decrypt their data. Without access to critical systems, and especially if medical records are encrypted, patient safety is put at risk. Attacks on healthcare providers are more likely to see ransoms paid than attacks on other sectors that are less reliant on data, which is why many ransomware gangs target the healthcare industry.

These attacks prevent access to data, but recovery is possible from backups. In response, the Maze ransomware gang started exfiltrating data before encrypting files and using the stolen data as leverage to pressure victims into paying the ransom. Threats were issued to publish or sell the data if payment was not made.

Even if data can be recovered from backups, many healthcare organizations felt compelled to pay to prevent the misuse of patient data. This tactic has been so successful that many cybercriminal gangs are dispensing with encryption and are now just kidnapping data. It’s faster, attacks are less likely to be detected, and the effort required is much lower, allowing more healthcare organizations to be attacked. There may be no threat of data loss, but the reputational damage that results from the exposure of patient data can be substantial.

Healthcare Organizations are an Easy Target

Healthcare organizations store large amounts of high-value data, which makes them an attractive target for hackers, and they are often easy to attack. The IT environments of healthcare organizations are often complex and difficult to secure. Devices and software continue to be used that have reached end-of-life, as upgrading is costly and often problematic. Many healthcare providers use software solutions that have been developed to work on specific – and now obsolete – operating systems and cannot be transferred to supported operating systems.

Vast numbers of connected devices are used in hospitals. IBM’s research suggests an average of 10-15 devices are used per hospital bed, with the number of medical and IoT devices growing at a considerable rate. Keeping track of those devices and ensuring they are secured and kept up to date is a major challenge. Securing medical and IoT devices can also be problematic, as many devices have not been developed with security in mind.

Healthcare professionals need easy access to patient data. Members of the care team often work from different locations, so remote access is required, which introduces further risks. Healthcare environments are busy, and employees are often overstretched, which inevitably results in human vulnerabilities, which can be easily exploited. The healthcare industry is particularly susceptible to phishing attacks due to a combination of busy working environments, overstretched staff, and a lack of regular security awareness training. A 2021 study by MediaPro on 850 healthcare employees saw 72% of employees rated as a security risk, with only 28% demonstrating they had the skills to recognize and avoid phishing attacks.

Further, many healthcare organizations are still heavily reliant on traditional security solutions, such as network and endpoint technologies, which are not effective at securing cloud infrastructure and IoT devices.

How Can Healthcare Cybersecurity Be Improved?

Phishing, ransomware, and malware attacks on the healthcare industry are profitable, and that is unlikely to change, so healthcare organizations need to concentrate on improving their defenses and strengthening their cyber posture to make it harder for cyber actors to succeed.

The starting point should be a comprehensive risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI. Audits and investigations by OCR often identify failures with risk analyses, which are commonly not comprehensive in scope. Healthcare organizations need to ensure that they identify all systems, devices, and locations where ePHI is stored, conduct a comprehensive organization-wide risk analysis, and then manage and reduce the identified risks in a timely manner.

Cybersecurity best practices need to be followed, including conducting regular vulnerability scans, patching promptly, backing up data, implementing network segmentation, creating and maintaining an accurate inventory of all devices connected to the networks, and implementing robust access controls with multi-factor authentication.

Regular security awareness training for the workforce is a vital part of improving security posture. Security awareness training should have a strong emphasis on phishing and other attack methods that target employees and should be accompanied by phishing simulations.

Given the rapidly evolving threat landscape and the difficulty of securing the sprawling attack surface, healthcare organizations should also strongly consider implementing zero-trust architectures to protect systems and data when threat actors succeed in breaching their perimeter defenses.

Steve Alder

Editor-in-Chief, HIPAA Journal

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
