While the deep web isn't all bad, there are plenty of shady areas where it earns a bad reputation.
Researchers at the Institute for Critical Infrastructure Technology discovered that firsthand. While compiling research for a new study, they stumbled upon marketplaces where users can buy prescription drugs, access government and pharmacy databases, and buy medical information from stolen electronic health records.
The study – Your Life, Repackaged and Resold: The Deep Web Exploitation of Health Sector Breach Victims – gets at the heart of why medical data breaches run so rampant: The stolen data is more versatile and valuable than other breached information, like credit card numbers. To complicate the issue further, health care organizations are not putting enough money and resources into protecting all that sensitive data.
Want to buy health insurance credentials? It might cost $20. If someone wanted to buy "fullz," which include health insurance credentials, bank account numbers, Social Security numbers and other personally identifiable information, it could run anywhere from $5 to $500. If an individual wanted everything on a person, they could buy "kitz," ranging from $1,200 to $1,300.
During the past two years, James Scott and the ICIT have received inquiries from law enforcement, hospitals, small physician offices and health-sector organizations looking for guidance on how to handle the aftermath of a data breach. After hearing these concerns, Scott, a Senior Fellow at the ICIT, and his team decided to dive in.
“When you go on some of these forums, there's this techno-voyeuristic element at play. You go in and you can tell that there was chatter and threads were moving. When a new handle is introduced, things almost stop and it’s really eerie,” Scott said in a phone interview with Privacy Tech. “They are wondering why you are in there. Are you a vendor? Do you have stuff to sell? Paranoia is very high.”
He and the ICIT concluded that health care information is ten times more valuable than financial data because it has more uses, and health care fraud is more difficult to track.
“Hackers realize that it is simple to cancel a credit card, [but] difficult to change a Social Security number, and nearly impossible to change all of the information in an EHR," the report said. “Once a hacker owns an EHR, they effectively own the victim.”
A huge problem stems from the health care industry's lax efforts to boost its cybersecurity. “The health care sector trivialized threats and ignored cybersecurity for too long. Now it is plagued by ransomware attacks, data leaks and patient database breaches, unauthorized medical network access, compromised medical devices, and copious amounts of insider threat and social engineering based fraud,” the report notes.
While hospitals may suffer fines, reputational damage, lawsuits, and loss of stakeholder support, the organizations will be able to weather the storm. Patients, on the other hand, have a far more difficult time recovering from a data breach, and health care organizations do not fully comprehend the toll the breaches take on their victims.
“They understand, but don’t want to go beyond that into the emotional toll that it takes on the human element with a single breach. We have done a lot in the health care sector, and when we bring this stuff to their attention, they all sympathize. And then you say ‘well what are you doing about it?’” said Scott. “I don’t think they look at the long term issues for children, for the elderly, for the blue collar type who aren’t very tech savvy, and have no interest in being tech savvy.”
There are currently no organizations for victims to call if their information is compromised, and attempts to stop the malicious use, dispute charges, and correct information can take up to five years.
So with all of these problems, why is the health care industry having trouble fixing the issue?
Many health organizations are poorly managed in terms of privacy, said Scott. Boards of directors are often donors, and very few have any type of privacy experience. “There’s no qualified security professionals on the advisory board, and I think that’s a big problem,” Scott said. “They flat out don’t listen when security professionals tell them you cannot Frankenstein old technology that was never meant to be attached to a network or new devices within these IoT microcosms.”
Protenus CEO Robert Lord also discussed with Privacy Tech the difficulties privacy professionals face within an organization.
“What we see is that privacy officers are systematically under-resourced and are not given the voice they need. Sometimes, they feel like they’ve got way too much on their plate,” said Lord in a separate phone interview with Privacy Tech. “It’s critical to empower them through the budget and empowering the voice that they need to actually get those privacy programs initiated; to get the technology they critically need; to understand privacy practices proactively.”
Lord, who contributed to the report, and whose company creates a patient monitoring platform for hospitals, said many companies simply are not aware of the technologies that are available to help them enhance their cybersecurity efforts.
He believes privacy professionals have the right experience needed to bring cybersecurity protocols to life. “We assuredly need the privacy and security pros on the ground [to] understand the ... threat landscape so they can make the strategic and tactical decisions that are going to drive their security and privacy programs going forward,” Lord said.
Lord also said the human and technological element must be combined for maximum results.
“Once we showed health care organizations that there are next generation ways to protect patient data, that it’s not a futile pursuit, we get them really excited, because finally they can fulfill that promise that they want to be able to fulfill to their patients,” said Lord. “I think the health care industries are aware of it. We’ve seen increases in budgets. We’ve seen increases in the employments of chief security officers, chief privacy officers, and a greater emphasis on them.”
With the health care industry continuing to be a soft target for hackers, it remains to be seen whether the cybersecurity issue gets better before it gets worse. Citing the financial industry’s recent efforts to boost cybersecurity through chip-and-pin technology, Scott said hackers will move away from difficult industries to breach.
“If the health sector does put up a solid cybersecurity perimeter around an organization, with multiple layers, and stays up-to-speed with the threats so they know how to defend, using AI, and doing everything they need to do, you’ll see the adversary landscape migrate to a different infrastructure,” Scott said.
Though concerned about the current threat landscape, Lord is optimistic. “It is going to get worse before it gets better, but we are at a critical point where we can change this story, and it doesn’t need to get much worse,” said Lord.