The Price of Health Records: Electronic Healthcare Data In the Underground

Since 2012, data breaches involving healthcare-related data have been increasing substantially. This activity reflects the growing interest cybercriminals have toward the healthcare industry and, more importantly, the data to be found in those organizations. In fact, cybercriminals are finding particular use for stolen medical data in the creation of new products to sell in underground markets.

Electronic health records (EHR) contain personal data used during medical transaction. They can be accessed through special EHR management software. An EHR may contain the following data: date of birth, medical insurance ID, Social Security number and financial information. The value in this type of data lies in the nature of the information: unlike credit card information, PII available in an EHR cannot be easily replaced or changed in the event of an attack. Data such as a patient’s Social Security number, date of birth, and medical history are unique and thus have an increased shelf life in the underground market.

Besides selling the individual pieces that comprise an EHR, this data can also be collected to create a new product, e.g. insurance cards, driver’s licenses, even come up with entirely new identities. Cybercriminals can use prescription information to procure drugs, Medicare insurance IDs offer medical insurance, and Social Security numbers to create fraudulent tax returns.

EHR-Related Documents For Sale in the Underground

Another area that we analyzed in this research was internet-connected devices in healthcare organizations. By conducting a search through Shodan, a search engine capable of indexing internet-connected devices, we found medical equipment and networks that are openly exposed and possibly vulnerable to exploitation. Our search also showed unsecured devices, exposed hospitals, vulnerable computers, and many more.

There are many reasons that contribute to the increase of data breaches in the healthcare industry. Compared to other sectors, health care data is more lucrative and can be sold in various ways. Though it is understandable that hospitals and clinics allot more resources toward patient care and improving their services, security should not be lacking.  Not only should IT administrators be knowledgeable of troubleshooting techniques, they should also be aware in data protection and actionable steps in the event of a breach. EHR software vendors also need to focus on strengthening their data security, as well as perform regular monitoring of vulnerabilities that may affect devices that run their program.

In our new research paper Cybercrime and Other Threats Faced by the Healthcare Industry, we discuss several aspects of the healthcare threat surface. In the first part, we look at how the healthcare sector has evolved as a preferred target for cybercriminals. We try to understand how stolen medical records are monetized after a breach, what types of data are stolen, how much they are sold for on the underground markets, and how cybercriminals make use of them. The second part of this paper is dedicated to the analysis of Shodan scan data which reveals what healthcare-related devices and networks are connected to the internet and are visible to everyone, including cybercriminals.