February set a new monthly record for the largest US healthcare breach to date in which the personal records of 80 million individuals were compromised. It also marked an apparent change in focus from attacks on delivery organizations to healthcare payers. A few weeks later, two additional health insurers reported that they too had been hacked, resulting in the possible compromise of a further 11.25 million personal records. In a period of less than 3 months, the US has seen over 91 million records and personal identities stolen from healthcare insurers alone.
The health insurers appear to have been the target of highly sophisticated cyber attacks, thought to be perpetrated from China, which involved advanced persistent threats (APTs) and spear phishing. This allowed the attackers to obtain administrative credentials, which were then used to exfiltrate the stolen data via common cloud data services.
Why the sudden focus on healthcare?
As a new Cisco Healthcare white paper shows, healthcare has been in the cross-hairs for several years. However, because healthcare information security is relatively unsophisticated at detecting attacks, most have gone unreported. The theft of someone’s bank balance doesn’t go unnoticed for very long. The theft of a large number of credit card numbers triggers banks to look for a common point of purchase (CPP) in order to identify the compromised merchant(s). The theft of someone’s personal health information (PHI) or personally identifiable information (PII) takes much longer to be noticed. Unless the FBI is involved, there is no single body to correlate all the identity theft and medical insurance fraud cases in order to identify the source.

The second factor has more to do with the market valuation of stolen data. The wholesale value of stolen credit cards on the dark net has declined rapidly over the past nine months as markets became flooded with card numbers. At the same time, cyber criminals have discovered lucrative new avenues for the disposal of stolen healthcare information by parsing the data into market categories such as personal identities, prescription information, or insurance information. Criminals are able to make much more money by selling these buckets of information to different groups than by selling the medical record as a whole.
Market values of stolen information vary greatly from day to day. The price of a medical record continues to increase, while the price of a credit card number continues to decrease. By some estimates, a stolen credit card has a value of less than one dollar, while a medical record can fetch in excess of $45.
What does this mean for the healthcare industry? There is now little question that US healthcare organizations are being targeted by sophisticated and highly organized cyber-criminals. More alarming is that, based upon evidence gathered from recent attacks, these are not merely opportunistic thefts perpetrated by the usual collection of Eastern European gangs, but lengthy, costly, advanced persistent attacks that may have been orchestrated by state actors for reasons other than the monetization of stolen data. The investigations of all three attacks are not yet conclusive, but it is safe to assume, no matter who the perpetrators are, that healthcare is now being targeted. This is especially true in the United States, where personal health records contain so much valuable information.
The targeting of healthcare is something that cybersecurity experts, including myself, have been warning about for several years. Healthcare is poorly protected compared to other industries and ranks close to the bottom in information security spend. It is unsurprising that the information systems of payers, providers and bio-pharmaceutical organizations are considered low-hanging fruit by cyber-criminals.
What’s more alarming is the inability of the industry to respond to this now widely acknowledged threat. Healthcare simply does not have the people, processes or technology to protect itself quickly against the onslaught. Furthermore, it lacks the financial resources to hire the expertise needed to fix information security programs or to purchase the advanced security services and tools needed to protect its non-public data. According to ABI Research, healthcare cybersecurity spending will reach only $10 billion globally by 2020. That amounts to less than ten percent of global spending on critical infrastructure security today.
What is needed is a better understanding of the threats and vulnerabilities, and of the necessary transformations in the way healthcare is run and funded. This should include a much greater emphasis on cybersecurity and on the protection of the information that individuals entrust to their doctors and healthcare insurance providers.
Read more on the changing threats to healthcare and the challenges facing the industry in Cisco’s white paper: Combating Cybercrime in the Healthcare Industry.
A shorter version of this blog was first published here. To view comments or join the discussion on this article or the questions it raises, please follow the link above.