When it comes to health, prevention is the best cure. It is becoming apparent that it is time to extend this philosophy to medical data as well.
While personally identifiable information — full names, social security numbers, home addresses, dates of birth, credit card numbers — can be exploited by criminals to commit identity fraud, the theft of medical information can have an equally serious impact on victims.
Thanks to a new report published by Carbon Black, we now know exactly how hackers use stolen healthcare data to their benefit.
“Valuable data from the healthcare industry exceeds protected health information (PHI) and the hottest offerings today are provider data, forgeries, and hacked health insurance company login information,” the cybersecurity firm noted.
Carbon Black, in particular, highlights four different kinds of cyber heists:
- Hacking provider data to steal administrative paperwork — like medical licenses — to forge a doctor’s identity. This data sells on the dark web for around $500.
- Hacking an insurance provider’s login information and then selling it to a buyer, who can then reset the credentials to the database and take a victim’s identity to claim insurance. This can effectively cripple a hospital’s access to patient records and other critical systems.
- Forging health insurance cards, prescriptions, and drug labels with the intention of carrying drugs through the airport.
- Using hacked personal health information against individuals who have health issues for extortion and other crimes.
The report also included a survey of a number of chief information security officers (CISOs) from the industry. According to the survey results, 83 percent of surveyed healthcare organizations said they’ve seen an increase in cyberattacks in the last 12 months. Nearly half (45 percent) of the companies said they’ve encountered attacks focused on information destruction over the past year.
Importantly, even as companies have stepped up their practices in response, the vast majority of CISOs gave their security posture — an indicator of a company’s overall cybersecurity strength — a grade of C (33 percent). This once again underscores why securing medical documents will have to be the top priority for healthcare providers.
What’s more, the proliferation of medical trackers and connected devices has enabled companies to amass medical information on a scale that was previously unimaginable, making them a lucrative target.
“With increased adoption of medical and IoT devices, the surface area for healthcare attacks is becoming even larger. The problem has been further compounded by limited cybersecurity staffing and stagnant cybersecurity budgets in the industry,” added the report.
Of course, there’s not much you, as an individual, can do when your doctor or your healthcare provider becomes a victim of such a breach. But given the permanence of medical information and the frequency of data thefts, the need for proactive monitoring and effective measures to combat security threats cannot be stressed enough.
The fact that there exists a market for such data should incentivize healthcare institutions to invest more in data backups and auditing their security practices regularly so that critical systems aren’t open to potential abuse by malicious actors.
Hopefully companies handling medical data are taking notice, and will update their policies before it’s too late.