Why is the healthcare vertical such an attractive target?
One of the main drivers for cybercriminal activity is financial gain. This applies to health data as well, especially since administrative data, which is part of health data, includes financial data. It is possible that this alone is the motivation for targeting health data: the financial segment of a full medical record. This can easily be monetized as tradable goods in market listings in the “underground”. Many reports refer to underground markets, which means that stolen data is often sold on the darknet or deep web, where anonymity is higher than on the normal web.
A variety of sources claim that health data is up to 10 times more valuable for selling than other stolen data such as credit card information. The actual value of one single health data record ranges widely across these sources: “hundreds and thousands of U.S. dollars” according to Forbes; or up to $50 for a medical record, in comparison to credit card information for $1,50 or a social security number for $3; or a medical record sold for up to $60 a piece (approx. bitcoin equivalent); or full medical records including date of birth, place of birth, credit card details, social security number, address, and emails offered for up to $1,000; or, according to Trend Micro, “health information and medical records are estimated at $82,90 a piece for U.S. consumers, while a social security number is worth $55,70.
Payment details, physical location information, home address, marital status, as well as the name and gender information are pegged at $45,10, $38,40, $17,90, $6,10 and $2,90”, respectively.
While most of the sources differ in the actual value of a health data record sold on darknet marketplaces, they all agree that medical records typically are worth more than financial data on these markets. The main reason is that health data cannot easily be blocked and changed the way, for instance, credit card information can. Secondly, banks have taken precautions over the years and are faster in their response to theft, while the health sector is in the middle of its digital transformation and will most likely need more time to set up detection and response capabilities.
Once healthcare organizations are capable of reacting faster to breaches and stolen health data, the value of stolen health data might drop, at least for the part that can be “disabled” and not further leveraged by an attacker. Demographic data, clinical data and family history, however, cannot be changed and remain leaked for a lifetime. This means that a part of a health data record will always be attractive to an attacker: the part that cannot be changed but can be harvested to commit fraud and/or even inflict physical harm, depending on the attacker’s purpose.
Because a single health data record is so rich in information about an individual, an attacker can easily use this data to commit identity theft. With a victim’s family history, demographic data, insurance information and medications, a lot can be done to pretend to be someone else. But for what purpose? By far the most common motivation is direct monetary gain for the perpetrator. A fraudster can either use the PII to apply for loans, credit cards or tax returns, or even to open a new bank account, or the stolen identity can be used to obtain healthcare services. This means patient information can be used to defraud insurers and receive payments for treatments and prescribed medications that the fraudster did not actually receive.
Meanwhile, the actual patient, and thus the victim of identity theft, might experience issues claiming payment because the payments have already been issued to the wrong “patient”. Alternatively, a patient receives an invoice for a surgery they never had. Using a patient’s prescriptions is another opportunity: it can serve someone’s own drug consumption, or it can be used for drug diversion, meaning someone sells the prescribed controlled substance on darknet marketplaces. The same applies to medical equipment acquired through a patient’s prescription.
Identity theft is such a broad field that many other illegal activities can be carried out with someone’s identity; only a few are mentioned above.
Gaining access to someone’s health data also provides insight into their health conditions, such as allergies, medication and other dependencies on modern medical interventions. Last July, a targeted attack took place aiming to gain access to the health data of Singapore’s prime minister. SingHealth, the largest healthcare group in Singapore, reported a massive data breach of 1,5 million patient records belonging to patients who visited SingHealth clinics between May 2015 and July 2018. One health record of particular interest appeared to be that of Singapore’s prime minister Lee Hsien Loong, which contained information about his medication. It was later concluded that the attack was well-planned, sophisticated and targeted, and potentially nation-state sponsored.
Another opportunity to cause physical harm to a specific individual is to alter the victim’s medical record, for example by adding false information or removing an entry stating that the patient is allergic to penicillin. This could have life-threatening consequences for the patient.
Additionally, depending on the nature and origin of the stolen medical data, it can be used for blackmail and extortion. One example that has been present in the media is the activity of the hacker group known as “The Dark Overlord” (TDO). The threat actor has been active since 2016 and has targeted different healthcare areas, including plastic surgery clinics, attempting to blackmail its victims with photographs taken before, during and after plastic surgery in order to extort money, which the healthcare provider did not pay. Consequently, TDO put the files up for sale on a darknet forum afterwards. This means that even though the clinic chose not to pay, the patient data will be sold and can be individually leveraged by contacting the actual patients and trying to blackmail them instead.
“We’re going to pitch it all up for everyone to nab. The entire patient list with corresponding photos. The world has never seen a medical dump of a plastic surgeon to such degree.” (TDO, 2017)
Where sensitive information such as a patient’s diagnosis is involved, be it a history of plastic surgery or mental health challenges, medical blackmail becomes an incentive for an attacker motivated by financial gain or by the intention to inflict harm and ruin the victim’s reputation.
Besides breached health data, medical devices can be used to inflict harm when taken over by an attacker, preventing healthcare providers from treating their patients. Attackers know that medical devices most often do not contain any health data, but they are an easy first target when trying to interrupt a service or treatment and thus inflict physical harm, especially in comparison to network devices, which might be better secured than medical devices. This is noteworthy when considering the motivations and end goal of an attack, but it is not the focus of this research and will therefore not be explored further.
Instead, we would like to explore why health data is so attractive to attackers, and what an attacker can do with stolen health data. In order to explore these questions, we put forward the following hypotheses:
Health data is more attractive to an attacker because it brings more value due to its multitude of information, e.g. financial data, PII, medical history.
Stolen health data is sold for a higher price per record on online markets in comparison to other stolen data such as financial data.
Targeted cyberattacks against various industries have become increasingly common in recent years. The healthcare sector is no exception. That is why we research these two hypotheses. Read all about our findings and recommendations in this whitepaper.