78.2 Data Theft in Health Care
The Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data [6], which included 90 health care organizations in the US and 88 business associates of health care organizations, states that 2015 was the first year in which criminal attacks were the most frequent cause of data breaches in health care. Compared to 2010 results, criminal attacks had increased by 125% and constituted 45% of data breach causes, replacing lost or stolen devices (43%) as number one on the list. Experts suggest that the health care sector replaced the financial sector as top target for cyber attackers, not only because of the inherently valuable data but also because its information security defenses are inferior in comparison [7, 8].
Another study by the Ponemon Institute [9] showed that, averaged over a variety of industries, the cost per capita per data breach is highest in Germany (for 2012), with 199 USD compared to an average cost of 136 USD. At the same time, averaged for each industry individually, the cost of a data breach is highest in the health care sector, with 233 USD. Every breach of health care data is even more costly than a breach of financial data, which is second on the list with average costs of 215 USD per capita. Although data for the German health care market have not been reported separately, the aggregated data suggest that data breaches in the German health care sector might be the most costly among all important sectors in the industrialized countries. This, of course, pertains to the costs of recovery of a data breach, including “incident handling, victim notification, credit monitoring and projected lost opportunities” [10]; it cannot be concluded from these figures that German health care data will obtain the highest prices on the black market.
While Ponemon’s data was collected by querying health care providers and business associates, the SANS Institute, a privately funded organization that offers training and research in the field of information security, surveyed the Norse threat intelligence infrastructure, a network of sensors and so‐called honeypots2, to monitor malicious events and traffic on the Internet [10]. Thus, sources of suspicious traffic were identified and filtered for health care related organizations, meaning that these organizations were most likely infected by malware and hence partaking in attacks against honeypots and other online entities. In this sample, captured over the course of 12 months in 2012 and 2013, malicious traffic from 275 compromised US‐based health care entities was recorded; 72% of the traffic had its source in direct health care providers, e. g., hospitals, clinics and private offices. Among devices and software most often compromised were: VPN applications and devices (33% of malicious traffic)
Radiology imaging, videoconferencing and teleconsultation software (17%)
Firewalls (16%)
Internet‐facing databases with personal health data, including a large call center website (12%)
Routers (7%)
Thus, ironically, the very systems and devices employed to keep an organization’s network safe were the main infection sites for malware.
Regarding individual data breach incidents, the US health care industry was hit hard, especially in 2015: By using malware to gain access to an employee’s login information, intruders obtained “up to 80 million records that included Social Security numbers, birthdays, addresses, email and employment information and income data for customers and employees, including its own chief executive” [11] from the for‐profit health insurance company Anthem, Inc. Analysts pointed out the lack of encryption in the compromised database [11].
The non‐profit health insurance company Premera Blue Cross experienced a data breach exposing contact information, medical information, bank account numbers and social security numbers. It is estimated that data of around 11 million individuals were affected [7].
The non‐profit health insurance company Excellus Blue Cross Blue Shield lost “personal information for as many as 10 million individuals, including name, date of birth, Social Security number, mailing address, telephone number, member identification number, financial account information, and claims information” [12] in another data breach.
Up to 4.5 million patient files were compromised in the UCLA Health System, a hospital and primary care network. The part of the network that was compromised “contained names, dates of birth, Social Security numbers, Medicare and health plan identification numbers as well as some medical information such as patient diagnoses and procedures” [13]. Again, a lack of encryption was criticized in the aftermath of the incident [13].
In Germany, patient data has been the target of insider and outsider attacks as well, albeit on a smaller scale: In 2013, an IT administrator copied data, including medical, from doctors’ offices and pharmacies. He was employed by a medical data center performing data processing for these entities [14].
Backup tapes with data of approximately 200,000 to 300,000 patients were (physically) stolen from Klinikum Mittelbaden in 2012 [15].
Intruders stole endoscopy equipment from a hospital in Bad Berleburg, including digital patient data stored on these devices [16, 17].
As the last two instances show, compromise of health care data is not restricted to network‐related events. During the consolidation of the German health care landscape, many small hospitals were decommissioned, and often the funds necessary to store patient records were lacking. Local media reported several breaches in the states of Northrhine‐Westphalia and Lower Saxony in which intruders gained access to poorly secured archives in the otherwise vacant premises of former hospitals [18]. While the legal situation regarding patient files of doctors’ offices seems to be resolving, no conclusive legislation exists regarding patient files in defunct hospitals [19]. However, patient data online can of course be compromised on a far larger scale – with as much as several million records exposed in a single breach [20] – and with much less risk of discovery by authorities.
A special kind of online attack on patient data is executed with the help of so‐called cryptotrojans. Several varieties of this kind of malware, also known as ransomware, have been circulating on the Internet for years but gained special notoriety with a wave of hospital computer system infections in 2016 in Germany, the USA, Canada and New Zealand [21–24]. Malware of this kind invades computer systems as email attachments and proceeds to encrypt all data it can reach on the system. The user is then prompted to pay a ransom (usually in the anonymous bitcoin currency) to buy the decryption key and regain access to the encrypted data [22]. However, while attackers have supposedly been “honest” in many cases, not all ransom payments have led to recovery of the data [24].
As a survey of international online media shows, countries such as France and Spain are worried about online piracy of health data as well [25–27]. In Spain, no major incidents have been reported so far [25], which observers attribute to the insurance system, which does not incentivize medical identity theft (which, however, did not protect Germany from health data breach incidents). Regarding the situation in France, a L’Obs (formerly Le Nouvel Observateur) report hypothesizes that it is merely due to a lack of transparency in the French (as opposed to US and German) health care system that no major data breaches have been made public [27]. As the article points out, France’s 1000 hospitals employ only around 50 cybersecurity experts in total.
In summary, there is no lack of opportunity for malicious intruders to gain access to patient data, and as the saying goes, “opportunity makes the thief”.
78.3 Black Market Value of Patient Data
Computer security analysts of the FBI’s Cyber Security Division estimated in 2014 that one individual’s health care record is worth 50 USD on the black market [12, 28]. Don Jackson of cybercrime protection company PhishLabs estimated that health care credentials are worth around 10 USD per record, based on his analysis of dark web transactions [8] – still 10 t
o 20 times more than, for instance, credit card data. Katherine Keefe of cyber liability insurer Beazley again estimates a black market price of 40 to 50 USD per health care record [11].
Recently, news of the largest known transaction of patient data on the black market surfaced in online media. A hacker who called himself “thedarkoverlord” offered three separate databases of patient data (including medical data) on the black market website TheRealDeal (which is accessible by anonymous Tor networking only). In total, these contained 655,000 records. On the day after, he followed up with another database, containing 9.3 million records. Approached by data security journalists, thedarkoverlord revealed that he had gained access to the first three databases through user names and passwords that were stored without any encryption on misconfigured networks. The fourth attack was made possible by a vulnerability in Windows’ Remote Desktop Protocol [29].
The attacker stated that he had first attempted to extort money from the victims, who, however, had been unwilling to pay to avoid publicity, leading thedarkoverlord to offer the results of his heist on a public market. For the first three databases, he set prices of 100,000 USD to 395,000 USD (based on bitcoin rates at the end of June), and the fourth and largest one was supposed to be sold at 500,000 USD (converted) [29, 31].
He did not divulge how much ransom he had asked from the exposed health care organizations, except for one from which he attempted to charge 160,000 USD. However, in each case, the ransom was below 1 million USD, as reported by the attacker himself [29].
Based on these offers, health care data may sometimes fall under a “bulk discount” on the black market, if an especially large volume of data is acquired by the attacker. Another factor may have contributed to the low figure of 0.05 USD per patient record in these last incidents: in an attempt to validate information that was voluntarily provided by the attacker for this purpose (see Fig. 78.1 for an anonymized example), an anonymous information security blogger ascertained that the data was indeed real. However, in some instances in this sample it was several years old [31].
Fig. 78.1Anonymized sample of health care data offered by thedarkoverlord on TheRealDeal marketplace, as reported by DeepDotWeb. (https://www.deepdotweb.com [30])
In documented cases of ransomware infections in hospitals and clinics with the “Locky” trojan, ransoms of around 300 USD or 200 € were demanded [32, 33]. However, in targeted attacks, sums of up to 3.6 million USD were reported [34].
In summary, estimated market prices for selling and buying health care data as well as response to extortion range between 0.05 USD and 50 USD per record.
Buyers most likely show interest in these records because they facilitate both medical and other identity thefts. Medical identity theft is especially worthwhile in health care systems without compulsory health insurance, the most well‐known example being the US health care system. It enables non‐insured persons to obtain health care and may also serve as a source for obtaining prescription drugs, which can then be sold on the black market as well [25]. As the FBI states, health care data can be used “to file fraudulent insurance claims, obtain prescription medication, and advance identity theft. Theft of electronic health records (EHR) is also more difficult to detect, taking almost twice as long as normal identity theft” [28]. Offering stolen data to the compromised organizations themselves to extort a ransom, on the other hand, may be the natural first step for fencers of stolen data before going public on the black market [29].
Still, there are other modes of profit extraction. In 2008, the Los Angeles Times reported that employees of the UCLA Health System unauthorized accessed medical records of prominent individuals, such as musicians Britney Spears and Michael Jackson, actress Farrah Fawcett and Maria Shriver (John F. Kennedy’s niece, formerly married to Arnold Schwarzenegger) [35, 36]. However, no figures of actual payments were made public.
In theory, stolen health care data may also be of interest for private insurance companies, who commonly rely on information supplied by their clients to calculate premiums. Unfiltered health care data would at least supplement their data in an interesting way. As one anonymous commenter on the website Darkdotweb glibly remarked: “As a health insurance agent I would love to buy your medical records. My company would give me a large raise and a company car” [37]. This is, admittedly, pure supposition at the moment, as no cases of this kind have been reported so far. Other potential buyers of health care data include developers and marketers of personal health devices, wearables and the like, as well as R&D departments of health care related industries. However, these parties have in the past been able to obtain health care data in bulk for their purposes because a surprisingly great number individuals are willing to share their personal data in exchange for free services and social media opportunities [38].
78.4 Conclusion
Owing to the nature of the question regarding selling and buying prices of data on the black market is difficult to obtain in a reliable way. Moreover, most available data is specific to the US market – a characteristic that is not limited to the black market but applies to the overall problem of valuing personal data [1]. Since medical data for the purpose of medical identity theft is a less coveted resource in countries such as Germany with almost complete health insurance coverage of the population, US figures may be exaggerated in comparison to the German market. However, other modes of profit extraction are applicable in Germany and other countries as well as in the US: demands of ransom, including both ransomware and individual extortion of hospitals and other entities,
selling data for purposes of financial and other identity theft, since bank account and other personal data are often part of breached records,
selling data to other interested parties such as the media, and supposedly, other private enterprises.
Hence, patient data are valuable assets that, according to industry analysts, are not nearly sufficiently protected in the majority of health care organizations globally [5, 11, 12, 21, 25–27, 29, 31, 37]. More sophisticated countermeasures are therefore needed to prevent large‐scale data breaches, and data security and privacy belong among the top items on the list of priorities of health care officials.
References
1.
OECD, “Exploring the Economics of Personal Data,” in OECD Digital Economy Papers, 2013.
2.
D. Walker, “Research examines cost of stolen data, underground services’,” SC Magazine, 11 12 2014. [Online]. Available: http://www.scmagazine.com/news/prices-have-dropped-for-stolen-data-on-the-black-market/article/387945/. [Accessed 13 07 2016].
3.
T. Zeller, “Black Market in Stolen Credit Card Data Thrives on Internet,” The New York Times, 2005.
4.
H. Krügel-Brand, “Digitale Transformation: Zukunftsfragen,” Aerzteblatt, [Online]. Available: http://www.aerzteblatt.de/archiv/175605. [Accessed 13 07 2016].
5.
N. Yaraghi, Hackers, phishers, and disappearing thumb drives: Lessons learned from major health cara data breaches, 2016.
6.
Ponemon Institute, Fith Annual Benchmark Dtudy on Privacy & Security of Healthcare Data, 2015.
7.
D. Bowman, Why health insurers are an enticing hack target [Q&A], Fierce Healthcare, 2015.
8.
C. Humer und J. Finkle, Your medical record is worth more to hackers than your credit card, Reuters, 2014.
9.
P. Institute, 2013 Cost of Data Breach Study: Global Analysis, 2013.
10.
B. Filkins, Health Care Cyberthreat Report, SANS Institute, 2014.
11.
R. Abelson und M. Goldstein, Anthem Hacking Points to Security Vulnerability of Health Care Industry, The New York Times, 2015.
12.
F. Rashid, “Wh
y hackers want your health care data most of all,” InfoWorld, 14 09 2015. [Online]. Available: http://www.infoworld.com/article/2983634/security/why-hackers-want-your-health-care-data-breaches-most-of-all.html. [Accessed 08 07 2016].
13.
C. Terhune, UCLA Health System data breach affects 4.5 million patients, 2015.
14.
ÄrzteZeitung, “Illegale Ausspähaktion: Massenhaft Patientendaten gestohlen,” 29 11 2013. [Online]. Available: http://www.aerztezeitung.de/praxis_wirtschaft/recht/article/850930/illegale-ausspaehaktion-massenhaft-patientendaten-gestohlen.html. [Accessed 31 07 2016].
15.
Klinikum Mittelbaden, Datenschutz, Mittelbaden: Klinikum Mittelbaden, 2012.
16.
WDR – Westfalen-Lippe-Nachrichten, “Bei Diebstahl auch Patientendaten verschwunden,” 31 05 2016. [Online]. Available: http://www1.wdr.de/nachrichten/westfalen-lippe/patientendaten-verschwunden-diebstahl-medizinische-geraete-berleburg-100.html. [Accessed 31 07 2016].
17.
E. Demtröder, “Medizingeräte-Diebstahl: Helios spekuliert nicht über Motiv,” WAZ, [Online]. Available: http://www.derwesten.de/staedte/nachrichten-aus-bad-berleburg-bad-laasphe-und-erndtebrueck/medizingeraete-diebstahl-helios-spekuliert-nicht-ueber-motiv-aimp-id11842565.html. [Accessed 31 07 2016].
18.
D. Seher, “Diebe stehlen tausende Patientenakten aus Klinik-Kellern,” WAZ, 08 02 2015. [Online]. Available: http://www.derwesten.de/politik/diebe-stehlen-tausende-patientenakten-aus-klinik-kellern-id10932347.html. [Accessed 28 07 2016].
Digital Marketplaces Unleashed Page 119