What Happens to Breached Health Data?
Cybersecurity has become one of the most daunting problems facing the healthcare industry, and the number of attacks is on the rise, as previously reported by PNN.
With all the information available on the deep web market, a new report from the Institute for Critical Infrastructure Technology (ICIT) titled “Your Life, Repackaged and Resold: The Deep Web Exploitation of Health Sector Breach Victims” provides insight into what happens with all that stolen data and just how much a single medical record is worth.
Some speculate that attacks are on the rise because the value of medical records in the market is on the decline. A record could sell for $75 to $100 last year, but the same kind of record would sell for only $20 to $50 today.
“The price is down,” said James Scott, senior fellow at ICIT, in an interview with Health IT News, “which means the volume of availability is exceeding demand.”
According to the study, after medical records are stolen, the information is held for days, weeks, months or even years before it eventually resurfaces and is sold. The more complete a record, the more valuable it is on the deep web market. Hackers can sell small bits of information at a time or create a full ID known as a “fullz,” or identity kit. These records contain everything from the EHR as well as utility bills or insurance information, which increases their market value.
“So, it will look like basic short-form ID theft material, but eventually the electronic health record will surface as a ‘fullz,’ the slang term on the deep web for a complete long-form document that contains all of the intricacies of a person’s health history, preferred pharmacy, literally everything,” the report states. “What happens is the people who purchase fullz then go to another vendor on the deep web for what’s called ‘dox,’ the slang term for documentation, where they then proceed to have passports, driver’s licenses, Social Security cards, all these things that will help the counterfeit imitation of the victim. So you have an electronic health record that will typically go for $20 apiece, and you’ll spend a couple hundred dollars on ‘doxs’ to support that identity, and once it’s an identity kit, you can sell it for $1,500 to $2,000.”
The data of children and the elderly is the most desirable. According to the report, “Criminals aggressively pursue children’s health records because the data has a long lifetime and because the compromise may go unnoticed for years.”
This is supported by a separate study by Carnegie Mellon University in which researchers found that 10% of 40,000 children have had their Social Security number used by someone else, a rate 51 times higher than the rate for adults.
Scott recently was part of a panel that briefed the U.S. Senate on cyber threats and concluded that organizations must begin the effort to organize resources to quickly detect and resolve breaches. Security leaders need to take stock of where their program is and formulate next steps based on a realistic assessment of the largest unmanaged threats they currently face. If a hospital has just hired a chief information security officer, its next best step will be different from that of a hospital that has a large privacy and compliance team and fully formed breach response plans.