The Institute of Critical Infrastructure Technology (ICIT) has recently published a 54-page white paper entitled “Your Life, Repackaged and Resold: The Deep Web Exploitation of Health Sector Breach Victims” [PDF], which describes what happens to electronic health records (EHRs) once they reach the Dark Web after a health infrastructure is breached. The paper also touches on why the health sector remains an attractive target to bad actors, why the sector is slow to evolve, and the likely impacts of stolen EHRs on victims.
According to the paper, the health sector is the most at risk of all critical infrastructures, leaving it highly vulnerable to online attacks and prone to breaches. This may come as no surprise to many. In the United States alone, the Department of Health and Services has recorded a total of 203 reported breaches to date. Here is a breakdown of the breach types experienced and the number of institutions affected by each:
- Hacking/IT Incident – 64
- Improper Disposal – 4
- Loss – 8
- Theft – 40
- Unauthorized Access/Disclosure – 87
Below are some takeaway points from the white paper:
- EHRs are considered ten times more valuable than financial data. Hackers have realized that medical data are not as easily canceled, changed, or terminated as financial records. They are also long-lasting, versatile, and can be re-used in many ways that bring in money for criminals.
- Criminals not only sell medical records but also sell packages that they call “fullz”. One “fullz” typically contains working, verified patient records and bank credentials, social security numbers, plus other personally identifiable information (PII). It is a complete dossier of a victim that a criminal can use to completely and fully take over their identity. A “fullz” sold together with counterfeit physical documents related to the stolen identity is called a “kitz”.
- Although hospitals and other medical institutions are the main targets of hackers, those affected in the long run are the patients whose data have been compromised. They receive little to no help from the government or from the affected medical organization, as consumer protection is not well-defined when it comes to medical identity theft. Furthermore, not only can the stolen EHR data be used to create fraudulent accounts, it can also be sold and re-sold within the Dark Web years after the initial breach.
- The report asserted that another reason healthcare records are being harvested is that they are easily accessible and shareable among medical professionals, especially in the event of an emergency. Health insurance companies are also targeted, as they collate patient information from various healthcare provider networks.
- Encryption is almost absent from healthcare systems. According to a survey conducted by the Healthcare Information and Management Systems Society, a staggering number of acute and non-acute care providers do not encrypt their data while in transit and while at rest, making them susceptible to eavesdropping and packet sniffing. There are also quite a number of providers that don’t have system firewalls in place.
“In the same decade that banks have cracked down on identity theft, healthcare networks have made it easier by transitioning to interconnected electronic systems without implementing strong security,” wrote one author of the paper. “Once a hacker owns an EHR, they effectively own the victim.”
The ICIT, an American cybersecurity research institute, will be presenting the results of their study to the US Senate on Thursday, September 22.