When Anndorie Cromar received a call from Child Protective Services that they were coming to take her children away, she was flabbergasted. She was unaware that her medical identity was stolen and was used by a pregnant woman to cover pregnancy costs at a nearby Utah hospital. The agency took custody of the pregnant woman’s infant that was born with drugs in her system and the officials assumed Cromar was a drug addict whose other children were in danger. Cromar had to take a DNA test to get her name off of the infant’s birth certificate, and it took years to correct her medical records.
Cromar’s case is used as an example in a recent report by the Institute for Critical Infrastructure Technology (ICIT) to show how hackers are increasingly targeting the healthcare sector organizations for electronic health records (EHRs) that can be sold and resold on the deep Web.
The cybersecurity think tank is hosting a Senate briefing on the report in Washington D.C. tomorrow to expose the impact stolen EHRs have on victims, and why organizations in the healthcare sector should beef up their layered security.
“This briefing initially will be a trickle-down conversation; we are going to start with the actual stakeholders in the federal critical infrastructure space and then they are going to take that back and start working this information into the conversations that they are having within their localized microcosm,” said James Scott, an ICIT senior fellow who co-authored the report with ICIT researcher Drew Spaniel.
Cyber criminals go after EHRs because of their value and also because organizations in the healthcare sector fail to properly secure their systems, according to the report titled Your Life, Repackaged and Resold: The Deep Web Exploitation of Health Sector Breach Victims. Stolen EHRs can be used for a wide range of fraud, from paying for medical expenses to creating new medical identities.
The report highlights a survey conducted by the Healthcare Information and Management Systems Society, which surveyed 119 acute care facilities and 31 non-acute care providers. The survey found 32% of acute care facilities and 52% of non-acute providers do not encrypt data in transit, and 39% of acute-care facilities and 52% of non-acute facilities do not encrypt data at rest. Without encryption, data is more vulnerable to attacks. To make matters worse, not all acute-care facilities and non-acute providers had firewalls in place, the survey found.
“Vulnerable legacy systems and devices that lack the ability to update and patch are Frankensteined into networks possessing newer technologies that can be updated and patched,” according to the ICIT report.
This makes healthcare organizations’ forage into IoT vulnerable as effective security layers cannot be applied properly, making them easily targetable by hackers. The lack of both cyber-hygiene and endpoint security by healthcare providers allows even the most unsophisticated attackers to easily steal patient records or deliver malware.
The hackers then often sell the stolen health information on the deep Web, and the report also identifies popular market places and forums for stolen EHRs.
Hackers sell health insurance credentials on the deep Web for about $20 a piece and that value increases if a dental or vision plan is attached to the health plan, according to the report. They also use the deep Web to sell information packages known as fullz, “an electronic dossier of a victim that is compiled to specifically facilitate identity theft and fraud.” These “fullz” contain health insurance credentials along with social security numbers, bank accounts, email passwords, and other personally identifiable information.
In this hyper evolving threat landscape, experts who haven’t studied adversary agendas, methods and technical profiles will have a hard time keeping up, Scott said.
“You can’t talk about cybersecurity without understanding the attack vectors, you can’t talk about attribution without forensically defining the intricacies of the breach, you can’t talk about the woes of ransomware without defending the necessity of encryption as a powerful layer of cybersecurity,” Scott said. “You’re only as cyber secure as your weakest vulnerability.”