BreachExchange mailing list archives

Medical Records Are A Gold Mine For Cybercrime


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 25 Feb 2014 19:23:54 -0700

http://motherboard.vice.com/blog/medical-records-are-a-goldmine-for-cybercrime

These days, credit card digits and even Social Security numbers are small
potatoes for black market merchants and fraudsters. The real good stuff?
Medical records. They're full of your most sensitive personal details,
revealing a snapshot of your entire life history. Which is why cyberattacks
targeting health care providers are escalating.

A new report out today by security firms Norse and SANS found nearly 50,000
instances of malicious attacks on health care institutions, including 375
cases where the network was breached. Researchers collected the data by
setting up "honeypot" traps to detect malicious traffic and tracing it back
to the original source.

The numbers confirm what a handful of earlier studies also found: That
hackers increasingly have their eyes trained on the health care industry.
Last year, it suffered more cyberattacks than any other industry in the US,
including, for the first time, the business sector--by a long shot. "The
report is a snapshot of what's happening throughout the industry,"
researchers wrote. "No health care organization is immune. Reports of
breaches against health care organizations, large and small, continue to
rise."

Cybercriminals have good reason to target health care providers. Medical
records can fetch $50 to $500 on the black market, experts say, compared
with credit cards, which can go for as little as one buck, especially after
a massive breach like the recent Target hack. Think about it: The
confidential files contain your Social Security number, home address,
insurance records, birth records, family details, billing info,
medications, and medical history.

It simply gives hackers more bang for their buck, and more options for how
to exploit the valuable information: identity theft, insurance fraud, using
prescriptions to buy or sell drugs, even holding sensitive data ransom. Not
to mention, it can be dangerous to have cybercriminals messing with your
medications and insurance policy. There's a lot more at stake than if
someone swipes your shopping rewards card.

Security experts attribute the influx of attacks to a "perfect storm" of
vulnerabilities in the medical biz. One, the push to digitize medical
records is putting more and more patient files online. Two, the Internet of
Things trend has taken root in hospitals and doctors' offices, which stock
a growing number of "smart" medical devices.

And three, the health care industry is totally overwhelmed--we're in the
middle of a crisis, remember. Staffers haven't prioritized infrastructure
security, and researchers found security protocols were alarmingly inept in
most institutions. One stolen USB gadget, compromised web camera, or flimsy
password and an intruder can access thousands of patient records.

Internet-enabled devices act like gateways into the network. And the
proliferation of connected hardware--radiology imaging software, printers,
web cameras, health monitors--means a growing number of entry points waiting
to be exploited, researchers warn.

Once in, a hacker can install malicious software to collect all sorts
of valuable information to use to wage an attack: type of network, IP
addresses for computers and devices, passwords for firewalls, building
blueprints, and encryption keys.

Data thieves will sometimes dump piles of documents on a file-sharing site
like 4shared.com, where it can sit exploitable for months before a breach
occurs, the report states. Meanwhile, the health care provider has no clue
they've got a bullseye on their back.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss