Electronic medical records have become a valuable commodity for criminals on the dark web. The problem might get worse before it gets better.
Far larger than the searchable surface web, the “dark” web is becoming a more sophisticated marketplace for finding illegal goods like underage pornography, prostitutes, and illegal drugs. And its role in exchanging personal information, like credit card information and healthcare records, is also growing.
Highly prized by cybercrooks, the data held by medical providers, from doctors and dentists to hospitals and insurance companies, might fetch several times the going rate of financial records because they include more information that can be used for fraud and malfeasance, including insurance details, medical background, and family information. In 2016 alone, there were 355 major breaches that affected at least 15 million healthcare records at hospitals, dental clinics, senior care facilities, and other organizations, according to the Identity Theft Resource Center.
“The cybercriminal ecosystem relies on the acquisition and trade of information, including financial and personal information,” says Michael Marriott, an analyst at the cybersecurity research firm Digital Shadows. Although financial information is the most popular data for sale, as it is quicker to monetize, victims can change or reset their passwords and credit card numbers, Marriott points out.
Protected health information (PHI), on the other hand, is prized because the exposed data is often “non-volatile, [meaning] you can’t simply reset this information, and so there is a far longer tail,” Marriott says. Indeed, the complete and often unchanging nature of healthcare records means they draw as much as $7 per record on the dark web, while credit card numbers or other basic financial data might earn a dollar or less.
This past summer, in July 2017, one dark web listing offered the sale of as many as 1 million medical records—a move that resulted in the firing of an employee at the global health insurance company Bupa. The company accused that individual of stealing data from more than 100,000 customers, according to DataBreaches.net. The trove included customer information, birth dates, nationalities, and other administrative data.
And that was far from the most egregious dark web healthcare data dump. Last year, another anonymous bad actor offered datasets from 3 unspecified US healthcare institutions for sale on another dark web marketplace.
Just 4% of the internet is visible to the general public, according to Dustin S. Sachs, associate director for Navigant Consulting, a company that examines the dark web and provides other related services. The “clear web” is where most people conduct all of their online business, like checking email, Facebook, and Twitter, and buying things from Amazon and other popular sites. But the clear web that most people know and use is merely the “tip” of the internet iceberg. The other 96% of the web is made up of the deep web, a subset of the internet that cannot be found by search engines like Google, as well as the more malevolent dark web, a black market brimming with data, drugs, and services. The deep web includes all web pages that are behind membership logins, company and organization web pages used internally, and data like medical records, financial files, and academic databases.
“Despite the fact that the dark web has indeed become home to many online criminal denizens, who do indeed use this channel for their illicit and illegal dealings around the globe, this largely undiscovered portion of the internet does serve another larger role in connecting its users,” says Sachs, speaking on dark web commerce at the (ISC)² Congress in Austin, Texas, this past September.
The deep web holds 7 times as much data as the surface internet, according to Sachs. Ironically, the dark web itself was originally created in the early 1990s by the US Navy, to communicate with secret operatives in parts of the world where it was not safe or advisable to pass information through public channels. Even in recent years, despite its negative aspects and uses, the dark web has become a channel through which citizen reporters share news and access social media from countries that strictly control other forms of media, Sachs notes.
With this in mind, what can healthcare organizations do to better protect their data?
Education programs that promote the access and availability of affordable care treatments in the mainstream market could help deter people from going to the dark web. Providers should also be aware of potential Health Savings Account (HSA) fraud. HSA fraud has evolved substantially over the past year, becoming more difficult to detect, as HSA accounts typically have less subscriber and institutional oversight. Recent estimates suggest that there are more than 20 million existing HSA accounts that hold nearly $37 billion in assets, which represents a year-over-year increase of 22% for HSA assets and 20% for accounts.
Bryan Hurd, MBA, senior executive at Versive, an artificial intelligence-fueled cybersecurity technology vendor, says that utilizing innovation in the healthcare industry should include a strong set of community requirements for security from start to finish of a product or service. “Ultimately, there are a variety of strategies and tactics healthcare CIOs and CISOs can deploy to protect against dark web-fueled cyberattacks,” says Hurd. “CIOs, CISOs, and security managers and analysts should monitor and fix those vulnerabilities present in their networks that currently have one-day exploits on sale in the dark web.”