The black market has become so flooded with stolen credit cards that selling them is now less lucrative. This has caused cybercriminals to look for other means of making cash, and many of them are turning to stealing healthcare records.
Healthcare records sell for $10/record on the black market, as opposed to the $1/record or less for credit cards.
More $$, Higher Guarantee
The benefits of stealing healthcare records are two-fold. Not only do criminals make more, but it is also easier to steal healthcare records than credit cards. Most credit card companies employ effective security and fraud detection programs.
Healthcare facilities may be easier targets, evidenced by the rise in healthcare data theft. In 2013, the healthcare and medical sector made up 43.8% of data breaches (an 8.9% increase from 2012).
The Perfect Crime
The higher return for healthcare theft may give cybercriminals more motivation to get creative when attempting to breach a healthcare organization. However, there may be other reasons that stealing healthcare records is easier than stealing credit cards.
“As attackers discover new methods to make money, the healthcare industry is becoming a much riper target because of the ability to sell large batches of personal data for profit. Hospitals have low security, so it’s relatively easy for these hackers to get a large amount of personal data for medical fraud.”
– Dave Kennedy, CEO of TrustedSEC and expert on healthcare security
Lower Detection Rate
It is harder and takes longer to identify medical identity theft, giving criminals more time (sometimes years) to make money off of stolen credentials. This alone makes medical data more valuable than credit card numbers because cardholders are encouraged to monitor their bank statements and credit reports closely—quickly cancelling cards once fraud is detected. Consumers usually only discover that their medical credentials were stolen after their information is used to impersonate them to obtain health services. When the unpaid bills are sent to debt collectors, they track down the fraud victims and seek payment.
Security vs Medical Equipment
Funds may be an issue for many healthcare providers. Because of their focus on patient health, the continual need for better medical equipment, and the threat of litigation, it may be difficult to divert funds to cyber security.
The Shift to Digital
More and more healthcare providers are switching to electronic medical records to make storage and billing easier and more efficient. And while security measures are being put in place to help with the transfer of records, sometimes data storage practices are not as secure.
Outdated Patches and Updates
On average, consumers replace their PC or laptop after 4.5 years of use, opting for new and improved models. The same is not true of medical equipment. Medical devices are meant to and are often used for decades. Though the medical device may function properly for that amount of time, security patches and updates may not be available for that period. For example, some medical equipment still use Windows XP Embedded. Outdated patches and updates are a recipe for a data breach.
Cyber Security Best Practices
Many of the security issues healthcare facilities face can be fixed by following cyber security best practices. These recommendations may not fix all cyber security issues, but they are a great starting point.
- Passwords. Administrative staff and healthcare professionals should establish strong passwords for each device and account they use. This includes establishing strong passwords for WiFi networks.
- Updates. Keep on top of the latest updates for OSes, routers, switches, phones, and any device on the network.
- Anti-Virus and Firewall. Remember to update anti-virus software programs and firewalls.
- Train Employees. Lastly, train employees on how to avoid becoming victims to social engineering attacks. This includes training them on what is appropriate to post on social media (which is fodder for social engineers looking to attack a healthcare facility or business) and what is not appropriate, especially as it pertains to work.