If a cybercriminal gains access to your entire health record, that information becomes the target of every conceivable variation of a cyberattack. A health record contains some of the most sensitive personally identifiable information (PII) about a person. But perhaps the most intimate information in our record is the data that cannot be altered: our personal health.
Data breaches in the news commonly expose one category of data such as financial information or email addresses. Protected Health Information (PHI) includes all of our regular PII in addition to our preferred pharmacy, dates and places of doctor visits, and insurance information. This all-encompassing document is known in the world of the dark web as “fullz” and is sold for a bundle to vendors with malicious intent.
Access as a Service
The term “access as a service” in this case refers to a hacker selling access to your personal health information after obtaining the data. The ways in which hackers access servers and other storage systems is not unique. The common attack methods include:
- Malicious links in emails
- Corrupted SQL databases
- Bad software installation
These are common entry points that employees can create safeguards for, but the lack of proper security personnel creates a problem. Security Researcher, James Scott said that nowadays, health sectors rely on IT personnel to do the job of a trained Security Operations (SecOp) team. A study from Siemplify and the Cyentia Institute found that only 14% of healthcare organizations claim to have an in-house SecOps team to deal with cyberattacks.
There is a need for healthcare organizations to share access with third-party vendors, sometimes across devices. Third parties may be an entity such as a laboratory that needs health records to perform a drug test or a medical-equipment supplier who communicates with the organization leaving a trail of sensitive information. All of this data can be sold to vendors on the dark web who have nothing but toxic intentions.
How Your Data is Sold and Used
Sometimes the source of an attack is blatant and can be found, but more often a hacker will be able to hide due to the sheer number of vendors on the dark web. Immediately after a hack, the data will “go dark” for a period of time before resurfacing on the dark web. The attacker will take the full electronic health record (EHR) and will go to another vendor to receive the “dox,” a slang term for the documentation that accompanies the data found on the EHR. The dox includes passports, driver’s licenses, social security numbers, and other information that, when paired with EHR, can steal someone’s entire identity.
Medical records sell for anywhere between $250 and $1,000 per record according to an article from Forbes.com. Overall, PHI is worth three times more than PII because the data is hard-coded within us and can’t be changed. In some cases, full medical records aren’t sold whole as hackers will cut out PII and sell it off separately.
Hackers can benefit from this data in ways more than just financially. Stolen PHI can be used for:
- Identity Theft
- Insurance Fraud
- Illegal Immigration
- Impersonating a Physician
These methods allow a hacker to do more than just hold your data hostage. They will use it for their own personal gain, either to have an expensive medical procedure done or extort the victims who have serious health issues.
Unfortunately, protecting a person’s digital and physical health are wholly reliant upon a healthcare organization having high-level security protocols. Security Researcher James Scott suggests that healthcare organizations bring in a dedicated SecOps team to deal with threats that are over the average IT department’s head.
These teams act as ethical hackers, attacking the systems as aggressively as the attackers would. The SecOps members would also be responsible for tracking the network access points that employees interact with regularly. A practical addition to a certified team of security experts is a certified data storage solution.
The SecureDrive products are hardware encrypted storage devices that are FIPS 140-2 Level 3 Validated, meaning they have been certified secure by government testers. The devices keep out unauthorized parties with both PIN authentication and wireless authentication through a secure mobile app. An administrator of the drive can monitor employee access, set it to read-only mode, and even wipe the drive in the event it becomes lost or stolen.
The products are HIPAA compliant and are a simple addition to a healthcare organization’s existing operations.