Healthcare information security

Hackers Selling Healthcare Data in the Black Market

Ashiq JA
July 27, 2015 by
Ashiq JA

With the drastic increase in Cyber Crime, the healthcare industry is a potential target for data hungry hackers. Patient safety may not directly relate to data security, but an individual's personal health information includes everything from their address, private medical records to credit card information. Approximately 29.3 million patient health records have been compromised in a HIPAA data breach since 2009, according to healthcare IT security firm Redspin. In this article, we will be trying to figure out how hackers turn these hacked healthcare data to cash in the cyber underworld or black market.


Implementing HIPAA Controls

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

It took a health insurance company almost a year to notify some 1.1 million of its members that their personal data had been swiped by hackers. In another incident, more than 80 million health data was stolen from Anthem breach because of a network server hack. In 15 months from January 2014 into March 2015, the healthcare industry had 15 separate major breaches of protected health information that affected well over 100,000 individuals.

Now, why are hackers behind the health data of an individual or a patient? What can be gained from such data? According to a report by the Aberdeen Group, it costs about $500 per patient, depending on who is buying. Health care companies experienced a 72% increase in cyberattacks between 2013 and 2014.

Cost of Stolen data

More and more health data are showing up in the dark web. One cannot simply delete or change their birthdate or social security numbers. Stolen patient health records can fetch as much as $363 per record, according to data from the Ponemon Institute, which is more than any other piece of data from any other industry.

There have been more than 270 public disclosures of large health data breaches. "These breaches will keep happening because the healthcare industry has built so many systems with thousands of weak links," said Dr. Deborah Peel, founder of Patient Privacy Rights in Austin, Texas. While stolen credit card numbers tend to be sold for a few dollars or even quarters, a set of Medicare ID numbers for 10 beneficiaries found online by Greg Virign, CEO of the security company RedJack, was being sold for 22 bitcoins, or about $4,700.

These records are used for identity theft and can be classified as following:

  • Credentials: Name, date of birth, contract or group number, type of insurance plan, deductible and co-pay formation, insurer contact information for claims and customer service. Another $20 each is available for associated dental, vision, or chiropractic plans.
  • Complete electronic dossier or Fullz: An electronic dossier of credentials for an individual compiled and packaged with other Personally Identifiable Information (PII). Fullz are worth more because they take time to compile but facilitate the identify theft process for the black market purchaser. They may include everything in the credentials package above plus address, phone numbers, email address with password, social security number or employer ID number, bank account information, online banking credentials, and credit card information.
  • Finished kit of phony ID and credential documents or Kitz: Includes custom-manufactured physical credentials and documentation related to the identity information from Fullz. It becomes a complete identity theft kit and may include fake versions of the victim's insurance card, social security card, driver's license and credit cards.

Hacking is not the only means through which medical information are compromised, sometimes healthcare workers steal data, while in other cases, friends or family members use a person's health insurance information to obtain fraudulent or fake medical claims.

Under estimating the healthcare data security

Many healthcare organizations do not perform encryption of records within the internal networks. They also do not use encryption of data at rest and transit. This interest the hackers since the attack surface area is very huge. Health insurance information can be used to purchase drugs or medical equipment, which are then resold illegally, or even to get medical care. The latter can have consequences that go far beyond the financial.

Ken Westin, security analyst at Tripwire said, "In general, healthcare organizations are not prepared for the level of sophistication associated with the attacks that will be coming at them. It's no surprise that several organizations have been targeted and compromised. Vulnerabilities that are endemic within an industry through common tools, frameworks, data storage/sharing methods or business processes." Maybe the wrong assumption that the hackers are only interested in financial data and perimeter firewalls would stop any kind of external attacks. Such wrong assumptions by healthcare organizations result in absence of application security and encryption of data. The Health Insurance Portability and Accountability Act (HIPAA) addresses a number of patient privacy issues but doesn't require encryption of people's data.

Why is Patient Health Information (PHI) considered more valuable than financial data?

In the world of black market, medical information has a higher value than a credit card information. One reason medical data is coveted by thieves is that it has more lasting value than other types of information. Once the bad guys get their hands on it, it's difficult for the victim to do anything to protect themselves. While a stolen credit card can be cancelled and fraudulent charges disputed, the process for resolving medical ID theft is not as straightforward.

Hospitals and insurers usually don't have a clear process for fixing errors on someone's health record or for helping patients cope with the other consequences of identity theft. "Unlike credit card numbers, healthcare information is non recoverable, and potentially lethal in the wrong hands" Robert Hansen, the vice president of WhiteHat Security, told the Christian Science Monitor. Banks have stepped up their online security in the recent years by incorporating better secure transactions and transfers while many health insurers and hospitals have not taken security seriously.

Twenty-one percent of doctors said they believed their cybersecurity was below average, while 8 percent of IT workers and administrators had the same view. A Ponemon Institute report indicates cyber criminals have increased their attacks on healthcare 125 percent, costing the industry $6 billion annually. Recently UCLA Health System data breach affected 4.5 million patients. The unusual activity was detected on October 2014 and an investigation from FBI confirmed a hack on 5th of May 2015. The exfiltrated servers contained names, dates of birth, Social Security numbers, Medicare and health plan identification numbers as well as some medical information such as patient diagnoses and procedures. "Despite these painful lessons, it seems that personal data compromised in the latest breach were still not encrypted," said Igor Baikalov, chief scientist at Securonix, a data security firm in Los Angeles.

Regulatory compliance program for Electronic Health Records (EHR)

A regulatory compliance program requires some level of central coordination. It supports gathering controls and testing information, developing a common set of control objectives, and coordinating efforts to meet multiple regulations. Typically, a new or updated regulation or other requirements (such as PCI compliance) are followed by new corporate and departmental policies and procedures. Eventually, these policy and procedure documents begin to overlap, resulting in redundancies such as a HIPAA policy and a separate PCI policy that address the same controls and requirements, increasing complexity and confusion. It is more practical to create one Access Control Policy or one Password Management Policy, for example, that meets both HIPAA and PCI requirements.

Electronic health record systems are designed to store data accurately and to capture the state of a patient across time. It eliminates the need to track down a patient's previous paper medical records and assists in ensuring data is accurate and legible. It can reduce risk of data replication, as there is only one modifiable file, which means the file is more likely up to date, and decreases risk of lost paperwork. Some organizations still look at compliance as a check-the-box, document-and-audit exercise. However, more mature organizations realize that they need to take a risk-based approach as a way to focus their resources on areas with the highest risks. We should also note that compliance may be a key focus of the healthcare industry, but that hasn't always translated into secure environments. The newly revised HIPAA Security Rule requires providers to assess the security of their databases, applications, and systems that contain patient data against a list of 75 specific security controls. These controls include specific safeguards to be in place for protecting PHI.

What do experts recommend?

Encrypting data isn't a 100 percent solution to the issue of data breaches. However, unencrypted data has been the major reason behind majority of healthcare data breaches. Proper cyber security controls and standards must be followed by healthcare sector. Security experts tell that application security has been neglected for a very long time by the healthcare industry. Each of the following recommendations should be implemented to enhance EHR security.

1. Application Security and Network Security

Hackers are finding out variety of methods for breaking into healthcare organization. The security administrators must implement server and device hardening. They should also check for application security related issue by performing manual and automated penetration tests on all applications. This includes applications hosted on external and internal networks. Following OWASP standards during software development would help in identifying missing application security controls in the initial stages itself.

However, perimeter security like a firewall, intrusion detection systems etc. are used, experts recommend that they should adopt technologies that would find and mitigate vulnerabilities and reduce the attack surface area. That includes techniques such as segregating networks so that an intruder into one area doesn't have access to all the data stored throughout the organization. Data flows in and out of hospital's EMR and other systems in a variety of ways creating a variety of potential risks. The use and transfer of the data as well as when and where the data leaves the hospital. A risk assessment is a critical way to identify the risks associated with the data flow.

2. Multi-factor authentication

Like banks that send a text message to confirm unusual transactions, companies can also use out-of-band authentication. Anthem breach was identified when a user suspected unauthorized access. Implementing a second factor authentication via a separate channel like mobile phones would have saved them from the data breach.

3. Patch electronic medical devices

While many of the IT security threats healthcare organizations face also affect companies in other industries, providers have another risk, the threat of pacemakers, monitoring tools and other electronic medical devices being hacked.

One step healthcare IT departments must take: Keep the software on those devices patched and up to date to minimize their vulnerabilities.

4. Encrypt and protect portable devices

In the past few years, several data breaches have occurred because a portable computing or storage device containing protected health information was lost or stolen.

Encrypt all devices that might hold patient data, including laptops, smartphones, tablets and portable USB drives. In addition to providing encrypted devices for employees, it's important to have a strict policy against carrying data on an unencrypted personal device.

The security of mobile devices can also be compromised by loss and theft. It's nearly impossible to ensure a device won't fall into the wrong hands. Healthcare organizations must take precautionary steps to protect data in the event that a device goes missing. Some methods to accomplish this include remote wiping and locking, as well as tracking the device through GPS to locate and recover it.

5. Implement least privilege

This means only users with appropriate authorizations can gain access to protected data on mobile devices, and only IT has adequate tools to audit and manage all users' permissions. Users don't need access to the same type or amount of information that administrators might need access to in order to do their daily jobs. Limit the amount of access, and challenge users with two-factor authentication for certain transactions or requests for sensitive data.

6. Remove unnecessary data

One lesson many data breach victims have learned: The more data that's held by an organization, the more there is for criminals to steal. Organizations should have a policy mandating the deletion of patient and other information that's no longer needed.

In addition, it pays to regularly audit the information that's being stored, so the organization knows what's there and can identify what may be deleted.

7. Data breach response plan

It's unlikely an organization will ever be able to prevent every possible IT security incident. That's why it's critical to develop a plan of action for when a breach does occur. Healthcare organizations should not just try to protect data but also should implement incident response plan when a hack has been identified.

Whether due to negligence or malicious actions, employees are often involved in healthcare data breaches. So employee awareness and incident response training must be implemented. Electronic health records specialists also provide remote storage and data backup systems. While this may not necessarily present as strong of a defense against hackers and data breaches as data encryption, it provides security for healthcare organizations against the potential of software failures or natural disasters that could destroy or damage files.


The bad guys are behind the healthcare data and are interested in selling them at the black market. In addition, the amount of increase in healthcare data breaches indicate that our medical industry must adopt cyber security measures and standards to identify, detect and prevent vulnerabilities. Nearly 90% of health IT professionals say that cybersecurity has become a higher business priority for their organization over the past year, and about 67% said their organization experienced a "significant security incident in the recent past," according to a survey released recently by the Healthcare Information and Management Systems Society, MedCity News reports.


Implementing HIPAA Controls

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

Ashiq JA
Ashiq JA

Ashiq JA is a Cyber Security Researcher and Writer passionate about Web Application Security, Security research using Machine Learning and Big Data, Deep web, technologies and Threat Analysis. He is currently working as a Security Consultant. He believes in knowledge sharing as the best source for information security awareness. Follow Ashiq JA on Twitter @AshiqJA to get the latest updates on infosec.