Medical Records are an Attractive Data Theft Target

While news about data breaches is growing disturbingly common, coverage is often focused on financial data – especially credit cards. An event with direct impact to a large group of victims makes for a popular news topic, of course. However, another major theft is gaining attention as well. Personal data – notably medical records – has become a very popular target for electronic theft. According to the Ponemon Institute, 1.3 million medical records were stolen in 2013. The recently-publicized Anthem breach may add a whopping 80 million to the total for 2014-2015.

There is no doubt that it’s an inconvenience to recover from a stolen credit card. Replacing the physical card and updating any automatic payments is becoming a common inconvenience. Frustrating, but not a lasting impact, or one that costs any real money or much time.

Medical records, on the other hand, are far more useful to criminals, and far more damaging to victims when stolen. The wealth of information they contain makes them ideal for a wide array of misdeeds. Many sales of stolen medical records are used simply to open credit accounts in the victims names. This is a quick, easy, and very successful way to extract monetary value from the information. Startlingly, it’s very lucrative to steal a child’s identity – and children make up a significant portion of medical records, whereas credit card data generally does not contain this prized class of records.

Another documented use of stolen medical records is for acquiring prescription drugs, medical devices like mobility scooters, and other goods in the victims’ names, which are then sold for real money on the gray or black markets. When an insurance provider contacts the victim to collect payment for the illegal purchases, the damage is already done – and the victim shoulders the responsibility to prove he or she didn’t actually (fraudulently) purchase the items.

What amplifies the attacks against medical record holders is the stolen data market itself. This market is governed by nearly pure supply-and-demand economics. Investigative reporter Brian Krebs discovered that some records go for $6.40 to $8 each in bulk, while NPR has found evidence of records selling for several hundreds of dollars each. Even at that wide of a spread, these prices are huge compared to the pennies or dollar that a stolen credit card fetches on the same dark markets.

This has led the savvier criminals to shift their theft operations from payment cards to medical records – they’re not stupid and will certainly go where the money is. The medical sector’s recent mandate to use electronic medical records has regrettably produced an industry transition that favors speed and compliance over a meaningful security program to protect this precious data. Also consider that many medical systems and devices tend to have older operating systems and are slow to receive patches. Obviously, such updates take on a whole new level of concern when you’re looking at a device that supplies insulin, anesthesia, or other highly dosed care. A dreaded “blue screen” due to a bad patch could have loss-of-life implications, making the “it works so don’t mess with it” strategy a common one with medical devices and equipment.

Even if your medical environment is well-defended, well-monitored, and handled by a crack team of information security professionals, you still operate in a highly targeted sector. It is inevitable that you’ll be attacked. Statistically, it’s no stretch to say that many will be successfully breached. For this reason, we feel a proper endpoint threat detection platform is a critical component to a “monitoring in depth” solution.

The endpoint is the last-served battleground in most security architectures. Antivirus is a mandated but ineffective component. Perimeter network visibility does not easily address insider threats, and lacks visibility into increasingly encrypted communications. The massive volume of endpoint evidence generated in a typical environment historically required a large team of trained analysts to address. Bit9 + Carbon Black has finally made that task more manageable. On the other hand, using that data proactively has been nothing short of a pipe dream – until now. Now Red Canary is uniquely poised to change this next stage of the game.

The information security landscape is rapidly evolving – and the healthcare industry is a key target for many different types of attacks. The industry as a whole is in dire need of a solution that can address dynamic threats in a dynamic environment – the endpoint is the key front on which we can make meaningful progress toward minimizing the impact of breaches, reversing decades of lost ground. If you aren’t addressing threats at the endpoint, can you really say you’re taking all necessary steps to protect your data?