We read a lot about the value of medical records on the black market. Various reports have put the value of credentials for health-related sites at $10 – about 10 times the value of stolen credit cards numbers. Others have noted postings advertising stolen medical records in black market forums for the equivalent of hundreds of dollars each.
Nobody knows if those reports are accurate. (Experts have noted that trying to determine the shape of a market just by looking at sellers’ behavior is a fool’s errand.) What is clear is that medical data is of interest to hackers and cyber criminals.
But a panel at the South by Southwest event in Austin, Texas suggests just how varied and complex that market for stolen data is. Among other things, one healthcare CISO talked about how even information like chest x-rays have incredible value to sellers with access to the right market.
As this story covering the panel for IEEE Spectrum notes, even data like scans of patient X-rays have a monetary value to the right buyer. The story quotes John Halamka, the Chief Information Officer at Beth Israel Deaconess Hospital in Boston, describing an incident that occurred after a contractor accidentally connected an unpatched medical records server to the Internet in order to upload a new firmware version to the device. The technician went to lunch, leaving the system connected, only to return to a medical records system crawling with malware. A subsequent analysis found that some 2,000 patient x-ray images from the machine had been downloaded to a system located in China.
Why x-rays? Halamka said that images are resold to Chinese nationals with infectious lung diseases such as tuberculosis so that they can obtain visas to travel outside the country. “A clean lung x-ray is therefore a valuable commodity,” the article says.
Of course, x-rays are hardly the main target of malicious attacks on hospitals. Phishing e-mails targeting physicians and other staff are common. And recent news reports have noted a rash of ransomware infections hitting mostly small hospitals such as LA Presbyterian and Ottawa Hospital. In some cases, hospitals have been forced to pay ransoms to obtain access to their data.
Hacktivist attacks are also a danger, as Children’s Hospital in Boston learned when it became embroiled in a contentious and public dispute with the parents of a teenager who had been taken into protective custody by the hospital. The attack knocked Children’s as well as other, Harvard University-affiliated hospitals offline and affected patients access to care.
Hospitals and other medical facilities face a number of challenges. They are complex environments, comprising both traditional IT assets and specialized equipment and support systems tied to patient care. That equipment often runs out-of-date software, including older versions of Windows operating systems. Patching and other security measures are often not extended to these devices.
Beyond that, healthcare firms tend to have smaller budgets to support information security. Halamka noted that healthcare organizations typically spend only 2 percent of their budgets on information technology, with security accounting for 10 percent of that 2 percent. By comparison, financial services firms might spend upwards of 20 to 30 percent of their budget on technology.
Finally, what money exists is often allocated to compliance with regulations like HIPAA and HITECH that address patient privacy, but not overall security. A survey (PDF) of a dozen healthcare organizations conducted by the firm Independent Security Evaluators (ISE) found that they are ill prepared to fend off cyber attacks aimed at disrupting services or compromising patient health, despite – or possibly because of – an intense focus on protecting patient privacy.
The government has taken notice. In 2013, The U.S. Food and Drug Administration (FDA) issued guidance to medical device makers and hospitals that use their products to pay more attention to cyber security and the potential for cyber attacks on vulnerable medical instruments.
Check out my recent conversation with Digital Guardian’s Thomas Fischer where we talk about ransomware attacks on hospitals and other targets.
Paul F. Roberts is the Editor in Chief of The Security Ledger and Founder of The Security of Things Forum.
