While stolen financial data still has a higher market value than stolen medical records, as financial data can be monetized faster, there are indications that there is ongoing development of a market for stolen medical data, according to an Intel Security McAfee Labs report. And, the report authors conclude that cybercriminals are increasingly devoting time and resources to exploit and monetize stolen medical records.
The Intel Security McAfee Labs “Health Warning” report assesses the marketplace for stolen medical records and examines the motivations for its theft, while also comparing it with the marketplace for stolen financial services data. The Intel Security research asserts that the development of the market for stolen data and related hacking skills indicate that the “business of cybercrime” in the health care sector is growing.
“The nonperishable nature of medical records makes them particularly valuable. Because the ability to reduce the impact of a medical data breach is significantly diminished, we must do all we can to reduce the likelihood of successful attacks. The first step in this process is to understand the threat,” the report author, Raj Samani, CTO of Intel Security for Europe, the Middle East, and Africa, wrote.
The report authors also concluded, however, that one troublesome issue with researching the market for stolen medical data is the lack of evidence pointing to the motivation behind acquiring stolen medical data. “At present, we have not identified specific uses for bulk data purchases of medical data,” the report authors wrote.
“We can conclude that medical data across the health care sector is being stolen and sold. Not only is it being sold, but it is also openly advertised for sale. In certain cases, the seller even boasts of the compromise using social media,” the report authors wrote.
The researchers found that the price per record for stolen patient medical records remains lower than financial account records and retail payment account information, despite the increasingly time-sensitive, or perishable, nature of data such as credit and debit card numbers. McAfee Labs finds stolen medical records available for sale from $0.03 to $2.42 per record, while comparable stolen financial account records available for $14.00 to $25.00 and credit and debit card account data available for $4.00 to $5.00 per account record.
The findings suggest financial account data continues to be easier to monetize than personal medical data, which could require an investment that financial payment data does not require. Upon stealing a cache of medical records, it is likely cybercriminals must analyze the data, and perhaps cross-reference it with data from other sources before lucrative fraud, theft, extortion, or blackmail opportunities can be identified. Financial data, therefore, still presents a faster, more attractive return-on-investment (ROI) opportunity for cybercriminals.
The “nonperishable” nature of PHI—as it can’t be changed or replaced like credit card numbers—has led to industry speculation that the price per medical record could soon rise to rival or even eclipse that of financial account or payment card data, according to the report authors, however, Intel Security’s 2016 research did not illustrate such price-point movement.
“Liquidity trumps longevity in the race to monetize stolen data,” Samani wrote. “If I steal a million credit or debit card numbers, I can quickly sell this digital merchandise before banks and retailers discover the theft and cancel these numbers. Alternatively, a million medical records contain a rich cache of permanent PHI and personal histories, but such data requires a greater investment of time and resources to exploit and monetize it.”
Research also indicates that some sellers have taken advantage of parallel markets to increase their profits as one user on an underground market sold 40,000 medical records for $500 but specifically removed the financial data and sold it separately, the report authors wrote. Financial data can also be sold in individual records or in bulk, while medical data appears to be sold only in bulk at this time, which reduces the per-record price to something near the wholesale prices of cards, according to the report.
“The stolen medical data still appears to be taking shape, but the current ecosystem already has a higher per-record value than in markets of nonfinancial account data. Is medical data worth more? It seems to be worth something between traditional database dumps and payment card data. If the medical data contains financial data, it appears to be more profitable to sell them separately rather than together,” the report authors wrote.
Cybercrime-as-a-service, in which components of a cyberattack are outsourced, has become a well-publicized business model and increasingly a cybercrime-as-a-service economy is developing specifically around healthcare industry data. Researchers found evidence of the purchase and rental of exploits and exploit kits to enable the system compromises behind health care data breaches. The researchers also observed efforts by cybercriminals, through online ads and social media, to recruit into their ranks health care industry insiders with access to valuable information.
According to the report, the most lucrative cybercrime targeting health care industry data is pharmaceutical and biotech intellectual property.
The report also took a deep dive into examples of cybercriminals stealing and selling medical data. According to the report authors, prior research about the marketplace for stolen data, documented in the report “The Hidden Data Economy,” indicated, at least initially, an absence of medical data for sale. Upon further research, investigators discovered “dark web vendors offering for sale huge data dumps of stolen medical data, and the report authors noted that, in some instances, its availability was highly publicized.
As one example, one seller offered for sale a database containing the personal medical data of 397,000 patients, as shown in a screen shot published in the report, while another screen shot from the seller details what was included in the data dup—not only names and addresses of patients, but also data about their health care insurance providers, both primary and secondary, as well as other data that may be of value to would-be buyers, according to the report authors.
And, the report authors noted that the cost of such records is remarkable; “compared with other data dumps, the price for medical data is considerably higher.”
The example that the report authors used was, in fact, a highly publicized hack of three separate healthcare databases as initially reported by news site DeepDotWeb and the hacker then sold the patient records on the dark web. As also reported by DeepDotWeb, the report authors note that the seller provided evidence of access to the breached organizations in the form of a screen shot indicating the exploitation of a vulnerability in the remote desktop protocol. Citing an interview that the seller gave to Motherboard, the seller was apparently well rewarded for the time spent. According to the report authors, the seller explained that this effort has netted $100,000 thus far.
The report authors concluded that the research provides evidence of a clear threat to healthcare organizations and underscores the need for healthcare organization leaders to take proactive measures to protect medical data.
“When a well-developed community of cybercriminals targets a less prepared industry such as health care, organizations within that industry tend to play catch-up to protect against yesterday’s threats, and not those of today or tomorrow,” Samani wrote. “Gaining the upper hand in cybersecurity requires a rejection of conventional paradigms in favor of radical new thinking. Where health care organizations have relied on old playbooks, they must be newly unpredictable. Where they have hoarded information, industry players must become more collaborative. Where they have undervalued cyber defense overall, they must prioritize it. In the Second Economy, if you win the ‘time’ contest with attackers, you are in a position to preserve money and trust.”
