Why is health and patient data so attractive to cyber criminals?
Health and patient-related data is not only amongst the most sensitive and personal information any individual holds, it is critical to his or her wellbeing when undergoing medical treatment.
Cyber criminals have recently found a ready market for stolen health and patient-related data. Consequently, they are increasing their focus on businesses that hold, manage or transfer these types of data across the entire health sector.
In particular, criminals are targeting businesses including health insurers, hospitals, medical clinics and specialists, technology vendors that support health businesses, and any business with access to Medicare data. Medicare data is attractive because it combines personal data with details of the subsidised medical procedures an individual has accessed.
The criminals’ ‘business model’ is based on stealing, blocking access to, or threatening to corrupt this data.
Stolen health data is 10x more valuable than stolen credit card numbers
The stark reality is that health and patient data is more valuable to criminals than credit card and other banking or financial services details, according to American cyber crime consultancy PhishLabs. In fact, health and patient data is up to ten times more valuable.
This is because the intimate personal information it includes cannot be easily changed, unlike the details of credit cards, loans, deposits, or insurance policies held with banks or financial services firms. Therefore, the stolen data has a longer ‘shelf-life’ for the thieves who steal it and the parties they on-sell it to.
This intimate personal information includes:
- Personal identity data;
- Family relationships;
- Insurance and/or Medicare data;
- ‘Live’ patient monitoring data from devices such as heart rate monitors;
- ‘Live’ data from implanted devices such as pacemakers and insulin pumps; and
- Medications.
When this data is stolen, or when threats are made to corrupt the data from monitoring devices or deliberately cause implanted devices to malfunction, lives can be put in danger. Consequently, when confronted with such situations many leaders have yielded to large ransom or blackmail demands.
For example, Telstra reported in its 2019 Security Report that fully half of Australian businesses who responded to their survey had paid criminals to regain access to encrypted files. The report also found that of the businesses that paid up, 23 per cent did not regain access to their data afterward.
Furthermore, when Medicare, private health insurance and payment details are combined with intimate personal information, it allows criminals to create fake identity documents and buy medical equipment or drugs that can be resold. It also creates the opportunity for false insurance claims to be made.
Health-related cyber crime rising
For the first three months of 2019, 131 criminal or malicious breaches of personal or confidential information held by businesses were reported to the Office of the Australian Information Commissioner (OAIC). Of these, 87 were the result of cyber criminal activities with 15 specifically affecting the health sector. And each individual breach has the potential to expose the details of hundreds, thousands, and in some cases millions of people.
Medicare details for sale on black market
The Guardian reported this month that Medicare card details continue to be sold illegally on the ‘dark web’ (the internet’s black market). The dark web Medicare Machine service that was selling those details two years ago has re-emerged as Medicare Madness. It offers the Medicare details of “any living Australian citizen” for as little as $US21. At the same time, other ‘dark web’ services offer fake Medicare cards for up to $US340.
Separately, the Australian Digital Health Agency reported that the Commonwealth Government’s My Health Record system suffered 42 breaches in 2018.
Health businesses remain under-prepared for cyber risks
While the growing attractiveness of health and patient data is contributing to an increase in the risk of cyber attacks on health businesses, many remain under-prepared.
Staff at numerous medical practices, pathology services, hospitals and insurers continue to exchange unprotected spreadsheets containing confidential health and patient data. Health businesses continue to run out-of-date software. Numerous medical devices do not have their software updated regularly by their vendors or the medical services using them. Many devices also continue to exchange unencrypted data with hospital and medical practice systems.
This unpreparedness was reflected in the report released by the Victorian Auditor-General on 29 May, which found the state’s public health system was still “highly vulnerable” to cyber attacks. The Auditor-General was able to “demonstrate the significant and present risk to the security of patient data and hospital services” by exploiting weaknesses that had already been identified when a “better practice standard” for cyber security was developed for the health system. Trusted Impact is familiar with the detail of this standard, and we were surprised that none of Victoria’s public health services had fully implemented it since its creation in 2016.
Such technology practices offer a wealth of opportunities for cyber criminals to exploit.
Addressing the risks for health sector businesses
Health professionals often tell us “we understand the problem.” However, as demonstrated above, far too many easy ways to compromise health data continue to exist, and too many security vulnerabilities in medical technology have not been fixed. Awareness of the problem is not the same as being ‘informed,’ much less being ‘prepared.’
Cyber security is not just an “IT problem.” Businesses across the health sector need their leadership teams to set a tone and internal culture that prioritises the protection of health and patient data, as well as other confidential business information. They need to urgently move to being better informed of the threats they face, and prepared to minimise the risks of cyber attacks.
The trust their clients place in them both to improve their wellbeing and protect their intimate medical data, and the attractiveness to criminals of this data make it too critical to delay any further.
In the digital age, a security breach is inevitable - becoming a headline doesn’t need to be. Trusted Impact has helped many health organisations face these challenges. We can assist your business to analyse its risks, and put programs in place to ensure the confidentiality, integrity, and availability of health and patient data. For a confidential discussion, contact us.
See also
Medical devices and hospital management systems still vulnerable to cyber attacks
People Risk Manager | Trusted Workforce Solutions | PERSEC (6y)
Australia’s Digital Health Agency: The former privacy commissioner Malcolm Crompton said of digital health records that they “will not be secure unless a widespread audit of every GP clinic in Australia is conducted. It may well be military-grade [security] on the central servers of the My Health Record system [but] it’s demonstrably not military grade for all of those 900,000 practitioners.” https://www.itnews.com.au/news/cyber-attacks-rise-in-australias-data-breach-numbers-499323
Transformational leader and influencer as: Company Director | Executive Leader | Strategic Digital Consultant | Executive Enterprise Architect (6y)
Really good piece Tom.
Strategic Thinker | Capability Development | Change leader in healthcare (6y)
What a brilliant thought leadership piece Tom! Happy to spruik you are on HISA's Cybersecurity CoP Steering Committee. Incredibly scary statistics you share - as recent as 2 days ago and in our own back yard.
Risk Management, Insurance and Resilience Professional (6y)
Food for thought, especially following VAGO’s May 2019 audit on patient data security. Audited entities included DHHS and some Victorian hospitals, who all did not fare well in this audit, with some concerning security gaps highlighted.