[BreachExchange] To mitigate medical hacks, identify incentives for hackers

Audrey McNeil audrey at riskbasedsecurity.com
Tue Aug 16 19:26:01 EDT 2016


https://www.brookings.edu/2016/08/16/to-mitigate-medical-hacks-identify-incentives-for-hackers/

Privacy breaches are extremely ubiquitous in the health care industry. Over
the last six years, medical data of more than 155 million Americans have
been potentially exposed through nearly 1,500 breach incidents. While there
are notable ongoing efforts among health care organizations to prevent
these incidents, the strategies to mitigate the consequences of privacy
breaches after they happen are entirely neglected.

A privacy breach is a risk that has two components: probability and
consequence. To effectively mitigate the risk, both of the components
should be curbed. That is, we should not only try to prevent the privacy
breaches, but also should have a plan to mitigate the negative consequences
of such breaches in case they happen.

Unlike health care organizations, the banking sector has mastered the art
of mitigating the consequences of privacy breaches. Immediately after the
breach of credit card data, all affected consumers are notified, their old
credit cards are frozen and new ones are issued. The process is so quick
and efficient that consumers often face considerably less harm from a
credit card data breach, especially because many credit card issuers now
provide fraud liability coverage to their consumers and insure them against
fraudulent charges.

On the other hand, the response of health care organizations to a data
breach only consists of panic, mandatory reporting, and in some cases,
provision of identity theft protection. Despite the fact that medical data
breaches can be disastrous for patients, health care organizations have no
viable strategy or technology to effectively reduce the negative
consequences of data breaches.

To mitigate the consequences of privacy incidents, we should first know
exactly how the breached data could be misused by hackers or unauthorized
users; to block a road, one should first know where the road is located.
Banks can often prevent hackers from using stolen credit card information
simply because they are better versed in how hackers monetize that data,
and thus have designed strategies to combat it. Despite the public concerns
over health care privacy breaches, we do not know exactly why hackers are
interested in stealing medical data or how exactly they monetize it.

In many cases, hackers aren’t really after health care data; they want
patients’ credit card information, which due to poor information technology
practices, is stored on the same network as many patients’ health records.
Hacking the financial part of the data also opens the door to medical data.

In other cases, hackers want the medical data of one or a few individuals.
As soon as a celebrity is admitted to a hospital, the hacking attacks on
the specific hospital skyrocket. Many people are interested in such data
and are willing to pay top dollar for it, which creates a strong financial
incentive for hackers to try to steal the celebrity’s medical records.

While it is very easy to follow the money and figure out why hackers may be
interested in getting their hands on the medical records of a celebrity or
other specific individuals to commit insurance fraud, it is very difficult
to imagine how a criminal organization may be able to monetize the medical
data of, say, 655,000 Americans. There is still even a great deal of
confusion about the value of stolen medical data in the black market, as the
range of reported value for one record of stolen data varies from under $1
to almost $500.

The first step to overcome this limitation and better protect patients’
privacy is to identify the incentives behind hacking attacks and classify
all the possible ways through which the stolen medical data could be
misused. Independent research institutes are uniquely situated to solicit
the experiences of patients who have been the victim of medical data
breaches and uncover the different ways through which hackers monetized the
stolen data. The expertise and experience of law enforcement agencies such
as the FBI’s cybercrime division or the Health and Human Services’
inspector general can also shed considerable light on other ways through
which criminal organizations use stolen medical data to commit fraud.

We still have much to learn about why hackers go after medical data and how
they monetize it. These government agencies could help us do just that.