We as an industry must demand greater protection of our medical data.
My Twitter timeline has just informed me of yet another company suffering from a data breach — this time only 43 million records. The reaction thus far has been limited to a collective shrug, just like we saw when news of the Yahoo breach came to light. While we in the security community will analyze and deliberate over the details behind the breach, the reality is that broader society — and indeed affected consumers — care more about the major character death in season 7 of the Walking Dead.
Sometimes consumers do care, such as when a breach impacts their day-to-day activities. After the Target breach, for example, it was reported that credit card companies implemented additional fraud checks that produced false positives. Holiday shoppers subsequently found that in some cases legitimate transactions were blocked, which they found “pretty annoying.” Yet while headlines about payment card breaches draw only a lukewarm response from affected users, “identity thieves have pulled off heists at 10 times the scale of credit card fraud by going after medical and tax records.”
These types of data sets are becoming increasingly valuable, yet awareness among wider society that such an economy exists remains remarkably low. When we began this research project, we had just published the “Hidden Data Economy,” a report intended to highlight the value criminals place on data. What was clearly missing from that research was medical data, which raised the question of whether underground marketplaces do indeed value such data sets. As a result, we set out to find this type of data for sale, to confirm whether the healthcare sector is indeed being targeted. We knew from research that ransomware campaigns were specifically targeting this sector, but did that include data exfiltration as well as ransom?
We didn’t have to look very hard, to be entirely honest. Almost immediately we were being offered huge data sets from the healthcare sector.
In fact, as we delved deeper we even saw details of the ecosystem that resulted in such breaches. One particular individual detailed that they had purchased an exploit that allowed them to gain access to a database within the healthcare sector.
What followed was a discussion about pricing, and of course congratulatory messages to the cybercriminal that they were now in the money. Such interactions demonstrate the vulnerabilities of the healthcare sector, but more importantly the value that criminals place on medical data. Such attacks are not limited to healthcare organizations; a recent Federal Times article highlighted that the FDA was also targeted. The article, titled “Why Hack the FDA,” pointed out that “the FDA reported 1,036 security incidents between January 2013 and June 2015.”
This article and a recent McAfee Labs report titled “Health Warning” demonstrate that bubbling just under the sea of stories of mega breaches is the fact that our medical data is not only valued but targeted by criminals looking to make money from our misfortune. Such data is non-perishable, and unlike credit cards there are no concerns about things such as validity rates.
We have no desire to spread fear about the state of the “Second Economy,” but the level of apathy is allowing almost free rein for criminals to compromise organizations for their own greed. We must demand greater protection of our medical data. The impact of such breaches may not be felt as quickly as credit card fraud, but be under no illusion: identity theft from medical data will last longer and will be more painful to resolve.
Raj has previously worked as the Chief Information Security Officer for a large public sector organization in the UK. He volunteers as the Cloud Security Alliance EMEA Strategy Advisor and is on the advisory councils for Infosecurity Europe and Infosecurity Magazine. In …