In a report prepared for the U.S. Senate, two security researchers detail why electronic healthcare records (EHR) are being stolen. According to Symantec’s April 2016 Internet Security Threat Report, healthcare was the most targeted and most valuable sector in 2015. EHR hacking has grown considerably since then.
One entity, in particular, has been behind the majority of EHRs compromised this year. The hacker(s) operate under the pseudonym TheDarkOverlord (TDO) and sell hacked medical data on TheRealDeal marketplace. These attacks started making headlines in late June, when TDO released 655,000 records from three healthcare databases. TDO agreed to provide DeepDotWeb with exclusive images of databases from within the company’s internal network.
At the time of the DeepDotWeb exclusive, TDO had three listings on TheRealDeal marketplace, totalling 655,000 unique patient records. The listings were from three different healthcare companies in the US: Athens Orthopedic Clinic in Athens, GA; Midwest Orthopedic Pain and Spine in Farmington, Missouri; and a third that was never identified beyond being in Oklahoma City. According to TDO, the third company paid the ransom and had the database removed from TheRealDeal.
Two days after the exclusive with DeepDotWeb, TDO published 9,300,000 patient records online. The records were listed for 750BTC and contained names, addresses, phone numbers, birth-dates, and SSNs. While some of the data was old or outdated, a security researcher reported on her blog that she had verified the data’s authenticity.
At the time of the “Health Insurance Database Listing,” 750BTC was equivalent to nearly $500,000.
The recent exploitation of EHR has led many to question the reasons behind the sudden surge in this sector.
Researchers from the Institute for Critical Infrastructure Technology (ICIT) attempted to answer this very question in a recent study, titled Your Life, Repackaged and Resold: The Deep Web Exploitation of Health Sector Breach Victims. On September 22, 2016, James Scott and Drew Spaniel of ICIT, the co-authors of the paper, briefed the Senate on their findings.
The very root of the issue, they describe, is that medical records are incredibly susceptible to exploitation. An overwhelming number of acute care facilities and non-acute providers fail to encrypt data while in transit or at rest.
A section titled “Why Attacks Succeed” summarizes the issue:
Without encryption, the data in transit can be captured through eavesdropping, packet sniffing, or through other means and the data at rest is susceptible to theft of the device, to RATs and other malware on the machine, and to networked attacks. They also found that only 78 percent of acute care facilities and 90 percent of non-acute providers had firewalls in place to guard their networks.
Scott says the hacked data will often remain underground for a significant period of time. The information, by itself, is only minimally useful in exploitation. Using the data to recreate a person’s identity is often the desired outcome and doing so takes time.
“So, it will look like basic short-form ID theft material, but eventually the electronic health record will surface as a ‘fullz’ – the slang term on the deep web [for] a complete long-form document [containing] all the intricacies of a person’s health history, preferred pharmacy, literally everything,” he says.
The healthcare records will eventually start appearing on the deep web for an average of $20 per individual. Those who are in it for the long run will then search different vendors for matching documentation. “They then proceed to have passports, drivers’ licenses, Social Security cards – all these things that will help the counterfeit imitation of the victim,” Scott says.
All documents required to build a full identity kit, including EHR, only end up costing around $120. A full identity kit can then be sold for $2,000. Major profit can be found in creating full identity kits, with EHR providing a cheap building block.
These ID kits go on to be used for a wide variety of criminal activities, according to the report. Scott tells GovInfoSecurity “illegal immigration, pedophilia and launching more attacks using social engineering” are some of the more common uses.
The report further covers malicious uses for stolen healthcare information:
These actors [hackers] covet patients’ electronic health records to sell to anonymous buyers or to use themselves to commit medical identity theft, perpetrate tax fraud, submit false claims, acquire controlled and prescription substances, create fake identities, extort patients, access government benefits, obtain medical devices or to be weaponized against the nation in espionage databases.
Researchers believe the use of legacy technologies or poor data encryption by medical companies is making them an easy target. A patient does not control their EHR storage, yet the patient bears the majority of the long-term fallout. The rest of a victim’s life may be impacted.
In GovInfoSecurity’s interview, James Scott explains the purpose of the Senate presentation. He wanted to explain the challenges involved in tracking down the original sources of breached EHR on the deep web; to advise healthcare entities on preventing breaches; and to potentially help the federal government enforce the law to this extent.