The seedy underworld of medical data trafficking

A 'value pack' of 10 stolen Medicare numbers for sale
By Chris Bowen
08:53 AM

As more healthcare organizations are discovering to their woe, having direct access to patients' personal health information puts a giant target on their backs for cyber thieves that traffic in stolen medical records. Medical data breaches are increasing in frequency and scope, with millions of Americans now victims of medical identity theft. Who are the criminals behind this digital era crime wave?

IBM research shows that the vast majority of cybercrime is highly organized and generating unprecedented profits, noting that the largest bank heist in history was $30 million compared to the annual $445 billion cost of cybercrime. Solo cybercriminals are also out there, however. Trend Micro observes that these different classes of criminals also dwell in different forums, with petty thieves showing up in more easily accessed sites, and organized cyber thieves residing in closed forums of their own.

A foray into the online black market for stolen data — and other goods — is a surreal experience. With names like "DamageLab" and "Hell," many forums have the same features of legitimate online shopping sites, from "buy now" buttons to, in an ironic twist, rating systems that score a dealer's trustworthiness. The product descriptions, on the other hand, make it quickly apparent that the wares for sale are anything but legit. A recent NPR report described a dealer with exceptionally high marks who had a "value pack" of 10 stolen Medicare numbers for sale. The total pack could be had at a cost of 22 bitcoin (the preferred currency of many cyber criminals), which works out to about $4,700.

To understand why one Medicare number can sell for close to $500, consider that these records typically include names, birth dates, Social Security numbers, policy numbers and billing information that can be used for an equally exhaustive list of profitable activities. Using a valid Medicare number, thieves can open multiple credit lines, create fake IDs, purchase medical equipment or pharmaceuticals for resale at a profit, and defraud insurance companies. And unlike credit card fraud, which usually shows up within days and is quickly shut down, medical data theft can go undetected for months or even years.

That said, online security blogger and investigative journalist Brian Krebs reported finding records for sale at the "Evolution Market" forum—which Krebs described as a "black market bazaar" for everything from narcotics to stolen medical data—for the bargain basement price of $6.40 per record.

How do these transactions take place? It depends on the forum, but Trend Micro notes that at one popular site for credit card data, "the actual dealings go down via instant messenger applications such as Jabber or ICQ; payments are conducted via anonymous money transfers with providers such as Western Union, MoneyGram, WebMoney or Bitcoins."

With sharks clearly circling the perimeters, why is the healthcare industry such a reliable victim? The answer is that much of the IT infrastructure in the healthcare industry is aging and fragmented with inconsistent security—in short, a cyber crook's ideal target. But a "rip and replace" of all this infrastructure simply isn't feasible, even for healthcare providers that could easily afford it. Repelling data thieves takes continuous monitoring and multiple layers of security, all of which require resources most healthcare organizations don't and won't ever have.

The cloud managed services solution
Rather than take on the daunting work of making such a highly regulated, highly defended environment a core competency within their own IT departments, more healthcare organizations are partnering with cloud managed services vendors instead. At a minimum, such a vendor should have a strong healthcare-exclusive focus, proven HIPAA compliance, HITRUST certification, an onsite Chief Privacy and Security Officer with experience and credentials, documented security policies and procedures (including mandatory training), and layers upon layers of physical and infrastructure security.

A note about this layered or "defense in depth" approach: the core premise is that given sufficient time and resources for an attack, at some point there will be a breach in the protection. But having layers of security—think of a castle with a moat, towers, outer walls, inner walls and a series of inner chambers—gives the defenders time to identify the breach, delay the attackers and ultimately repel the attack in order to keep the most valuable assets safe. It's a strategy that has obviously become necessary with today's determined cyber thieves in mind.

While these are rigorous criteria that could rule out many cloud vendors, healthcare organizations will be best off finding one that not only meets but exceeds these qualifications. Hackers never, ever stop trying the locks and windows into a network with patient records in it. They're relentlessly determined to find a way in. The best defense is a cloud partner that is even more determined to prevent them.