The price of electronic healthcare records is dropping on the dark web. That reality, in turn, appears to be setting cybercriminals on course to launch even more ransomware attacks.
Currently, the cost of a health record ranges from $20 to $50 on the black market, and that’s down from just last year, when records could garner $75 to $100, according to James Scott, senior fellow at the Institute for Critical Infrastructure Technology.
“The price is down,” Scott said, “which means the volume of availability is exceeding demand.”
In response, there’s been an evolution of how EHR data is sold, according to a recent ICIT report on the dark web and EHRs. Directly after a breach, hackers sell only general information. But a few months later, after the dust has settled, full, long-form records hit the market.
There are many ways this information can be packaged and sold. Hackers create full-ID kits from EHR information and supporting documents, such as utility bills or insurance information. Combined with the EHR information, these complete records rake in between $100 and $500. Stealing one piece of information is no longer enough to make money.
“You can simply own a victim if you know how to do it,” Scott explained.
Pam Dixon, founder and executive director of World Privacy Forum, prices a complete EHR record at an average of $50 each, a rate she agreed has gone down because health data is easier for cybercriminals to steal.
The influx of EHRs will eventually lead to an increase in ransomware attacks and in attackers’ proficiency, as cybercriminals look for ways to continue making money from the healthcare industry.
“There’s been a long trend of identity theft, and that’s still going to be a predominant threat as healthcare files become less profitable over time,” Dixon said. “What will likely happen is the hideous problem of ransomware will crop up. Cybercriminals will shut down the system to make money.”
Healthcare executives need to get ahead of this; right now the math is showing it’s not a good place for the healthcare system, Dixon explained. And data security can’t be one-size-fits-all. There are a lot of structural issues that need to be addressed to prepare for what lies ahead in cyberattacks.
“At the point in time when the bad guys get so good, you need to get even better,” Dixon said. “There is a very slim amount of time and opportunity to get ahead of this ransomware trend. It hasn’t taken full root yet, based on what the Department of Justice is saying about security trends. I have a strong suspicion it’s going to be in the cards.”
Learn more at the Privacy & Security Forum in Boston, Dec. 5-7, 2016.