How valuable is personal healthcare data?

Apparently it depends. Based on at least some price comparisons on the Dark Web – the underground online marketplace for cyber criminals – electronic health records (EHR) are not even close to premium goods.

McAfee, now a division of Intel Security, reported recently that the price for an individual medical record ranges from a fraction of a cent to $2.50, while a so-called “fullz” record – name, Social Security number plus financial account information from a credit or debit card can fetch $14 to $25.

But, other experts say medical records have enormous value, for a variety of reasons – mostly financial but sometimes political or personal – and retains its value for a long time.

“Medical data is very rich information,” said Axel Wirth, healthcare solutions architect at Symantec. “Besides demographics – name, date of birth – it includes financial and account information, insurance and government identifiers, residency information, physical descriptors, next of kin, and potentially even photos. It is as much of a fullz as it gets.”

[ ALSO ON CSO: Security tips for the healthcare sector ]

Dan Berger, president of Redspin, agreed. He said he thinks the lower prices for health data are only for what he called, “the ‘quick-flip’ scenario.

“For more elaborate schemes, a healthcare record is likely to contain a much deeper set of demographics that can be used for identity theft and fraud,” he said.

A healthcare record is likely to contain a much deeper set of demographics that can be used for identity theft and fraud.

Redspin Dan Berger, president, Redspin

And the Identity Theft Resource Center (ITRC), in a recent blog post, said the low prices are simply a matter of supply and demand. “There is such an abundance of stolen medical information available on the Dark Web that the value of these complete records has been slashed to less than half of what they used to be worth,” the ITRC said.

Indeed, its potential uses are perhaps more varied than data stolen from any other industry sector. James Scott, cofounder and senior fellow at the Institute for Critical Infrastructure Technology (ICIT), noted that it can be, “exploited for prescriptions, sold and resold, used for fraud or identity theft, and can be combined with other stolen data to generate holistic victim dossiers. In some less common instances it may be used for blackmail.”

To that, Wirth adds that the data can be used, “to establish a travel profile for government employees, based on vaccinations received, the sale of newsworthy medical incidents about celebrities and the use of medical data in legal disputes.”

Then there is the reality that much medical information – employment information, Social Security numbers, medical history, family members, physical descriptors – can’t be changed like a credit card account number. It is persistent, which means it is likely to retain its value for years, if not decades.

And one more thing: It is relatively easy to get. Healthcare organizations do pretty well at keeping their “customers” safe under their care. Unfortunately, they are not so good at keeping those customers’ personal data safe.

That weakness, widely known in the cyber criminal world, is one of the reasons healthcare organizations are such an attractive, and common, target, as multiple organizations have reported.

IBM called 2015 "the year of the health care breach," in its 2016 Cyber Security Intelligence Index.

The ITRC and IDT911 reported in April that while the medical sector ranked second to business in the percentage of breaches reported – 35.4 percent to 40 percent – it was far into first place for the number of records compromised – at more than 113 million, or 66.7% of the total.

David Finn, health IT officer at Symantec, said his firm’s Internet Security Threat Report for 2015 had similar findings – 39 percent of all breaches in 2015 were within health services. “Based on what we have seen on public notifications so far, we would, unfortunately, expect this trend to carry forward in 2016,” he said.

Based on what we have seen … we would, unfortunately, expect this trend to carry forward in 2016.

Symantec David Finn, health IT officer, Symantec

Actually, according to ITRC, things have improved this year. As of mid-December, while the raw number of breaches increased, the number of medical records exposed dropped dramatically, to about 15.4 million.

That is in significant measure because none of the breaches reported has come even close to the scale of several in 2105, including Anthem (78.8 million), Premera BlueCross (11 million), and Excellus BlueCross BlueShield (10 million). Those three accounted for nearly 90 percent of the total records compromised last year.

Still, the 15.4 million records compromised this year means a lot of lives seriously disrupted. Scott noted that this past June, “the script kiddie 'thedarkoverlord' offered 9.3 million healthcare records on TheRealDeal market on the Deep Web.”

Earlier that month, the same person had offered more than 1 million records from three different organizations – activities documented in an ICIT report in September titled, “Your Life, Repackaged and Resold: The Deep Web Exploitation of Health Sector Breach Victims.”

Ted Harrington, executive partner at Independent Security Evaluators, added that the success of ransomware attacks against healthcare organizations means more criminals will be drawn to it. While ransomware is not necessarily aimed at stealing data, Harrington said attacks such as those against Medstar and Hollywood Presbyterian, “prove that it is a viable revenue channel for attackers.”

This is not likely to change soon. The reasons why healthcare data remains so accessible to cyber criminals are easily explained but difficult to address.

Security is a board-level, business issue; yet in most healthcare organizations it is delegated to a team or individual without direct audience to the CEO or board.

Independent Security Evaluators Ted Harrington, executive partner, Independent Security Evaluators

Berger noted that it is, “inherently difficult to safeguard. It is a real balancing act. Too many controls and you might prevent doctors from accessing information they need to treat a patient; too few controls and that same information could end up in the wrong hands.”

Scott sees the same conflict. He said the problem is a combination of, “a lack of cybersecurity, a lack of cyber-hygiene, and the value and utility of the data. Many medical professionals ignore basic cybersecurity precautions like encryption because it slows down their patient response time or because their resources are dedicated elsewhere.

“Healthcare entities also have a high number of nurses, doctors, and other users physically or remotely accessing sensitive data and systems, which inevitably leads to poor security and in some cases, insider threat,” he said.

Finn said another problem is how quickly the industry adopted Electronic Health Records (EHR), from less than 10 percent in 2009 to 97 percent in 2014. “Unfortunately, that rush of implementation left security behind,” he said.

Another problem: Even though annual national health care spending is a staggering $3.35 trillion, many organizations are using badly outdated equipment. According to McAfee, some medical workers are using systems with Windows 95. Microsoft discontinued support for that OS in 2001 – several lifetimes in the world of technology.

Harrington attributes that to security not being an investment priority, in part because, “there is insufficient executive buy-in and understanding of the security mission. Security is a board level, business issue; yet in most healthcare organizations it is delegated to a team or individual without direct audience to the CEO or board,” he said.

According to Scott, it sometimes simply comes down to the reality that it may be, “more cost effective for hospitals to operate outdated equipment and assume potential risk than to replace antiquated equipment.”

Wirth said that reality is complicated by interdependencies. In many cases, “a system upgrade would require a number of other costly software and hardware updates,” he said.

“A lot of medical systems and software are very specialized and are upgraded infrequently, especially medical devices, which have a long development cycle and a long, useful life in the hospital.

It makes no sense, he said, for a hospital, “to buy a new $500,000 MRI scanner just to replace the end-of-life operating system.”

Given those realities, experts say there are still basic cybersecurity “hygiene” steps organizations can and should take to guard patient data. Most of it comes down to what is recommended for any organization – good cyber hygiene and layered security. That includes:

- Awareness training: “By now, everyone has heard that, ‘people are the new perimeter in security,’” Berger said, “yet, in my opinion, most healthcare organizations still invest only a fraction of their IT budgets in security awareness training. Perhaps it’s time for cybersecurity to be elevated to the same risk management equivalence as health and safety.”

- Technology: Scott and others say the right technology solutions can, “detect insider threats, segment data according to identity and access, and automate cyber-hygiene.”

- Build security in: This will not happen quickly, but healthcare organizations need to start demanding that vendors of medical devices, “incorporate security-by-design throughout the development lifecycle,” Scott said.

- Know your assets: “Not just the hardware, but the software, too,” Finn said, “and most importantly, where your data is and how it is being used.”

- Think like an attacker

- Stay up to date with patches of hardware, software and operating systems.

“Cybersecurity is not a fad or a trend,” Scott said, “and the healthcare sector needs to recognize its need for dedicated information security personnel and to begin aggressively recruiting talented professionals capable of monitoring and responding to the hyper-evolving threat landscape.”