Electronic health records (EHR) theft is the new “low-hanging fruit,” meaning the bad guys are having a field day stealing EHR databases. For example, Zack Whittaker in a June 2016 ZDNet post writes, “A hacker who claims to have obtained more than ten million health records is selling the data to the highest bidder on the dark web.”
However, several experts, including Francois Paget, Charles McFarland, and Raj Samani of Intel Security, noticed something while they were compiling data for their 2015 paper The Hidden Data Economy (PDF): No one knows what’s being done with the stolen EHR data dumps.
McFarland and Samani, along with researcher Christiaan Beek, decided to see if they could find what’s happening to the stolen EHR databases. Less than a year later, the Intel researchers published Health Warning: Cyberattacks are targeting the health care industry (PDF), providing information on how EHR databases are being stolen, how they are sold, and offering some ideas on how the EHR data dumps are being used.
Before getting to the paper’s findings, Beek, McFarland, and Samani offer a disclaimer. “We must make one thing clear: It is not our intention to stir up fear,” write the authors. “Rather, our aim is to document the threat landscape so that healthcare organizations can take action.”
As to why fear comes into play, the researchers mention that records of a person’s health simply cannot be changed in a fashion similar to canceling stolen credit/debit cards. “Indeed, the nonperishable nature of medical records makes them particularly valuable,” mention Beek, McFarland, and Samani. “Because the ability to reduce the impact of a medical data breach is significantly diminished, we must do all we can to reduce the likelihood of successful attacks.”
SEE: Identity Theft Protection Policy (Tech Pro Research)
As with other cybercrimes, stealing EHR databases no longer requires technical proficiency. The researchers offered evidence that vulnerabilities are actively being sold, and “compromise-as-a-service” is a thriving business. The researchers write, “To put this in perspective, a relatively nontechnically-proficient cyber thief buys tools to exploit a vulnerable organization, uses them with a little free technical support, and then extracts 1,000 records that could net him about 15,564 dollars.”
If that’s still too complicated for would-be criminals, the researchers add, “Rather than ‘buying the RDP,’ the attacker could simply have acquired an active account belonging to a health care organization.”
SEE: Electronic health records: The smart person’s guide (TechRepublic)
Are EHRs really for sale?
Next, the research team verified that EHRs were, in fact, for sale. Beek, McFarland, and Samani write, “Quickly, we discovered dark web vendors offering for sale huge data dumps of stolen medical data. In some instances, its availability was highly publicized.”
Figure A is one seller’s website offering a database containing almost 400,000 EHRs. The database includes names, addresses, and data about the patient’s health care provider.
Hiding in plain sight
It is apparent that cybercriminals are not timid. Sellers are unafraid to advertise stolen EHR databases on social-media outlets, as shown in the tweet by TheDarkOverlord in Figure B.
Twitter has removed the above tweet, but it is a digital “whack-a-mole” game as sellers quickly open new accounts using different credentials or advertising a different EHR data dump.
But is anyone buying?
It is clear records are being stolen and offered throughout the Dark Web, but is anyone buying, and if so how are the records being used? Regarding data-dump purchases, the researchers offer as proof review websites, similar to the one shown in Figure C, that rate sellers of stolen data.
“The seller appears to be active, with 100% positive feedback from 15 interactions to date,” note Beek, McFarland, and Samani. “These positive reviews were likely gained as a seller, as the recent feedback clearly indicates.”
SEE: Gallery: The top 10 Dark Web search engines (TechRepublic)
A troublesome issue
Even after all their research, Beek, McFarland, and Samani are troubled by the lack of evidence regarding the motivation of the cybercriminals buying EHRs. “With payment card information we have documented that stolen card numbers are used to conduct fraud against the victims,” write the researchers. “At present, however, we have not identified specific uses for bulk data purchases of medical data.”
The research team members vow to continue looking into the theft of EHRs, saying it deserves significant attention. If their track record is any indication, there should be no doubt that the trio will eventually find what buyers of stolen EHR databases intend to do with their purchases.