Why Medical Records are Frequent Targets of Cyber Criminals?

Cybercriminals extensively target the healthcare industry in order to access healthcare networks for a variety of nefarious uses. Why are healthcare records remarkably valuable to criminals?

Hackers do a lot to gain access to healthcare networks. The breach reports sent to the HHS Office for Civil Rights (OCR) indicate the increasing number of data breaches every year. There were 714 data breaches involving 500 and up records submitted to the OCR in 2021. It is 11% higher compared to the past year. About 75% of the data breaches were categorized as hacking/IT incidents.

Healthcare organizations, particularly healthcare providers, are appealing targets for cyber criminals because they keep massive amounts of important patient information. Big health systems keep millions of patient files and even fairly small healthcare providers keep the files of thousands and thousands of patients. The saved information is extremely detailed, which includes demographic information, Social Security numbers, financial data, medical insurance data, and medical and clinical information, and that data may be quickly monetized.

How Cyber Criminals Earn Cash from Stolen Medical Information

Healthcare information is very important since it may be utilized to do various crimes. Social Security numbers, birth dates, and demographic information of victims may be employed for identity theft to acquire loans and credit cards. Healthcare information may be used to imitate patients to acquire costly healthcare services, Medicaid and Medicare benefits, healthcare devices, and prescribed drugs. Healthcare information additionally consists of the required data to permit the filing of fraudulent tax returns to get rebates.

Unlike credit card numbers and other financial data, healthcare information has an unbelievably long lifespan and may frequently be taken advantage of for a long time undiscovered. Credit card firms keep track of fraud and quickly block cards and accounts upon detection of suspicious activity. However, improper use of healthcare information is more difficult to spot and could be misused in several ways prior to detecting any malicious activity. At that time, criminals could incur substantial debts – much more than is typically possible with ripped-off credit card data.

Stolen information could be employed to develop persuasive spear phishing, vishing, and smishing campaigns, in which the attacker imitates a hospital or medical insurance provider. Medical records consist of very sensitive data regarding health conditions, abortions, pregnancies, and sexual health assessments, and that data could easily be employed for blackmail and extortion.

Patient information stolen from healthcare companies is frequently processed and packed with other illegally acquired information to produce full record sets (fullz) with substantial data about people, frequently in personal detail. These complete record sets are usually offered on dark websites to other scammers who make use of the information to acquire records like Social Security cards, passports, and driver’s license numbers. The documentation enables the creation of an identity kit, which could then be marketed for substantial profit to identity thieves as well as other criminals to assist a huge variety of criminal actions.

Healthcare Information May be Used as Leverage

A lot of the hacking incidents that healthcare providers currently report involve ransomware. Ransomware is employed for encrypting files and preventing access, with the goal of creating massive interruptions to business functions. Confronted with an inability to function, businesses are compelled to pay the hackers to get the decryption keys. With no access to important systems, and particularly when health records are encrypted, the safety of patients is put in danger. Attacks on healthcare companies are consequently more prone to see ransom payments compared to attacks on other industries which are less dependent on information, which is why a lot of ransomware groups attack the healthcare sector.

These attacks block access to information, however, it is possible to recover it from backup copies. So, the Maze ransomware group began exfiltrating files prior to encrypting them and using the stolen information to compel victims to give ransom payments. The victims are threatened to publicize or sell the information when payment was not given.

Even though data is recoverable from backups, a lot of healthcare companies were forced to pay to avoid patient data misuse. This strategy has become so effective that numerous cybercriminal groups today no longer encrypt and merely kidnap information. It’s quicker, attacks are less probable to be discovered, and the effort needed is much lesser, enabling the attack of more healthcare companies. There may be no danger of data loss, however, the resulting damage to reputation from patient data exposure can be considerable.

Healthcare Companies are Easy to Target

Healthcare companies retain massive amounts of high-value information and they are frequently effortless attacks. The IT settings of healthcare companies tend to be complicated and hard to secure. Devices and software programs are still used even after reaching end-of-life since upgrading is expensive and quite often problematic. A lot of healthcare companies utilize programs that were created to work on particular operating systems and can’t be moved to the supported OS when obsolete.

Many connected devices are utilized in hospitals. According to IBM’s research, an average of 10 to 15 devices are utilized for each hospital bed, and so the number of medical and IoT devices increases at a significant rate. Monitoring those devices and making sure they are secured and updated is a big concern. Protecting medical and IoT devices could also be tough because many devices were not created with security plans.

Healthcare specialists need quick access to patient information. Members of the patient care team are usually located in different areas, therefore remote access is necessary, which presents additional risks. Healthcare settings are busy, and staff is usually overstretched, which unavoidably leads to human vulnerabilities that can be quickly taken advantage of. The healthcare sector is very vulnerable to phishing attacks because of busy working conditions, overstretched employees, and not having standard security awareness training. A MediaPro study in 2021 revealed that 72% of 850 healthcare employees are rated as a security threat, with just 28% showing they got the skills to identify and prevent phishing attacks.

Additionally, lots of healthcare companies continue to be seriously dependent on traditional security options, like network and endpoint technologies that aren’t efficient at protecting IoT devices and cloud infrastructure.

How to Make Healthcare Cybersecurity Better

Phishing, malware, and ransomware attacks on the healthcare sector are unlikely to stop, thus healthcare companies must improve their security and reinforce their cyber posture to stop cyber actors from succeeding.

There must be a detailed risk analysis to spot all threats to the integrity, availability, and confidentiality of ePHI. OCR must conduct audits and investigations frequently to discover downfalls with risk analyses. Healthcare companies must ensure to determine all locations of ePHI in systems and devices, and perform an organization-wide risk analysis and deal with the identified risks promptly.

The following cybersecurity guidelines must be implemented:

  • doing regular vulnerability scans
  • prompt patching
  • backing up information
  • doing network segmentation
  • creating and keeping a log of all devices linked to the networks
  • implementing multi-factor authentication for efficient access controls

Employees must have regular security awareness training to improve their security posture. The training on awareness of phishing and other types of attack targeting employees should be supported by phishing simulations.

Considering the quickly changing threat landscape and the issues of protecting the attack surface, the implementation of zero-trust architectures by healthcare organizations is a must to secure systems and information in case threat actors become successful in breaking down perimeter defenses.

About Christine Garcia 1200 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA