Hospitals are often the target for ransomware attacks (see: Hospitals and Ransomware; How Should Hospitals Protect Themselves?). In a recent note, I discussed a software product that could theoretically help to protect hospitals from this threat (see: Israeli Software Designed to Protect Hospital Data from Ransomware). It has been suggested by a cybersecurity think tank in a recent article that "some 47%" of Americans have had their medical records hacked in the last year (see: On The Dark Web, Medical Records Are A Hot Commodity). Below is an excerpt from that article:
More than 113 million medical records were hacked in 2015 alone....A newly released report from the Institute for Critical Infrastructure Technology, a cybersecurity think tank, found that some 47% of Americans have had their medical record hacked in the past 12 months....But why are medical records now such a hot commodity for hackers and thieves?....On the dark web, medical records draw a far higher price than credit cards. Hackers are well aware that it's simple enough to cancel a credit card, but to change a social security number is no easy feat. Banks have taken some major steps to crack down on identity theft. But hospitals, which have only transitioned en masse from paper-based to digital systems in the past decade, have far fewer security protections in place. On the dark web, complete medical records typically contain an individual's name, birthdate, social security number, and medical information. These records can sell for as much as (the bitcoin equivalent) of $60 apiece, whereas social security numbers are a mere $15. Stolen credit cards sell for just $1 to $3....[T]hese medical records can be leveraged for a wide variety of nefarious purposes. In some cases, it's about stealing a person's identity and billing them for a surgery or a prescription, and in others it's about opening a new line of credit....Moreover, important information on the patient's medical record will often be deleted, like an allergy to penicillin, or new entries added. In some cases, it's intentional. But it's more often a by-product of the theft.
It appears to me that hospital and healthcare information systems are particularly vulnerable to ransomware and hacking. As I discussed in a previous note about phishing (see: Hospitals and Ransomware; How Should Hospitals Protect Themselves?), part of this vulnerability is attributable to the large number of hospital personnel with access to health records, many of whom may not be that sophisticated about IT. I am not sure if healthcare systems differ from those in other industries in terms of vulnerability. At the very least, I think that hackers believe that this is the case.
The article under discussion here indicates that stolen health records are of greater monetary value on the dark web than other records in the sense that the stolen information can be "leveraged" for extra illegal gains. One such strategy is apparently to determine that a patient has some balance on his or her hospital account and then falsely bill the individual for it. At the very least, this same approach would be a means to illegally coax a credit card number from the person. The conclusion that I draw from all of this is that the healthcare industry has a long way to go in terms of making hospital systems immune from hackers and viruses. This means spending more money and hiring the best talent to protect the systems.