Health and unSafety. Why is your medical data so valuable? 10 famous recent hackings to healthcare systems

Written by Alessio Mulas, Matteo Mauri, CNIT

In our recent post "Which could be the consequences of a social engineering attack?", we talked about an attack against Hollywood Presbyterian Medical Center and described how vulnerable hospitals are to social engineering techniques. Today we are going to talk about a similar case that shows, once again, how the healthcare industry is a potential target for data-hungry cyber criminals.

As NBC reported, on February 16th Main Line Health (MLH) became the victim of a phishing attack that compromised the personal information of nearly 11,000 employees.
MLH is a not-for-profit healthcare provider based in Philadelphia that operates four acute care hospitals and other institutions.

The attack started with what appeared to be an email from a legitimate source, received by an MLH employee. Just a few days after the breach, MLH was informed of the incident following a national alert issued by the IRS regarding a recent surge of this email scam.

This story unfolds in a quite common way: an attacker poses as a high-ranking individual on the corporate ladder and sends an email asking for detailed information; the victim falls for the scam and replies, providing the requested information.

Although both the Hollywood and MLH attacks were aimed at the medical sector, they are quite different. In the first attack, a criminal gains illicit access to a system by exploiting human and technical weaknesses and then brazenly demands a ransom. In the second attack, the criminal uses a more subtle approach based on human weakness rather than on technical expertise, and the goal no longer seems to be money but simply data.

 

The victim doesn't realize what is going on. Sense of duty, human weakness, and probably a lack of training in social engineering (S.E.) security take their toll as the employee replies to the scam email.

Picture the attacker as he opens the attached file, a well-organized collection of MLH employees' W-2 forms containing a trove of precious data such as full name, address and other personal information.

What is the purpose behind stealing this kind of data? Is a ransomware attack really that different from the one we're discussing today? People are seldom able to assign a correct value to data, especially personal data, and this makes it hard for most of us to understand the reasons behind this kind of attack.

What is the value of data? Scientists, researchers and security experts don't agree on a fixed value. According to this Washington Post article, a complete set of health insurance credentials was worth $20 in 2015, while this source states that, according to a report by the Aberdeen Group, it costs about $500 per patient, depending on who is buying. Finally, according to the Ponemon Institute, a stolen patient health record can fetch as much as $363.

In the MLH case, nearly 11,000 complete credential sets were stolen. So, even using the lowest proposed value of $20 for each set of data, we get an astounding $220,000 in return for sending "just an email".

 

This is just the latest case in a constantly growing trend. Cyber criminals have realized the economics of healthcare data and are increasingly targeting the medical sector, where they can collect data that can be sold for a high value on the black market.

Medical data has a more lasting value than other types of information: while a stolen credit card can be cancelled, it's not that easy to delete or change a date of birth or a social security number. So, on the black market, medical information has a higher value than credit card information.

Medical information can be used to impersonate hacking victims in order to obtain medical care or to purchase expensive medical equipment. Healthcare providers cannot detect this type of fraud as easily as financial institutions do.

 

As seen in this article, healthcare systems are becoming, day by day, one of the most frequent targets of cybercriminals and, at the same time, medical data protection is still one of the foremost challenges. While we wait to see how these challenges evolve, we end this article with a look at the recent past, listing 10 notable recent hackings of healthcare systems, according to the U.S. Department of Health and Human Resources report on Breaches Affecting 500 or More Individuals (from 2009 to the present day):

1) 2009: AvMed, Inc. - 1.2 million victims

2) 2009: BlueCross BlueShield of Tennessee - 1.2 million victims

3) 2010: North Bronx Healthcare Network - 1.7 million victims

4) 2011: TRICARE Management Activity - 4.9 million victims

5) 2011: The Nemours Foundation - 1 million victims

6) 2011: Health Net, Inc. - 1.9 million victims

7) 2013: Advocate Medical Group - 4 million victims

8) 2014: Community Health Systems - 4.5 million victims

9) 2015: Anthem, Inc. - 78.8 million victims

10) 2015: Excellus Health Plan, Inc. - 10 million victims

 


 




This project has received funding from the European Union’s Horizon 2020 Research and Innovation programme, under grant agreement No. 653618