
There is a new epidemic threatening our healthcare system. A blatant disregard in medical organisations for ensuring their computers and staff don’t fall prey to hackers is putting sensitive records at the mercy of those intent on stealing them.
Attackers , making this sector the most targeted and most successfully breached of all critical infrastructures in the US. In 2015, attacks .
Hackers are obtaining treasure troves of immensely lucrative data at little risk. They are after electronic health records (EHRs). These are coveted more than financial information because a victim can cancel a credit card, close a bank account, or even change a social security number, but they cannot change the information in an EHR.
Advertisement
Once a criminal owns such a record, they own the victim’s identity. The records are sold and resold, individually and in bulk, on anonymous websites such as AlphaBay, Dream Market or TheRealDeal Market found on the Deep Web– the easy-to-access but unindexed internet used by some journalists, academics, whistle-blowers and criminals.
Why do criminals want to steal EHRs? To commit , perpetrate tax fraud, submit false insurance claims, acquire prescription drugs, create fake identities, extort patients, access government benefits, obtain medical devices or sell to other attackers.
For example, on TheRealDeal Market in August, one user – “thedarkoverlord”– offered to sell 9.3 million records from a health insurer database and 23,565 from a healthcare provider.
Costly in many ways
EHRs fetch approximately $20 for basic credentials, $500 for full electronic dossiers and $1200 for dossiers with physical forged cards and documents. Stolen data can be continuously reused, meaning that one successful breach can bring a hacker long-term prosperity.
And patients are being harmed. Over 20 per cent of medical identity theft victims receive delayed or insufficient medical treatment . Further, modern consumer protections fail to detect and remediate medical identity theft. Some victims forfeit an average of $13,500 in legal fees and 200 hours of their time (compared with $55 and 10 minutes for financial fraud) to challenge the erroneous charges.
The is so worried about this threat and the medical industry’s poor defences, that it is briefing the US Senate on the issue later this month in order to spur action.
Bureaucratic health sector boardrooms have been sclerotic in their response to this because they lack the cybersecurity expertise necessary to galvanise reform.
These breaches are at epidemic levels. While a national response is needed, responsible organisations must also mitigate these incidents now by adopting defences that detect, respond to and predict internal and external threats.