Report uncovers the underground healthcare data market

A new report from the Institute of Critical Infrastructure Technology undresses what happens to private medical data after its stolen from the hospital and the heaving marketplaces it ends up in

Electronic health data is some of the  most valuable around
Electronic health data is some of the most valuable around

A new report has lifted the lid on the underground medical data market. Entitled Your Life, Repackaged and Resold: the deep web exploitation of health sector breach victims, the report unveils the incredibly valuable offerings taken from people's stolen health records and hawked on the deep web before going on to be used in incredibly effective scams of medical identity fraud.

James Scott and Drew Spaniel, a senior fellow and researcher, respectively, at the Institute for Critical Infrastructure Technology (ICIT), begin their report by taking dead aim at the healthcare sector's security culture.

“Virtually all health sector organisations refuse to evolve their layered security to combat a hyper evolving threat landscape. By doing so, health sectors organisations render maximised vulnerabilities like technological gaping wounds to any adversary with the ambition to exploit them.”

The authors also express their fatigue with the kind of conversation had around healthcare breaches. Too often the outcome of a breach on a healthcare body is little more than an exchange of cliches.

To that end, the analysis begins post-breach and looks straight at where that exfiltrated data goes after it's been surgically removed.

According to the report, Deep web marketplaces like TheRealDeal Market, Dream Market and AlphaBay seem awash with various ways to exploit the healthcare sector and its data.

Some sell footholds into an organisation for those not well versed in the art of hacking. With the rise of cyber-crime as a service, this may well be expected. SenseCy reports that in 2016, it found a deep web vendor attempting to sell access to a company that provides equipment for 130 medical centres in the US.

The report notes that while individual profiles are often sold on marketplaces, large tranches tend to be sold in private transactions.

Health insurance credentials go for about US $20 (£15) and include all the expected personally identifiably information.

Data is packaged in various different ways. ‘Fullz', are full packages of health insurance info, bank account numbers, social security numbers and more. As a complete “electronic dossier of a victim that is compiled to specifically facilitate identity theft and fraud”, these go for about US $500 (£378).

Real premium packages are known as ‘Kitz'. Going for around US $1,200 (£909), these not only include the complete run down of personal information and credentials, but the accompanying documents.

Of all categories, the data of the elderly and children is supposed to be particularly valuable. The authors note: “Criminals aggressively pursue children's health records because the data has a long lifetime and because the compromise may go unnoticed for years.”

Children, after all, don't have credit scores, no capital to lose, and any debts they might have accrued through a third party's fraud will probably go unnoticed until maturity. By then, a child's health records “could have been sold tens or hundreds of times on the Deep Web and numerous threat actors may be using it.”

A study by Carnegie Mellon University found that as many 10 percent of 40,000 children have had their social security number used, 51 times that of adults.

The elderly are targeted because they're seen as more gullible and susceptible to fraudand in the US Medicare cards can offer up a great bounty of valuable information.

This is of course, all aside from the fact that once medical records are used fraudulently, the critical information about the legitimate owner is often deleted. Suddenly, an A blood type is changed to a B and an allergy to penicillin is no longer there. This kind of fraud, quite rightly has been called by The World Privacy Forum, “the crime that can kill you”.

The report focuses mainly on the US, which has several peculiarities not present in the UK.

Firstly, the private healthcare sector's dominance in the US means that many rogue data disclosures are not from large breaches, but from people giving their insurance to family, friends or loved ones in emergency situations.

The report cites a Ponemon Institute survey of more than 1,000 victims of medical identity theft. Twenty-four percent of such identity thefts occur when a family member steals a relative's insurance card and a further 23 percent happen when people actively share their medical information with someone who needs it.

Furthermore, comparing the plurality of healthcare bodies and insurance providers in the US, and the records that flow between them, versus the primary provider that is the NHS, shows a starkly different picture.

Alex Balcombe, network security specialist at ANSecurity, told SCMagazineUK.com  “the NHS is still pretty much a closed network when it comes to accessing patient data and has a long way to go in terms of opening up access to electronic patient records.”

“The historical problem with data loss has been less from external hackers and more from poor controls and badly trained staff”. To date, added Balcombe, there have been no reports of a cyber-attack on the NHS leading to a major healthcare breach.

This does not however mean that the UK's health system is in the clear, especially as the NHS undergoes large structural changes: “The move to commissioning groups instigated in the last round of NHS structural changes along with more private healthcare provision means that both the aggregation and dissemination of patient records is likely to increase over the next few years.”

So who might be after this data, and why? Ted Harrington, executive partner at Independent Security Evaluators offered some answers to SC.

Criminals are not all that interested in individual records but rather large tranches of them, said Harrington: “By compromising a large volume of records, adversaries can generate a large amount of money by selling them on the black market.”

The inverse is also true, he added:  “Those pursuing profit would likely not be as interested in pursuing attacks that would result in a small number of records, as that would be less lucrative. Generally speaking, adversaries pursuing profit are not that interested in any individual record.”

Harrington said that to terrorist organisations, the main objective might be instilling fear in patients: “This type of adversary would be interested in any type of scenario that would result in fear, which extends well beyond just patient health information”.

To nation states, the value in that data “could be in learning more about the political or other leaders of their foes. This type of adversary would be interested in the particular record of an individual.” We saw a recent example where medical records of athletes were stolen from the World Anti-Doping Agency to discredit the anti-drugs stance of the Olympics.