Page 63 - Cyber Warnings
P. 63
The Risks (and Prevention) of Crime-as-a-Service in Healthcare
By Kurt Long, Founder and CEO, FairWarning
The recent study from the Brookings Institution detailing that 25 percent of hacking attempts will
focus on healthcare data should serve as a critical notification for industry providers. Since 2009
the study found the health data of more than 155 million Americans was breached, representing
a massive number of records containing SSN’s, addresses, and payment data.
The vehicle for a considerable number of these hacks comes through “cyber-crime-as-a-
service”, where criminals can go online to purchase virtual tool kits to conduct malware attacks.
These are packaged in a ready-to-go format, so criminals with limited technical backgrounds
can carry out successful ransomware. The payoff can be immense (especially compared to the
low risk of being caught), with health records on sale via the “Dark Web” for upwards of $50
each.
Despite the risks, many healthcare sector companies are ill prepared to stop such breaches.
And the passage of regulations such as those requiring electronic health records (EHR), there
were benefits in terms of accuracy and speed of information, but firms were not ready to secure
all of the new virtualized information. This combines with a lack of transparent monitoring (who
is accessing what information), and organizations have a difficult time to even spot if a breach
occurred.
Detailing the Causes
Easy monetary gain is the main cause for such breaches. Thieves that target these records do
not need a getaway car, and don’t need to worry about selling a physical product at a
pawnshop. They can conduct the attacks from any internet connection, with little fear of law
enforcement actions.
Breaches are not always committed by hacker groups. Many of them are performed either
intentionally or not by staff members at the provider or a vendor. Perhaps a front desk agent
agrees to look up the health records of a friend’s close family members, in violation of HIPPA
rules. Or a vendor with expired access decides to access and sell a few hundred records for
some quick cash. The problem with these smaller-scale breaches is they are often undetected
for weeks or months, and in many cases are not discovered at all. For internal staff, it’s often a
case of lack of awareness and faulty training. They might not clearly understand the right and
wrong ways to access data, or they might unwittingly provide access to other agents.
Another frequent source of hacks are third-party vendors working with healthcare facilities as
many of these workers are granted access, but their activities aren’t often tracked. Vendors
might be EHR providers, outsourced IT analysts, technicians, or labs that are all part of
coordinated care. These third parties often do not have tight controls over their staff’s actions in
regards to systems access, and the actual provider might have zero visibility. Another layer of
63 Cyber Warnings E-Magazine – June 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
