INTELLIGENT ENTERPRISE SECURITY
Is medical data worth more? It seems to be worth something between traditional database dumps and payment card data. If the medical data contains financial data, it appears to be more profitable to sell them separately rather than together.
When McAfee Labs published the research report Cybercrime Exposed, the concept of cybercrime-as-a-service was a relatively new idea. The fact that components of a cyberattack can be outsourced was not commonly known. Today this is old news, with cybercrime-as-a-service a very well publicised business model. This business model applies equally to the health care sector.
Intel Security can see cybercrime-as-a-service operating in the health care sector, with evidence that vulnerabilities are being sold and organisations are being compromised as a service. To put this in perspective, a non-technical cyber thief buys tools to exploit a vulnerable organisation, uses them with a little free technical support, and then extracts 1,000 records that could net him £12,000, about $15,564.
Cybercriminals today require little technical knowledge, only the means to pay for help from someone with the requisite experience. In fact, there are a multitude of sellers offering stolen data to buyers who do not need to get involved with direct attacks on organisations. Buyers of stolen data may have other motives, but from breach to resale of stolen data, the motivation of these attackers is clearly financial. Although personal or sensitive data has value, it is likely that intellectual property or other types of medical-related data has higher value.
Holding health care organisations ransom or targeting them for theft of personal data is a relatively recent phenomenon. Targeting biotechnology and pharmaceutical firms for theft of intellectual property appears to be considerably older. Early cases go as far back as 2008, with reports that data sought included drug trial information, chemical formulas, and confidential data for all drugs sold in the US market. Clearly, the economic value of such information is considerably higher than the cents-per-record market this and other reports have identified.
Opportunities like this apparently justify the cost of a cyber theft operation that employs hundreds of people and makes use of at least 1,000 servers. Such attacks have not entirely focused on private sector firms. For example, the US Food and Drug Administration has been among the most targeted agencies because of its role as the starting point for bringing new products to market.
To understand the scale of the attempted intrusions, a Freedom of Information Act request found 1,036 incidents had been reported between 2013 and 2015. Of those, half involved illegitimate, unauthorised access into Food and Drug Administration computers. Another 21% were classified as probes or scans, similar to phishing, and 19% were malware intrusions.
The use of malware was discussed in a Form 8-K submission by Community Health Systems to the US Securities and Exchange Commission. They reported that sophisticated malware attacked the company’s system. The submission noted that the attacker sought valuable intellectual property, such as medical device and equipment development data. The forensic team in charge of the investigation reported that this group typically targets companies in the aerospace and defense, construction and engineering, technology, financial services, and healthcare industry verticals.
In most cases, spear phishing is the precursor to infection, as was demonstrated in an attack against the National Research Council. In this example, the attack began with the collection of valid email addresses for research council employees, according to a study conducted by the Canadian Cyber Incident Response Centre. The attack was followed by the installation of malware after the recipients clicked on malicious links.
Despite its simplicity, spear phishing appears to be a recurring theme even when the objective is the theft of intellectual property, trade secrets, and other sensitive or proprietary information.
Research continues into health care attacks whose aim is intellectual property theft. There is no doubt that pharmaceutical and biotech firms must remain vigilant because their most valued assets are in the spotlight of determined threat actors.
The examples of a hidden data economy for stolen medical data represent only the tip of an iceberg. However, cybercrime is merely an evolution of traditional crime.
When it comes to medical data, the ability to recover our information is considerably harder than with other data. When retail store Target was breached in 2013, victims had their compromised cards cancelled and new payment cards reissued. This limited the damage to individuals because the cards flooded the underground market and were quickly offered for sale. For medical data, and personal information, the recovery strategy is not quite as simple.
One troublesome issue with this topic is the lack of evidence pointing to the motivation behind the acquisition of stolen medical data. With payment card information, it has been documented that stolen card numbers are used to conduct fraud against the victims. In the course of investigations, Intel Security has identified where specific data is sought to verify the addresses of the victims. At present, specific uses for bulk data purchases of medical data have not been identified.
Excerpted from Intel Security report titled: Health Warning, cyberattacks are targeting the health care industry.