Cyber-crime in the healthcare sector is growing. The latest reports show that healthcare has the highest occurrence of cyber-security mishaps of all industries. It's bottom of the league table for its ability to fix software vulnerabilities. But there may be a very small silver lining. Healthcare records are not as valuable as banking details to cyber-criminals.
An article in ITONLINE says the price per record for stolen patient medical records remains lower than financial account records and retail payment account information. This is a finding from Intel Security’s McAfee Labs Health Warning which:
- Assesses the marketplace for stolen medical records
- Compares it with the marketplace for stolen financial services data
- Identifies healthcare cyber-crime trends
- Profiles cyber-crime targeting intellectual property in the pharmaceutical and biotechnology industries.
The Intel Security research asserts that the development of the market for stolen data and related hacking skills indicates that cyber-crime in healthcare is growing.
“In an industry in which the personal is paramount, the loss of trust could be catastrophic to its progress and prospects for success,” says Raj Samani, Intel Security’s chief technology officer for Europe, the Middle East, and Africa. “Given the growing threat to the industry, breach costs ought to be evaluated in the Second Economy terms of time, money, and trust, where lost trust can inflict as much damage upon individuals and organisations as lost funds.”
In recent years, the cyber-criminal community has extended its data theft efforts beyond financial account data to medical records. Although credit and debit card numbers can be canceled and replaced quickly, protected health information (PHI) doesn't change. PHI could include family names, mothers' maiden names, social security or pension numbers, payment card and insurance data, and patient address histories.
This dynamic has led to industry speculation that the price per medical record could soon rise or even eclipse that of financial account or payment card data, but Intel Security's 2016 research doesn't support this theory. It found the average health record price was greater than that of basic personally identifiable information, but still less than personal financial account data. The per-record value of financial account data ranged from $14 to $25 per record, while credit and debit cards drew around $4 to $5. Medical account data earned between $0.03 and $2.42.
The findings suggest that financial account data continues to be easier to realise than personal medical data. Stealing medical records may enable cyber-criminals to analyse them and cross-reference them with other data to identify lucrative fraud, theft, extortion, or blackmail opportunities. Financial data still presents a faster, more attractive return on investment for cyber-criminals.
Healthcare records may not currently be as valuable as banking details to cyber-criminals, but this may change. Healthcare organisations need to be more vigilant than ever to ensure the security of their systems and their patients' data. Training and educating staff is an essential component of keeping healthcare data safe and should be part of each healthcare organisation's cyber-security policies.