The black market has become so flooded with stolen credit cards that selling them is now less lucrative. This has caused cybercriminals to look for other means of making cash, and many of them are turning to stealing healthcare records.
Healthcare records sell for , as opposed to the $1/record or less for credit cards.
The benefits of stealing healthcare records are two-fold. Not only do criminals make more, but it is also easier to steal healthcare records than credit cards. Most credit card companies employ effective security and fraud detection programs.
Healthcare facilities may be easier targets, evidenced by the rise in healthcare data theft. In 2013, the healthcare and medical sector made up 43.8% of data breaches (an 8.9% increase from 2012).
The higher return for healthcare theft may give cybercriminals more motivation to get creative when attempting to breach a healthcare organization. However, there may be other reasons that stealing healthcare records is easier than stealing credit cards.
"As attackers discover new methods to make money, the healthcare industry is becoming a much riper target because of the ability to sell large batches of personal data for profit. Hospitals have low security, so it's relatively easy for these hackers to get a large amount of personal data for medical fraud." - Dave Kennedy, CEO of TrustedSEC and expert on healthcare security
It is harder and takes longer to identify medical identity theft, giving criminals more time (sometimes years) to make money off of stolen credentials. This alone makes medical data more valuable than credit card numbers because cardholders are encouraged to monitor their bank statements and credit reports closely—quickly cancelling cards once fraud is detected. Consumers usually only discover that their medical credentials were stolen after their information is used to impersonate them to obtain health services. When the unpaid bills are sent to debt collectors, they track down the fraud victims and seek payment.
Funds may be an issue for many healthcare providers. Because of their focus on patient health, the continual need for better medical equipment, and the threat of litigation, it may be difficult to divert funds to cyber security.
More and more healthcare providers are switching to electronic medical records to make storage and billing easier and more efficient. And while security measures are being put in place to help with the transfer of records, sometimes data storage practices are not as secure.
On average, consumers replace their PC or laptop after 4.5 years of use, opting for new and improved models. The same is not true of medical equipment. Medical devices are meant to and are often used for decades. Though the medical device may function properly for that amount of time, security patches and updates may not be available for that period. For example, some medical equipment still use Windows XP Embedded. Outdated patches and updates are a recipe for a data breach.
Many of the security issues healthcare facilities face can be fixed by following cyber security best practices. These recommendations may not fix all cyber security issues, but they are a great starting point.