Healthcare records for sale on Dark Web

By: Ryan Francis

Last August a Baltimore substance abuse treatment facility had its database hacked. Patient records subsequently found their way onto the Dark Web, according to The group noticed such things as dates of admission, whether the patients are on methadone, their doctors and counselors, and dosing information.

In the blog, the hacker “Return,” who they think is Russian, described how he compromised the Man Alive clinic: “With the help of the social engineer, applied to one of the employees. Word file with malicious code was downloaded.”

The sample provided by Return consisted of 727 pages of unredacted patient profiles containing personal and treatment information on 633 patients, Databreaches wrote.

Flashpoint’s Director of Research Vitali Kremez said healthcare records have been a key driver of the Dark Web economy for many years because they are a rich source of very specific and, in some cases, immutable personal information that can be used to initiate many types of fraud, from insurance fraud to identity and tax fraud. These types of fraud cost taxpayers billions of dollars annually, according to the FTC.

Kremez said the initial attack vector appears to be a vulnerable Remote Desktop Protocol (RDP) server belonging to the Baltimore clinic. In this case, Flashpoint saw complete patient information stolen from a clinic in Baltimore, over 43,000 records, offered at a price of $300 — or less than one cent per record.

The Identity Theft Resource Center reported that there were 355 breaches in 2016 affecting 15 million records. 2016 was a record year for US healthcare breaches, which affected hospitals, dental clinics, and senior care facilities, among others. The top 10 breaches netted criminals in excess of 13 million records, and the Dark Web was literally flooded with “fullz” (full packages of personally identifiable information) as well as patient insurance information.


“So much so was the glut that extensive Flashpoint Dark Web research saw fullz actually commoditizing and the value of individual fullz decreasing. While Flashpoint has observed actors offering medical data for a bulk price of $7 per record, the industry standard for the value of an individual record is now at $0.50-$1,” Kremez said.

He said information like birthdates, Social Security numbers and driver’s license information are used to fill out, submit and validate any number of fraudulent accounts or transactions – such as income tax filing, financial aid applications or insurance claims. Marital status or emergency contact and employment information can also be used to guess security validation or password reset questions. And email addresses or phone numbers can be used to evade anti-fraud mechanisms such as PIN systems or multifactor authentication.

Flashpoint has also seen the emergence of Health Savings Account (HSA) fraud. While not new, HSA fraud has evolved substantially in credibility, complexity, and frequency since 2016. Such fraud is harder to detect because HSA accounts typically have less subscriber and institutional oversight, Kremez reported. In fact, recent estimates suggest that there are more than 20 million existing HSA accounts that hold nearly $37 billion in assets, which represents a year-over-year increase of 22 percent for HSA assets and 20 percent for accounts.

“The healthcare sector remains a highly targeted industry as it offers rich, bundled resources of financial, personal, and medical information that can be exploited and often sold within the Deep and Dark Web (DDW),” he said. Common exploitation vectors remain vulnerable Remote Desktop Protocol (RDP) servers, web application vulnerabilities, and FTP servers belonging to healthcare organizations.

HIPAA compliance

And, of course, whenever you talk about healthcare records, you have to pay attention to compliance.

Full understanding and support from the highest levels of management are absolutely critical to the success of any security program, wrote Tracy Reed, CEO of Copolitco, a professionally managed, secure server hosting company that helps companies adhere to the Health Insurance Portability and Accountability Act (HIPAA). Every employee who will interact with the security program must understand the importance of security and adhering to policy.

“All companies who have a compliance obligation must remember that the point of HIPAA compliance is to impose a certain level of security,” said Reed. “Security is the ultimate goal, not necessarily compliance. Compliance comes as a result of having a good security program. Being compliant does not mean you are secure; it merely means you have ‘checked the boxes.’”

An HHS Office for Civil Rights official stated at the recent HIMSS and Healthcare IT News Privacy & Security Forum in Boston that the organization will be conducting on-site audits of hospitals in 2017 and that OCR is engaged in over 200 audits at the moment. One hundred and sixty-seven are looking at providers, and it sent out 48 to business associates, according to OCR senior adviser Linda Sanches.

Sanches further states that they will be involved in some on-site audits in 2017 and that the goal is to find vulnerabilities that the government is not currently aware of. She pointed out the lack of risk analysis and management as serious issues among covered entities and business associates.

All companies with a compliance obligation must remember that the point of compliance is to impose a certain level of security. Compliance comes as a result of having a good security program. Thus, being compliant does not mean you are secure, Copolitco wrote in its report. There are many things that could still result in a compromise such as an employee accidentally leaking a passphrase by getting his computer infected with malware or a bug in a web application exposed directly to the internet.

“When thinking about risk, risk analysis and mitigation as it relates to HIPAA compliance, business owners often wonder why they have to worry about security,” said Reed. “Often, their attitude is, ‘Who would want to harm us? We are small and have nothing that would be useful or of value to anyone else.’”

She said that, aside from the threat of federal enforcement action via civil and criminal penalties, healthcare data is often valued for unexpected reasons, including extortion, reputational damage, competitive advantage and more.

Both compliance and security are ongoing efforts. There are always new vulnerabilities discovered, new versions of software coming out, and advances in the state of the art in terms of attacking and defending.

“Prevention, detection and response are the three main components of a sound HIPAA compliance program,” said Reed. “Using secure passwords, keeping systems patched up, and even employee background checks are considered prevention. But since there is no such thing as 100 percent security, we must also plan to detect problems such as intrusions or situations which could lead to intrusion and limit damage. Finally, a plan must be in place to respond to an intrusion to prevent the situation from getting worse and to ultimately resolve the issue.”

The HIPAA Security Rule breaks down into three main areas (some of these procedures fall under the responsibility of the client, others to the HIPAA vendor):

Administrative Safeguards: These encompass a number of approaches including:

  • A designated privacy officer
  • Executive sign-off on policies and procedures
  • Procedures to clearly identify which employees should have access to PHI
  • Ongoing training program
  • Procedures for third-party outsourcing
  • Contingency plan for responding to emergencies
  • Internal audits
  • Procedures for addressing and responding to security breaches.

Physical Safeguards: These encompass a number of approaches including:

  • Controls to govern the introduction and removal of hardware and software from the network
  • Controlling and monitoring access to equipment containing health information
  • Facility security plans, maintenance records, and visitor sign-in and escorts
  • Policies to address proper workstation use
  • Training contractors or agents on their physical access responsibilities

Technical safeguards

The technological safeguards are somewhat more intricate and detailed. These include a number of approaches, such as:

  • Linux Host Hardening: A solid Linux host hardening program is based on the NSA Linux Hardening Guide, also known as the NSA Systems Network Attack Center (SNAC) hardening guide.
  • Xen Hardening: When virtualization is used, the hypervisor is hardened per the Xen CIS Benchmarks to the greatest extent possible, as well as per NIST SP-800-125.
  • MySQL Hardening: MySQL databases are hardened per the MySQL CIS Benchmarks wherever practical.
  • Encryption: When information flows over open networks encryption must be utilized: A reputable hosted-services company will use SSH for administrative functions, GPG for email, and SSL for webserving of ePHI. Standard Linux whole disk encryption is sometimes available although generally only recommended for mobile devices such as laptops.
  • Network segmentation: The client’s environment should be maintained on its own private network separated from non-client systems via firewalls using VLANs. Web application servers, database servers, and development servers should all reside in their own separate VLANs and be protected from each other to the greatest practical extent.
  • Firewalls: Firewalls must be configured with both ingress and egress filtering per NIST SP-800-41. Most are familiar with the idea of firewalls blocking inbound connections, but blocking unusual outbound connections is also necessary.
  • Auditing: Regular analysis of system log files is an important means of detecting intrusions, intrusion attempts, and software misconfigurations, among other things.
  • Intrusion Detection Systems: NIST SP-800-53 calls for intrusion detection systems for information system monitoring, near real-time alerting of issues, etc. A great way to monitor network activity and detect network attacks is a Network Intrusion Detection System (NIDS).
  • Backups: All CEs, including medical practices and BAs, must securely back up “retrievable exact copies of electronic protected health information” (§164.308(7)(ii)(A)). The data must be recoverable such that you can fully restore any loss of data (§164.308(7)(ii)(B)). Backups must also be tested, and data must be backed up frequently (§164.308(a)(1)).
  • Breach notification: The HIPAA Breach Notification Rule (“BNR”) did not exist prior to the HITECH Act. Section 13402 of the HITECH Act requires a CE to provide notification to affected individuals and to the Secretary of HHS following a discovery of a breach of unsecured Protected Health Information. BAs are also required to notify the CE.
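
The Auditing item above, as an added example (not from the article or from Copolitco): a Python script that scans OpenSSH authentication log lines for repeated failed logins from one address and for a successful login that follows such a burst. The log lines, addresses, function name and threshold are constructed for illustration, and failures are counted per address across the whole input rather than within a time window.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH's syslog format (not from a real host).
SAMPLE_LOG = """\
Jan 10 03:12:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 03:12:03 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 10 03:12:05 web1 sshd[2103]: Failed password for alice from 203.0.113.5 port 51238 ssh2
Jan 10 03:12:09 web1 sshd[2105]: Accepted password for alice from 203.0.113.5 port 51240 ssh2
Jan 10 08:30:11 web1 sshd[2290]: Failed password for bob from 198.51.100.7 port 40022 ssh2
Jan 10 08:30:20 web1 sshd[2291]: Accepted publickey for bob from 198.51.100.7 port 40030 ssh2
Jan 10 09:01:44 web1 sshd[2310]: Accepted publickey for carol from 192.0.2.44 port 39912 ssh2
"""

# Matches both "Failed <method> for [invalid user] X from IP" and "Accepted ...".
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def audit_ssh_log(text, threshold=3):
    """Return findings: per-IP failure bursts and logins that follow one."""
    failures = defaultdict(int)   # source IP -> failed attempts seen so far
    findings = []
    for line in text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # unrelated or unparsable line: skip it
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
            if failures[ip] == threshold:   # report each burst once
                findings.append(("brute_force", ip, None))
        elif failures[ip] >= threshold:
            # Success after a burst of failures: possible guessed credential.
            findings.append(("login_after_failures", ip, m["user"]))
            failures[ip] = 0
    return findings

if __name__ == "__main__":
    for kind, ip, user in audit_ssh_log(SAMPLE_LOG):
        print(kind, ip, user or "-")
```

A single mistyped password followed by a key-based login, as in the second address of the sample, stays below the default threshold and is not reported.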