Australian healthcare organisations need to lift their game when it comes to protecting sensitive medical data, with the recent WannaCry ransomware attack bringing the security of patient records into greater focus.
The growing value of healthcare records, which offer the perfect means for criminals to commit identity theft, opens a Pandora’s box of fraudulent possibilities.
The main marketplace for stolen medical records is the so-called ‘dark web’, a clandestine digital network connecting sellers to buyers of nefarious goods, including illicit and branded drugs (both real and fake), prohibited weapons and even contract killings.
Part of the much larger ‘deep web’, which is simply everything online that is not accessible to the average web browser, the dark web uses technology originally developed by the US Navy to conceal IP addresses, making it hard to monitor and police.
Sites on the dark web regularly disappear and reappear, often with different names, so even for buyers it’s not always easy to find what they’re looking for.
But the big name to remember in this growing business is a person – or persons – going by the name of TheDarkOverlord.
A self-styled ‘vigilante’ of data security, the Overlord has stolen hundreds of thousands of medical records and put them up for sale on the dark web, often accompanied by messages chiding healthcare operators for being remiss in their data security practices.
Most recently, the Overlord achieved wider notoriety after purloining and leaking the latest season of Netflix’s flagship series, Orange is the New Black.
Depending on quality and authenticity, individual medical records can fetch anywhere from $US45–50 down to as little as three cents. Larger sets of medical records go for tens, sometimes hundreds of thousands of dollars.
To date, most stolen medical records for sale on the dark web have been stolen from US servers, with no evidence, as yet, of Australian records being put up for sale.
Australian Criminal Intelligence Commission CEO Chris Dawson said organisations are responsible for ensuring the security of customer information against hacking attacks.
“Basic information is often enough to impersonate victims and commit identity fraud. Cybercriminals may also try to extort money from organisations by threatening to release the compromised information. All organisations should ensure they protect customer information.”
The Australian healthcare sector is no stranger to cybercrime.
In early 2016, the Royal Melbourne Hospital was hit by a malware attack, while the Australian Red Cross Blood Services, the key source of blood donations in Australia, fell victim to arguably Australia’s biggest ever data breach, with more than half a million donor records leaked.
Yet it appears that security standards in the local healthcare sector are slipping. The Deloitte Australia Privacy Index 2017 reported that healthcare had fallen from 4th last year to 6th, just behind ‘industrials’ in 5th spot, and ahead of retail at 7th. Financial services and government came in 1st and 2nd.
“The risks associated with holding sensitive medical data are often under-appreciated within the healthcare sector,” said Phil Cole, senior information security analyst with Australian cyber-threat agency AusCERT.
“Yet they are probably the most at risk.”
Notwithstanding attacks like WannaCry, general trends out of the US don’t bode well for the healthcare sectors of Australia and other countries. It is estimated that one in three Americans (100 million-plus people) have had their medical records stolen or compromised in some way, with the US Privacy Rights Clearinghouse reporting in 2015 that healthcare suffered almost 30 per cent of all data breaches, almost double the next biggest target, retail.
James Price, a senior cyber security analyst with Deloitte and an author of the 2017 Privacy Index, said data theft in the healthcare sector is especially problematic because it’s harder to detect. Unlike the most conspicuous types of fraud, such as applying for credit cards in victims’ names, which attract immediate attention, theft of medical records often goes unnoticed and unreported, sometimes for several months or more.
“The challenge is about where to focus because the loss is often indirect to the person holding the data,” Price said.
Australia’s recently passed data breach notification laws should change that, however, with companies and individuals facing heavy fines, albeit only for failure to report as opposed to penalties relating to the breaches themselves.
Price said companies need to develop cyber security policies and procedures that are ‘judgement and principles’ based rather than ‘prescriptive’, which is how he says the US and Australia currently approach cyber security; otherwise they risk a situation requiring constant updating and expense.
He also notes that creating effective policies around authentication is harder in healthcare because of the growing emphasis on allowing fast and easy access to medical records to improve data-sharing for better patient care.
This is not a small problem for healthcare operators as they try to adapt and succeed in a world of profound disruption. And the challenges are not just ‘technical’.
As Deloitte’s Price observes, CIOs and other IT managers struggle to make the case for further investment in IT security, as the immediate value, or ROI, isn’t necessarily easy to show. In light of recent events, that may be about to change.
TheDarkOverlord did not respond to a request for comment by the time of publication.