April 25, 2017 By Douglas Bonderud 3 min read

Health care data breaches are on the rise. As noted by MedPage Today, there were 39 reported health network compromises in March, totaling more than 1.5 million records. This not only surpasses the 31 total events reported in both January and February, but also more than triples the 388,000 records breached in 2017’s first month.

But here’s the thing: With so many records now compromised, packaged and sold on the Dark Web, the sales price to interested actors is falling rapidly. What happens when data supply outpaces criminal demand?

Everything’s Got to Go!

While security professionals and patients alike lament the lack of effective controls in protecting health care data, increasing concern hasn’t translated into better defense. In fact, cybercriminals are now so adept at cracking, stealing and selling health care information that Dark Web prices are falling considerably.

Consider the case of a Baltimore-area substance abuse treatment facility. According to CSO Online, the organization experienced a data breach last year that saw more than 43,000 records stolen and posted on the Dark Web. These records included basic information, such as names and phone numbers, along with dates of admission, doctor and counselor assignments, and specific treatment data. Security researchers identified the likely point of entry as a malicious Word file that, in turn, exploited a vulnerable remote desktop protocol (RDP).

As the clinic struggled to identify and notify all affected patients while simultaneously improving its IT security posture, its entire catalog of records was being shopped around the Dark Web at just $300, or less than 1 cent per record.

In effect, it’s a supply-and-demand issue. Until recently, “fullz” — full packages of personally identifiable information (PII) — went for around $7. But as the number of available records skyrocketed, the price dropped to compensate. Now, the average price per record sits between 50 cents and $1.

For patients and companies, however, the financial impact is potentially ruinous. Health care organizations are faced with potential public relations and network disasters, while patients may find that their entire identities — from tax returns to Social Security numbers to physical addresses — are being leveraged to cause long-term headaches.

The Data Breach Defense

The new threat landscape has many companies taking action to limit the chance of data breaches. The problem is that efforts don’t always match the most worrisome attack vectors.

Consider that among the top concerns for health agencies is the threat of ransomware. Fair enough, since cybercriminals are now willing to demand ransoms in the millions, and companies know they’re on the hook for more than $300 per record in remediation costs.

But here’s the thing: Insider threats are actually the greatest danger to health data, with employees responsible for 68 percent of all health data breach attacks in 2016. In most cases, staff members have no intention of causing harm; they may be duped by phishing emails, click on malicious links or accidentally share privileged information.

Another key threat vector is third-party vendor breaches. These occur when data processing partners don’t do enough to secure their infrastructures and inadvertently allow health care data to be lost, stolen or compromised.

Effective health care defense isn’t just about beefing up network controls and locking down IT systems. Instead, companies need better internal education programs paired with more thorough assessments of third-party providers to limit the chance of compromise.

Even with record prices falling to all-time lows, don’t expect cybercriminals to give health care companies a break. While criminal-facing prices may be falling, the costs of damage control and remediation continue to rise, meaning health organizations need to take a hard look at where they’re getting hit and what’s being targeted. With no single cause, effective treatment of the data breach problem requires a multifaceted approach.
