The Value of Stolen Medical Records
At this point in time, businesses are not, as a rule, enumerated and attacked merely as an exercise. The attacker's end goal and focus has tended to be securing data from the target; without this, the attackers have wasted their time and energy. The attackers have recognized the value of data and operationalized it for their purposes.
During the early years, the initial attack targets were personal, confidential information and credit card numbers. This data clearly had value, but not a significant amount per item. The attackers began to review the return on investment (ROI) for their attacks. Upon review, they understood this ROI was very low and began searching the environment for other viable options: systems to breach and data to steal. For their business model to work, the ROI needed to be much larger.
The new focus has been hospitals and their medical records. The breaches and attacks over the last two years make the targeted industry obvious. These have varied from narrowly targeted attacks on certain areas to attacks on the entirety of the hospital.
As the attacks succeed, the data is exfiltrated. This stolen data at rest is not useful or revenue generating. The attackers then move to sell it on one or more of the deep web sites that are geared towards this. The records are also sold to private parties, bypassing the marketplace. The recent trending price per record has averaged from $20 for a basic individual consumer record up to $500 for a full record with PII for each client. These amounts are vastly greater than the price of hundreds of sets of credit card numbers. Thus the ROI is substantially greater here for roughly the same or less work per breach.
Although medical records are relatively uniform in form, given the file format and template, there has tended to be a premium for children's and elderly persons' records. This is because the compromise of those records is less likely to be noticed for some time, which allows an extended period of exploitation that may not be available with other age groups.
This is not the final set of targets for the attackers. Certain sub-groups have been looking ahead and are attacking universities, which hold mass numbers of student records and personally identifiable information.
About the Author
Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.