Hacking Continues to Follow Economic Models
In economics, there are the basic supply and demand curves. As these move up or down, and left or right, dependent on the circumstances, the price point changes. For instance, as the supply increases, the price decreases. This has been occurring with the price of healthcare or medical records.
When the healthcare industry began to be targeted more than others, the attackers saw this as an opportunity to generate revenue. Initially, they would breach the system and liberate the medical records. There were not many looking to this industry for an attack, so the supply to the black market/darkweb was somewhat limited and the demand was higher. The records were selling for $75-$100 each. As this became more prevalent, more attackers shifted their focus to the medical field and hospitals, where the mass number of records are located or have access to digitally. More of the medical records were actively being targeted and stolen from these facilities. This shifted the supply curve, due to there being more records in the market being sold. The price per reach record accordingly decreased to $20-$50 on the dark web, dependent on certain variables. A full HER for a patient (completed identification information, utility bills, complete history, medical insurance information, etc.) has changed the product offerings. This is by far more functional and useful for the attackers. These, in the alternative, may be sold for $100-$500.
The data and information market continues to change and adjust itself out of necessity. This latest iteration is not the last. The problem at hand is what is going to be targeted next?
Resource
Davis, J. (2016, October 12). Cybercriminals to launch more ransomware attacks as black market price of health data drops. Retrieved from http://www.healthcareitnews.com/news/cybercriminals-poised-launch-more-ransomware-attacks-black-market-price-health-data-drops
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.