Cyber criminals follow the money … to your health care data

Medical care providers, patients unprepared for savvy hackers who are zeroing in on lucrative health data


Criminals know there are dollars in data and that monetizing medical records is a lucrative pastime.

This trend could foreshadow the next evolution of medical identity fraud. Cyber criminals could sell medical identities to uninsured or underinsured individuals, peddle pharmaceuticals online, obtain and resell expensive medical equipment, or simply file insurance claims by matching up stolen patient and provider identities.

This monetization is in the early stages, yet it’s easy to see how even an “offline” scenario could be adapted to cyberspace.


Here are some of the factors playing into these scenarios:

• Vast numbers of medical records from data breaches are available for sale on the Dark Web. These include identities of medical providers and billing information.

• More data is primed for breaches. Consider that 19.2 million Americans (under age 65) became newly insured through the Affordable Care Act and the majority of health records are now electronic.

• A Ponemon Institute study, measuring the privacy and security of health care data, found that criminal attacks grew 125 percent since 2010, becoming the leading cause of data breaches.

• The billing system, both in the public and private sectors, is constantly exploited.

• Patient authentication is not mandatory—it’s easy to use a stolen identity to obtain services or to bill for a phantom patient. Patient authentication systems such as chip-enabled cards are cost-prohibitive.

• The growing trend in virtual care creates new ways for cyber criminals to set up a fake online medical service.

“[Medical identity] data is a richer record that … can be sold for many different reasons and to many different people,” says Ed Cabrera, chief security officer at global cybersecurity software company Trend Micro.

Because of this potential fragmentation, identifying new patterns in cyber criminals’ monetization trends is difficult. On the surface, it may appear the criminals are sitting on the data for now. But that’s not likely the case.

Since medical data has a long shelf life, thieves don’t have to rush to cash in big batches. Adam Levin, author of Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves, says this data is like having money in the bank.

“They will use it at their leisure,” he says. “It is inevitable it will be used, but the timing is at the convenience of the thief.”

(Full disclosure: Levin also is the founder of CyberScout, which sponsors Third Certainty.)

Cyber criminals also are being patient because “they don’t want to tip their hand to law enforcement,” says Ponemon Institute founder and chairman Larry Ponemon.

“They might do small things, but do it over a long period of time,” he says.

New schemes on horizon

A recent report by Accenture Consulting found that 35 percent of victims reporting medical identity fraud had their identities used for fraudulent billing and 26 percent, for fraudulent services. Ponemon Institute’s earlier study found that 59 percent of victims’ medical credentials were used for health care services and 56 percent, for prescription drugs or equipment.

Ponemon says it would be easy to buy and resell drugs or expensive medical equipment. He gives the example of a medical power scooter, which a criminal could obtain for the price of an insurance co-pay.

“The bad guys could sell them on eBay and monetize,” Ponemon says. “And it may be harder to get caught than using a stolen credit card.”

According to a health care industry report released by Trend Micro in February, stolen medical insurance ID cards are available underground for as little as $1, and full records of U.S. citizens, including medical information, for 99 cents, with bulk discounts available.

Jeff Leston, president of Castlestone Advisors LLC, says it’s very easy to defraud the system.

“The crooks know what boxes need to get checked when a claim comes in,” says Leston, whose company provides payment networks for preventing health insurance fraud. “And there’s no verification that the patient was ever in the office.”

It’s especially easy to defraud Medicare because the Social Security number is part of the medical ID number.

“Anybody who’s had their Social Security number compromised, their Medicare identity is stolen once they become eligible,” he says.

Leston thinks telemedicine, especially virtual doctor visits, will become the next treasure trove of fraud.

“Not only do you not have (patients) coming to an office, but you could also submit claims for people all over the country,” he says.

Other nefarious uses

Ponemon has discovered one potential niche through his research. Sophisticated cyber criminals are buying medical data to create dossiers on people, he says. They’re capturing information from various databases—medical, tax records, personal finances, education, career, even causes and political leanings, not unlike what marketers do through various clearinghouses.

“Their mission is that this could come in handy at some point in time,” he says.

Cabrera notes that the criminal underground, like any other industry, is constantly innovating and reinvesting resources into areas that have a high return on investment. Which means there’s still much in store.

“There will be new lines of business created when it comes to health care attacks,” he says. “We’re going to continue to see more sophistication and automation for creating these different lines of business.”
