INTELLIGENT ENTERPRISE SECURITY
Is medical data worth more ? It seems to be worth something between traditional database dumps and payment card data . If the medical data contains financial data , it appears to be more profitable to sell them separately rather than together .
When McAfee Labs published the research report Cybercrime Exposed , the concept of cybercrime-as-a-service was a relatively new idea . The fact that components of a cyberattack can be outsourced was not commonly known . Today this is old news , with cybercrimeas-a-service a very well publicised business model . This business model applies equally to the health care sector .
Intel Security can see cybercrime-asa-service operating in the health care sector , with evidence that vulnerabilities are being sold and organisations are being compromised as a service . To put this in perspective , a non – technical cyber thief buys tools to exploit a vulnerable organisation , uses them with a little free technical support , and then extracts 1,000 records that could net him £ 12,000 , about $ 15,564 .
Cybercriminals today require little technical knowledge , only the means to pay for help from someone with the requisite experience . In fact , there are a multitude of sellers offering stolen data to buyers who do not need to get involved with direct attacks on organisations . Buyers of stolen data may have other motives , but from breach to resale of stolen data , the motivation of these attackers is clearly financial . Although personal or sensitive data has value , it is likely that intellectual property or other types of medical-related data has higher value .
Holding health care organisations ransom or targeting them for theft of personal data is a relatively recent phenomenon . Targeting biotechnology and pharmaceutical firms for theft of intellectual property appears to be considerably older . Early cases go as far back as 2008 , with reports that data sought included drug trial information , chemical formulas , and confidential data for all drugs sold in the US
Examples of hidden data economy for stolen medical data represents only tip of an iceberg , however , cybercrime is merely an evolution of traditional crime
market . Clearly , the economic value of such information is considerably higher than the cents-per-record market this and other reports have identified .
Opportunities like this apparently justify the cost of a cyber theft operation that employs hundreds of people and makes use of at least 1,000 servers . Such attacks have not entirely focused on private sector firms . For example , the US Food and Drug Administration has been among the most targeted agencies because of its role as the starting point for bringing new products to market .
To understand the scale of the attempted intrusions , a Freedom of Information Act request found 1,036 incidents had been reported between 2013 and 2015 . Of those , half involved illegitimate , unauthorised access into Food and Drug Administration computers . Another 21 % were classified as probes or scans , similar to phishing , and 19 % were malware intrusions .
The use of malware was discussed in a Form 8-K submission by Community Health Systems to the US Securities and Exchange Commission . They reported that sophisticated malware attacked the company ’ s system . The submission noted that the attacker sought valuable intellectual property , such as medical device and equipment development data . The forensic team in charge of the investigation reported , this group typically targets companies in the aerospace and defense , construction and engineering , technology , financial services , and healthcare industry verticals .
In most cases , spear phishing is the precursor to infection , as was demonstrated in an attack against the National Research Council . In this example , the attack began with the collection of valid email addresses for research council employees , according to a study conducted by the Canadian Cyber Incident Response Centre . The attack was followed by the installation of malware after the recipients clicked on malicious links .
Despite its simplicity , spear phishing appears to be a recurring theme even when the objective is the theft of intellectual property , trade secrets , and other sensitive or proprietary information .
Research continues into health care attacks whose aim is intellectual property theft . There is no doubt that pharmaceutical and biotech firms must remain vigilant because their most valued assets are in the spotlight of determined threat actors .
The examples of a hidden data economy for stolen medical data represents only the tip of an iceberg . However , cybercrime is merely an evolution of traditional crime .
When it comes to medical data , the ability to recover our information is considerably harder than with other data . When retail store Target was breached in 2013 , victims had their compromised cards cancelled and new payment cards reissued . This limited the damage to individuals because the cards flooded the underground market and were quickly offered for sale . For medical data , and personal information , the recovery strategy is not quite as simple .
One troublesome issue with this topic is the lack of evidence pointing to the motivation behind the acquisition of stolen medical data . With payment card information , it has been documented that stolen card numbers are used to conduct fraud against the victims . In the course investigations Intel Security , has identified where specific data is sought to verify the addresses of the victims . At present , specific uses for bulk data purchases of medical data have not been identified .
Excerpted from Intel Security report titled : Health Warning , cyberattacks are targeting the health care industry .
41