By now, all hospitals and health systems are aware of ransomware-related cyberattacks where a hacker will gain control of a computer network, data center or cloud server and encrypt the data, effectively blocking access until a ransom is paid.
A less immediate, but no less catastrophic, result from such a ransomware attack is where the hackers also steal as many electronic health records (EHRs) as possible to sell on dark web marketplaces. Hackers launching these attacks are not bored teenagers in their bedrooms, but rather sophisticated, international criminal organizations that through the dark web connect with other criminals who profit from stolen records. Cybercrime organizations can sell stolen records for as much as $1,000 each, while credit card numbers alone sell for as little as $5 and social security numbers for only $1 each.
Medical records are so lucrative on the black market because, unlike credit card numbers, they can never be canceled. If the records are complete, they contain a plethora of data. Available information could include the patient’s medical history, demographics, health insurance and contact information. This data can then be used to support numerous other illegal activities, such as obtaining prescription medications, filing bogus medical claims, or stealing the patient’s identity to open credit cards and fraudulent loans. The hacker organization does not typically commit these secondary crimes on its own. Rather, it taps into a criminal network on the dark web, experienced in drug trafficking and money laundering, whose members are eager to buy medical records to support their criminal activities.
Hackers, however, may also retain the records for their own nefarious activities. For example, patients of a large mental and behavioral health practice in Finland this year were blackmailed by a hacker or group of hackers based on records stolen from November 2018 through March 2019. Patients received extortion letters from the cybercriminals demanding as much as $240 to keep their information private, an amount which doubled after 24 hours.
The repercussions to the patient could last for years if highly personal information is made public or used to steal one’s identity. Specifically, medical identity theft, which is where a patient’s identity is fraudulently used to obtain medical services or prescriptions, costs $13,500 to resolve, either through paying a provider, insurer or legal services, or all of the above. Victims also spend more than 200 hours trying to repair the damage and secure their information. Forty-five percent of medical identity theft victims surveyed report the crime affected their reputations, mainly due to the embarrassment of having their sensitive personal health conditions disclosed, while nearly 20% reported they believe the theft caused them to miss out on career opportunities.
While patients are most personally affected by the theft and sale of their medical record information, the financial and reputational impact is felt by the hospital or health system in several ways:
Cybercriminals most often infiltrate the hospital’s network through a fraudulent email sent to a staff member, containing a malicious link or malware embedded in an attached file. Such attacks against healthcare provider organizations have accelerated during the COVID-19 pandemic, as recently as late October, according to a statement from several U.S. government entities.
In some instances, cybersecurity technology can prevent malicious software from gaining control of the hospital’s servers, but the malware may still hijack a connected medical device that operates with dated, unsupported software lacking appropriate security measures.
Protecting these devices, however, is possible by connecting them to a secure clinical computing hub, such as Capsule Technologies’ Neuron. Not only does Neuron encrypt data from devices to prevent unauthorized access, but it also effectively shields connected devices from the network, making them invisible to hackers.
Cyberattacks can be financially damaging to hospitals, both in terms of money spent and reputational damage, but the impact is most emotionally devastating to patients when their most personal and private information is stolen and sold on the black market. Ransoms paid to hackers, as well as money captured from records sold on the dark web, also fuel these criminal organizations to commit additional attacks against other healthcare providers.
Following best practices and appropriate staff and clinician training will help prevent damage, but hospitals need additional security measures to protect themselves and patients from human error and criminal greed.
To learn how Capsule can protect your medical device data while enabling intelligent, data-driven care, contact us today.
Paul Nadrag is a software developer at Capsule Technologies.