Do You Have Any Idea How Much Your Health Information Is Worth?
Do you have any idea how much the information about your health is worth?
Well, let me tell you: it’s some of the most expensive information out there.
When some of the major, publicized, NON-healthcare hacks happened several years ago, the downloaded data started to become available on the darkweb for about $10 per person included.
For health information, it often costs $55 or more per record on the darkweb. Why? We’ll get there in just a minute.
If you don’t know what the darkweb is, let me digress for a moment because this will be worth it. First, you should know what the “deepweb” is. It’s pretty easy.
The deepweb is the group of all websites that search engines cannot access and index for whatever reason. Most traffic on the internet, by the way, isn’t humans visiting websites.
For a long time now, most traffic on the web has come from companies like Google and Amazon that have automated programs traveling the web and reviewing websites. The deepweb is the group of websites that is out of reach for search engines.
Part of the deepweb, really a small part, is called the “darkweb”. The darkweb is the name given to a bunch of websites (I mean we are still talking about many websites here) that can only be accessed with special tools like The Onion Router (aka “Tor”).
Tor is a web-browser that is designed to keep the user anonymous. So, we’re dealing with a portion of the web that is more difficult to access and is associated with anonymity. In that part of the web there’s obvious potential for all sorts of content that isn’t legal or is at least prohibited or highly unusual in some other way.
And that is where people often go to buy stolen information, like our $55 per record databases of health information from different patients.
And these data are some of the most expensive data sets we see listed on the marketplaces that exist on the darkweb, many of which are being taken down by different governments, by the way.
The reasons they are so expensive are actually pretty straightforward when you think about it.
First, our health information doesn’t really change much throughout our lives. The history of what runs in our family (aka “family history” in the histories that our doctors take) doesn’t change. If our dad died of a heart attack at 52 that’s not going to be different next year.
And there are other elements in our medical history that can be much more problematic. For example, our allergy list. If there’s a medication, allergen, or insect bite that we are allergic to, well, uh-oh…getting that info out there in the open can mean problems if someone decides they don’t want us around.
Do we have an insulin pump, defibrillator, or some other medical gizmo that’s working away inside us but that also connects to the outside world?
Well, those are all more problems. Most medical devices have now been hacked. Insulin pumps can be made to give overdoses, defibrillators can act at the wrong time, and that hip replacement we have is never going away.
I’m not making any of this up. But you should know that, in 2018, many of the devices we need help from have been hacked and made to do things that we do not want to happen.
Steps one and two in the pathway include identifying who has what device, what allergy, etc. And all of that comes from our health information. Yeesh.
So, the bottom line here is this: protect your health info. Help protect the health info of everyone else around you too. There are people who want it, who will probably try to take it, and who may do things with it that we really wouldn’t like.
What you probably have heard about on the news so far is mostly about ransomware attacks against hospitals. That’s when hackers gain access to a hospital and encrypt all of the medical records and hard drives (etc. etc.) so that they can’t be accessed without an electronic key.
The hospitals get a message or just have a screen pop up that has a countdown on it and a message that if they pay $XXXXX (a lot of money typically) then they will receive the key.
Hospitals often call the FBI or a similar element of law enforcement. Part of the reason why they do that is the knowledge that, even if they do send the money, guess what: hackers typically don’t give them the key!
Unfortunately, worse attacks are on the horizon and have already happened. Many experts predict that 2018 will be a big year for attacks on hospitals and healthcare systems. Your health information is highly valuable.
Now you know why.
Next, let’s look at exactly how attackers try to get your health information. We’ll keep it at a high level overall…but for those of you out there who are system admins or Chief Information Officers, don’t worry, we’ll share enough specifics so that you hear about some classic tools and techniques which you can look to defend...
The excerpt above is from Healthcare Information System Hacking by David Kashmer.
Dr. David Kashmer is a quality improvement expert, trauma and acute-care surgeon, and Certified Ethical Hacker. He has previously served as a Section chief and Chief of Surgery for healthcare organizations. He currently serves on the Board of Examiners for the Malcolm Baldrige National Quality Award and looks forward to a Baldrige Healthcare Cybersecurity initiative.