'Cybercrime-as-a-service' in healthcare on the rise


Stolen medical records may not be worth as much as financial account data or credit card information, but the “cybercrime-as-a-service” market continues to grow when it comes to healthcare, cybersecurity experts say.

Researchers from Intel Security say in a new report that increasingly, cybercriminals are taking advantage of inexpensive hacking tools to capitalize on vulnerability in the industry. While they note that they have yet to identify specific uses for large swaths of medical data, just the fact that the healthcare industry is so far behind the cybersecurity curve makes it an enticing target.

“When a well-developed community of cybercriminals targets a less-prepared industry such as healthcare, organizations within that industry tend to play catch-up to protect against yesterday’s threats, and not those of today or tomorrow,” Raj Samani, Intel Security’s CTO for Europe, the Middle East and Africa, says in a statement. “Where [healthcare organizations] have undervalued cyber defense overall, they must prioritize it.”

Stolen medical records, according to the report, sell for between $0.03 and $2.42 per record. Financial records, by comparison, sell for $14 to $25 per record, the researchers say. Credit and debit card information sells for $4 to $5 per record.

Still, the researchers say, the loss of trust relating to stolen medical records can be just as damaging as lost funds, since personal relationships form the foundation for the health industry.

Niam Yaraghi, a fellow in the Brookings Institution’s Center for Technology Innovation, wrote previously that the healthcare industry should follow in the footsteps of the banking industry by ensuring that the application of consequences for breaches are swift and confident. Risk prevention, not reaction, must be the priority, he said, and fallout for victims must be minimized.

In a recent survey of hospital IT and security executives, most respondents said they believe that cybersecurity is not looked at as a patient care or quality-of-care issue. Thus, business strategy does not drive security strategy for provider organizations, they said.

Attorneys, too, are highly concerned about the threat of IT breaches at hospitals, but worry that little is being done to address the situation.