The new bio hazard – Emerging trends in cybercrime

August 2, 2016
The new bio hazard – Emerging trends in cybercrime
Andrew Staniforth
Andrew Staniforth Non-Resident Fellow - Counter Terrorism & National Security

Leading cyber security professionals across the world are coming to terms with the uncomfortable truth that private bio-medical data is now more valuable to cybercriminals than bank or credit card details. Cybercriminals are currently attacking the healthcare industry at a higher rate than any other sector. In the last year, more than 100 million healthcare records were compromised. The sudden rise in the theft of bio data has raised acute concerns for national security practitioners as it now exceeds attacks on manufacturing, financial services, government and transportation industries. The phenomenon of cybercrime has now entered a new era of healthcare hacks where the most intimate aspects of our personal data is being stolen.

Data breaches

According to US Government figures from the Department of Health and Human Services (HHS), five recent and large cyber attacks led to 108.8million people having their medical records illegally accessed. Last year, hackers gained access to 80 million personal records kept by Anthem, a health insurance plan provider in the United States. Stolen data included Social Security numbers, birthdays, addresses, email and employment information and income data for customers and employees, including its own chief executive. The hackers are thought to have infiltrated Anthem’s networks by using a sophisticated malicious software program that gave them access to the login credential of an Anthem employee. Anthem officials became aware of the breach when one of their senior administrators noticed someone was using his identity to request information from the database.

Anthem officials, who are now working with the Federal Bureau of Investigation (FBI), say they do not know who is responsible for the attack, but the level of sophistication has made cyber security professionals suspicious that the hackers may have been working with the support of a foreign government, or with people with ties to a foreign government. The Anthem cyber attack is currently the largest known incident of its kind, which serves to highlight a worrying trend.  In the last year, hackers have gained access to more than 4.5 million medical records from the University College of Los Angeles (UCLA) medical network, including the Ronald Reagan Medical Centre, and 11 million records from the American health insurance company Premera Blue Cross. The rate of attacks against the healthcare sector climbed to the highest level of all industries studied in 2015, and it appears that this pattern is set to continue throughout 2016 as data breaches in the healthcare sector are getting larger.


Hacker’s paradise

The healthcare sector is an attractive target for the anonymous cybercriminal as compared with other sectors, the healthcare industry’s approach to cyber security is generally poor, being amplified by a culture which has neither recognised nor prioritised the real security risk concerning the theft of patients’ sensitive data records. Recent cyber security studies across multiple industries have found an alarming laxity in many organisation’s approach to data security. A Cyber Security Breaches Survey revealed that two thirds (65%) of large UK businesses were hit by a cyber breach or attack during the last year. The research also found that almost half of the top FTSE 350 businesses regarded cyber attacks as the biggest threat to their business, but only a third of the UK’s top 350 businesses understand the threat of a cyber attack. A survey by Sophos earlier this year found that the healthcare sector had one of the lowest rates of data encryption, with only 31% of healthcare organizations reporting extensive use of encryption. A Sophos survey of the National Health Service (NHS) organizations in the UK found that encryption was “well established” in just 10% of them; while a 2016 study of hospital cyber security found that patient health records are “extremely vulnerable” because of a lack of focus on cyber attacks and insufficient training.

Beyond data breaches perpetrated by hackers, health data is frequently exposed through accidental loss, device theft and employee negligence. And it’s not just hospitals, doctors’ offices and insurance companies that are failing to protect healthcare data – private employers frequently leave their employees’ private healthcare information unencrypted. This information is attractive to cybercriminals as it typically contains credit card data, email addresses, social security numbers, employment information and medical history records – much of which will remain valid for years, if not decades. Cyber thieves are using that data to launch spear-phishing attacks, steal medical identities and commit fraud by making false insurance claims. The information that healthcare providers maintain about consumers is now more valuable on the black market than the credit card information that is often stolen from a retailer. Katherine Keefe, global focus group leader for breach response services at Beazley, which underwrites cyber liability policies states that: “The value to a criminal of having a full set of medical information on a person can go for $40 to $50 on the street. By contrast, a credit card number is often worth $4 or $5.”

Counting the cost

The financial impact of cybercrime has quickly become a threat to the economic stability, security and well-being of many nations across the world. The rapid digitalisation of consumers’ lives will increase the cost of data breaches to an estimated $2.1 trillion globally by 2019, increasing to almost four times the estimated cost of breaches in 2015. Figures collated for the Crime Survey of England and Wales for a six-month period during 2016 for the first time included questions about fraud and cyber offences. The results indicated that fraud and computer misuse accounted for 5.8 million crimes, meaning that on average, one in ten adults fell victim to cybercrime. The figures also revealed that when compared to other more traditional crimes, cyber fraud has now become the most prevalent crime in the UK with people ten times more likely to become a victim than they are to suffer a theft.

Law enforcement agencies continue to be challenged on many fronts in their efforts to protect online users from the volume of cybercrime. Through constant innovation, cybercriminals are developing increasingly sophisticated malware, rogue mobile apps and more resilient botnets. The cyber threat landscape is constantly changing with far-reaching vulnerabilities, faster attacks, files held for ransom and the continued presence of data breaches.  Cyber vulnerabilities – similar to those highlighted in the healthcare sector – remain a big part of the security picture and all the evidence from cybercrime-related threat and risk assessments indicate that the attackers are moving faster than the practical and operational implementation of effective cyber defences and counter measures.  This position is unlikely to change and the cyber attackers will continue to have the upper hand unless more can be done to anticipate future threats and risks which requires the ability to horizon scan for the weak signals indicating the early signs of new trends.

The current focus of hackers to conduct attacks on the healthcare sector represents another step in the evolution of cybercrime, but there are growing concerns that cybercriminals will seek to steal more of our bio identity data through fingerprint, facial and iris recognition data used to confirm identity for security clearance at ports, borders and other critical infrastructures and facilities, adding a new and sinister dimension to the phenomenon of cybercrime.