One of the many troubling trends in dark web black markets is the buying and selling of PHI – protected health information. This is data illegally retrieved from hospitals, clinics and other healthcare institutions by hackers who take advantage of weaknesses in their cyber-security. PHI typically includes social security numbers, dates of birth, names of relatives, medical procedures and results, and in some cases billing and financial information or background information such as criminal records.
What hackers do with the protected health information
PHI is typically sold in bundles that cyber-criminals call “fullz”. Fullz are records of structured personal information that can later be used for various kinds of fraud and extortion such as banking and credit fraud, healthcare fraud, identity theft and ransom extortion. In some cases, fraudsters are interested in buying specific medical records as in the following case.
Cynerio’s researchers follow dark web activity related to hacking of medical devices, using Sixgill’s dark web monitoring technology. While posts about exploitation of medical information systems and stolen patient information are quite common, we are still sometimes surprised by certain alarming posts, like the following one.
This is a dark web market vendor selling fullz acquired from pediatricians’ databases to fraudsters who might be interested. The wording used to advertise this package is particularly disturbing – “the kids are born 2000+ and generally speaking come from good families that can provide medical support.“ It appears evident from this description that the stolen information may be used for extortion.
The vendor also links to his “cashout” guide. Cashout guides are commonly offered by vendors who sell “fullz to help the buyers understand how to make money out of this kind of data.
Based on deployments of Cynerio’s cyber-security solution in hospitals, we’ve seen that children’s PHI’s can be more than 10% of total PHIs, and their data is often transmitted over the network unencrypted and unprotected, and stored in medical servers that aren’t sufficiently cyber-protected.
Sadly, there’s a very high probability that we’ll continue seeing offers of this nature.
Selling stolen health information is only one of the things hackers do on the dark web. Our researchers came a across and interesting post from a vendor offering SMTP servers to interested clients (e.g. spammers, phishing campaigners, malware distributors etc.). What caught our eye was the end of the message in which the vendor mentions that ‘if you want Hospital server just leave us a note “I want hospital server”’. This is interesting because it could be for clients who are interested in sending malicious emails from a hospital domain because they are planning a spear phishing campaign against healthcare targets. It also shows that the vendor has remote code execution access to computers within hospital networks.
Why is this happening?
The fact that healthcare providers’ databases can be hacked, dumped and sold to the highest bidder (with the lowest morals), is quite troubling. Healthcare systems store some of the most sensitive and private information about us, and this information is exposed to a wide range of cyber-attacks on a huge attack surface, stretching from servers that store patient data in bulk, through nursing-station desktops, to a variety of connected medical devices. Most of these clinical systems are poorly patched and communicate through unsecure channels. Hackers take advantage of this to get hold of our most sensitive information.
Putting those two facts together – the ubiquity of PHI in healthcare systems, and ease of infiltration and exploitation – it should come as no surprise that healthcare hacking events have been continuously increasing over the past years.
Today, it’s more important than ever for healthcare security leaders to have increased visibility of their clinical systems, and how they handle PHI, in order to ensure patient data protection.