
The Healthcare Cyber Heists report, compiled by US cybersecurity firm Carbon Black, recently put together a price list of the types of health data most sold on the dark web, from data concerning professionals in the sector to data concerning patients. The "full package" of all the documents needed to reconstruct the background of a medical professional, including identification data, degrees, medical licences and insurance documents, is among the most expensive and costs around $500. Cheaper is the market for fake medical prescriptions, which can be purchased for between $10 and $120, or the login credentials to insurance portals, sold for a few dollars because they become obsolete quickly once the breach is discovered.
It can be argued that each individual's health data, capable of offering a glimpse into, when not completely revealing, the most intimate sphere of the person, is becoming a veritable gold mine for cybercriminals. But why is it so coveted? And what value does it possess? If health data is a target for cybercriminals, it means there is a demand for it, and if there is a demand, there must be an economic return within a specific 'underground health market'.
The value of health data
To understand the value of this data, one only has to consider the many illicit uses to which it can be put. They can be used to obtain prescription drugs (either for personal consumption or to resell them illegally), or to create false documents that allow unqualified individuals to pass themselves off as doctors and access healthcare services or deal with insurance companies fraudulently. In addition to practitioner data, health information also includes personal patient identification data, e-mail addresses, health card numbers, clinical reports such as diagnostic and laboratory tests, medicine prescriptions, and finally insurance data. The criminal purposes linked to the theft and sale of such data are of various kinds: they can be used to construct false identities, to demand sums of money as ransom in order to regain possession of the data themselves (e.g. sensitive information such as HIV seropositivity), to forge documents, e.g. birth certificates, driving licences, passports, to issue false medical prescriptions, or to obtain specific drugs.
As feared, for instance, by Matteo Bonfanti, Head of International Relations and Cooperation of the National Cybersecurity Agency (his speech at the conference 'Cybersecurity and personal data protection in healthcare' is available at this link), it cannot even be ruled out that among the buyers in this buying and selling system there are also companies interested in getting hold of 'big data' otherwise unattainable, e.g. pharmaceutical companies that could exploit the medical data packages on sale for the research and development of new drugs, strategically orienting their business decisions and illicitly gaining an advantage over their competitors.
Careless behaviour
Having established that this kind of data is attractive to criminal interests, something most of us may be unaware of, the other question that remains to be answered is how safe and 'protected' this same data is. A first element that helps to set the context is that, in all likelihood, healthcare personnel themselves are not fully aware of the risks involved in the possible misappropriation of this information. In fact, it may happen that doctors, in the performance of their usual duties, use means and tools not specifically designed for the health sector, thus bypassing even a minimum level of security.
"Imagine such a scenario, quite common in the everyday life of a healthcare professional," observes a surgeon working in a public hospital in Veneto, who prefers to remain anonymous, and whose full interview can be read within this study. "Usually, it happens that we receive e-mails from other clinicians, who need to get a colleague's opinion, containing patient data. And these exchanges often take place on instant messaging systems like WhatsApp. A colleague of mine, for example, asks: is patient X bleeding, do we take him to the operating room or not? The message only states the surname, no first name and no date of birth, and the pathology of reference. It is obvious, however, that the patient is easily identifiable." Situations like this are commonplace. A doctor who has acted in this way probably does not feel that he has made a mistake, yet he has provided ultra-sensitive clinical data through an instrument lacking the security levels necessary to transmit this type of information.
From official statistics on cyber-attacks directed at the healthcare sector, it seems clear that most intrusions occur, or are at least facilitated, because of the lack of adequate IT security practices on the part of medical personnel (think of the widespread phenomenon of phishing). It is possible that underlying this is a certain superficiality, a lack of perception of the real risk, or even a cultural problem. Indeed, the implicit reasoning behind these attitudes is often: I deal with patient health, I do not have the time or the expertise to deal with these aspects as well.
Moreover, the overall workload, both clinical and administrative, would seem to be perceived as an obstacle to taking adequate care of IT security aspects as well. "We healthcare professionals are overwhelmed by general, clinical and administrative issues, we have to study laws for drug administration, for care plans, spend ten to fifteen minutes of time just to enter the drug administration digitally, and then control and supervise it," continues the interviewed surgeon. "The time to spend on the more proper aspects of data security, possible intrusions and cybersecurity in general is really residual." There is also another point of view to consider, that of those who professionally deal with security within healthcare companies. The software engineer interviewed anonymously as part of the above-mentioned research, who works in the same healthcare company as the surgeon, says for instance: "There is a total recklessness in sending reports and analyses via WeTransfer or similar, and this is far from infrequent, indeed it is a common practice... The perception is that security is really a big pain in the ass, i.e. understood almost as a limitation of personal freedom, either because you cannot surf the Internet at your leisure, but only on the sites indicated, or because you cannot transfer a clinical image to WeTransfer to get a second medical opinion."
Solutions? Up-to-date technology, training and 'cyberculture'.
The evolution of cyber threats requires advanced and constantly updated technological tools (intrusion detection systems, encryption, multi-factor authentication and real-time monitoring software), but there is also a need for continuous training of healthcare personnel. One of the challenges is to foster a growing 'cyberculture' through refresher and training courses that practitioners find stimulating rather than burdensome. In particular, training should be specifically targeted and tailored to the critical issues that each professional figure (doctor, nurse, administrative staff, providers) faces. Another possible solution could be to place third-party figures (such as risk managers, data protection specialists and computer security experts) alongside clinical professionals; however, it must be taken into account that the professional class able to perform these highly multidisciplinary tasks is only now being formed.
Attempting to predict how healthcare will evolve, one can, on closer inspection, imagine an increasingly hybrid future scenario: some healthcare services will continue to be provided on site, others will remain hybrid, i.e. partly in person and partly virtual (e.g. tele-monitoring and tele-referral), and others will become exclusively virtual (such as a tele-visit). The perimeter to be secured will therefore tend to widen, moving from 'hospital-centred' healthcare to home-based involvement of the citizen, with a consequently greater amount of data in circulation and more and more people involved in the already complex healthcare organisation chart.