As the adoption of electronic health records has reached unprecedented levels and continues to rise rapidly, the issue of criminal activity related with unauthorized patient data acquisition, black market distribution, and illegal exploitation/use becomes increasingly important. This article will provide a historical review of recorded data breaches that resulted in extensive patient data leaks as well as subsequent efforts of monetization via black market structures that utilize the anonymity and counter-tracking environment that the dark/deep web and cryptocurrency provide. It will also focus on the methods and tools used by the villains, the types of vulnerabilities that can result in a successful attack, as well as latest developments and future trends in the field of scientific, technical, and legal/regulatory countermeasures that can be employed in order to prevent sensitive health data from falling into the wrong hands.
TopIntroduction
One significant benefit of the development of information technology is its positive impact on the health sector. Over the last years, the use of electronic patient records has illustrated rapid expansion. The advancements in health information technology, the limited potential of the traditional processes and the need for flexible access to health information, have promoted new paradigms and as a result, personal health record (PHR) systems, empowering both patients and healthcare providers, present a constantly evolving area for research, development, and implementation (Genitsaridi, Kondylakis, Koumakis, Marias, & Tsiknakis, 2015). The technological challenges intertwined with the increasing adoption of such tools and platforms are optimally addressed with the rise of Cloud Computing (Martens & Teuteberg, 2012) which is formally defined as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction” (Mell & Grance, 2011). Promising coherence and economies of scale through the ability of robust sharing of computational resources, Cloud Computing has been a continuously evolving sector over the last decades (Guzek, Bouvry, & Talbi, 2015).
Furthermore, the availability of large medical datasets for secondary purposes such as research has become a powerful tool for producing knowledge and information, leading the medical and health care sector to a new, more personalized level. Large-scale biomedical databases are created and continuously enriched for research purposes while providing the right tools for handling and analyzing their content (Dankar & Al Ali, 2015). Researchers using personalized patient medical data have the ability to present valid and reliable data, to reuse existing data, and to compare the results of their study with similar ones based on the same database (Emam, 2013).
As the type of data shifts toward electronic records and large datasets are made accessible via distributed networks and the world wide web, hospitals, and other health providers increasingly suffer from data breaches whose nature likewise shifts toward electronic means, such as hacking (Spitzer, 2018). A data breach is “an impermissible use or disclosure that compromises the security or privacy of the protected health information and is commonly caused by a malicious or criminal attack, system glitch, or human error” (Bai, Jiang, & Flasher, 2017). Breaches can be conducted by a variety of ways, including credential-stealing malware, an insider who either purposefully or accidentally discloses patient data, or lost laptops and smart devices (Center for Internet Security, 2018).
Healthcare industry is highly targeted by cybercriminal organizations and individual hackers, as, according to research, an individual’s medical data, are 20 to 50 times more valuable to cybercriminals and black market than other types of targeted information, e.g., personal financial data, credit card details, social security numbers, etc. (Center for Internet Security, 2018). Therefore, cybercriminals have higher incentives to target databases with medical content in order to sell or exploit the sensitive information for their own personal gain (Center for Internet Security, 2018). In this context, it is not a coincidence that the biggest recent data breaches have seized health care records as the prize.
Access to highly sensitive medical information which is exposed through data breaches, gives cybercriminals the opportunity to commit identity theft, medical fraud, extortion, and the ability to illegally obtain controlled substances (Kruse, Frederick, Jacobson, & Kyle, 2017). More specifically, patient records can be used for various types of financial gain, including (Boden, 2018):
- •
sale on the Dark Web
- •
fraud commitment (tax, insurance frauds)
- •
extortion of people whose disclosure of illness could provoke public relationships problems and difficulties in their working environment
- •
targeted phishing campaigns against individuals whose records were leaked