ePHI – Most Valuable Data Records Sold on the Dark Web

“HIPAA Security Officers – Your networks really ARE the PRIMARY target of the ‘Bad Guys’, ‘Bad Actors’, ‘Hackers’, etc. Whatever you want to call them, make no mistake – you are charged with safeguarding what they want. Do your security countermeasures rise to the level of the threat or are you simply content with being HIPAA Compliant?”

That is how a quick LinkedIn response started.  It caught the eye of enough people that I was asked to expand on it a little.  I will ask questions throughout this article, however, most won’t be answered as they are intended to make you think.

What Does HIPAA Compliance Mean to You?

HIPAA was written for one primary reason – to provide guidance on how to safeguard personal healthcare information (PHI).  It is by no means perfect, and in many ways it’s very ambiguous and widely open to interpretation. However, and this is from my old military days, the “Command Intent” was to charge those in possession of PHI (or the electronic version, ePHI) with the duty to safeguard those records.  It is so important that the Department of Health and Human Services has appointed HIPAA Security and HIPAA Privacy Officers who are commissioned primarily to carry out the duties of protecting, controlling access to, and reporting failures of confidentiality, availability and integrity.

The intent is protection, not merely compliance.

Like most legislation that is written and negotiated in committees, reviewed only on rare occasion by subject matter experts, and then passed into law by politicians trying to offend as few people as possible, HIPAA is incredibly long and complex while leaving many burning questions for those who fall under its shadow. Questions like the following were not uncommon:

• “Do WE need to be compliant?”
• “Are we already compliant?”
• “How is HIPAA compliance achieved?”
• “How much will compliance cost us?”
• “How likely is it that we will be audited?”

These questions, and many others, have taken precedence over the overarching Directive of HIPAA. The “Command Intent” is the safeguarding of personal medical records — yours, mine, your children’s, grandchildren’s, our parents, and everyone else.  The intent is protection, not merely compliance.

What’s the Big Deal Anyways?

A few years ago, in an effort to find a new family doctor, I found myself participating in the following conversation. “All the records are out there for anyone to see,” said the doctor we were considering, “so what’s the point of protecting the records anyway?” Over the years, I’ve heard this time and time again. Yet another doctor arrogantly stated, “If they want all the medical records I have, they are welcome to them. What do they really want with medical records anyway? Credit card info and social security numbers are way more valuable!” Needless to say, neither of these doctors became the trusted family physician.

ePHI is VERY VALUABLE on the Dark Web. These records go for anywhere from $70 to $98 per record consistently. I was told one recent auction ended with a high bid of $114 per record for a block of 16,000 records!  Contrast that with credit cards. Credit cards with valid pins are going for $15-30 or less depending on type and country of origin, but only if user data was supplied as well. Raw credit card numbers without pin and user data go for a dollar to a few cents.  WHY?  The incentive is insurance fraud.  When a criminal uses your leaked data to file a fraudulent medical claim, he not only gets paid the reimbursement from the insurance company, but he also gets to resell the medical devices that “you” required. A few fraudulent claims here and there may go unnoticed for quite some time.   Make sure you set your likelihood of attack to 100% on your risk matrix.

Just because a countermeasure is in place for a specific threat vector doesn’t mean it’s particularly effective. Though compliant, you could still be vulnerable.

Are your Business Associates going to be a target? YES!! As a part of our audit process, we request to see copies of Business Associate Agreements. Frequently this question elicits a blank stare.  Who do you have VPN’s with?  Are you restricting ports, or are TCP 445 and 139 open on your VPNs?  What due diligence have you done on your BA partners and vendors?

Compliance Vs. Security

If compliance is your primary goal and focus, you will not ask yourself the right questions. Just because a countermeasure is in place for a specific threat vector doesn’t mean it’s particularly effective. Though compliant, you could still be vulnerable.

Let’s look at passwords, for example.  You have a written password policy that addresses minimum length (HIPAA requires 8, we recommend 10), complexity, change frequency, etc. You have a Group Policy Object (GPO) that pushes out these requirements. If you are checking for compliance, put a green check mark and move on.

For contrast, let’s now consider that you’re checking for security (effectiveness of the countermeasures). Your process might include a password audit of the SAM database or simply capturing a few NTLM hashes to see how easily they can be cracked.   Here are some real-world issues we have seen:

• 90% of users have passwords 6 or 7 characters long
• Passwords very commonly consist of first name, last initial or use the local sports team
• Employees love to use words like “P@55W0rd!” (2 upper, 2 lower, 2 special, 9 characters)
• The GPO can be applied to the wrong object or passwords set to never expire

I could give hundreds of other examples for issues with user passwords,  but the same thing happens on Patch Management, Firewalls, and Audit Trails. Bottom line, if you are not testing the effectiveness of all security controls as part of your HIPAA Audit or GAP analysis, it is a “Feel Good” check box assessment that does not address the “Command Intent” of HIPAA to safeguard the patient information entrusted to the organization. Sadly, “Feel Good” audits are common place in today’s HIPAA and HITECH world. Meanwhile, breaches occur more and more frequently and many are paying the price.

If all you care about is compliance, you probably stopped reading several paragraphs back. However, if you are serious about safeguarding ePHI entrusted to you, start with this checklist concerning your security vendor.

• What tools will they use to assess the effectiveness of your countermeasures?
• Will they perform any social engineering?
• Will their team have network engineering or administration experience?
• Does their team have any penetration testing experience?
• Do they provide remediation services or is there ANY fiduciary incentive to find something wrong or recommend a particular product?

HIPAA Privacy and HIPAA Security Officers, whether you realized it or not, you have been charged with safeguarding PHI. Today’s threats to PHI are real, they are pervasive, and they are persistent. Do your security countermeasures rise to the level of the current impending threat landscape? Or are you simply content with being HIPAA compliant?

Tim Crosby, CISSP, CSA+ SME
Sr. Security Consultant
Spohn Consulting

Office: (512) 685-1820
https://spohnsolutions.com
[email protected]
https://www.linkedin.com/in/tim-crosby-cissp-05870915