Over the past couple of days I’ve been at the HITRUST 2015 conference along with many of my peers who work in cybersecurity and compliance.
As I sat with people at lunch I posed a question to them.
What would a criminal pay for a healthcare record?
According to CNN, NBC and other news channels the answer is $50. It’s a nice round number, but how did they arrive at it? More importantly, what did my peers have to say?
The first comment I’d like to make is that people really believe what they are told by the media without too much investigation. Every single person I asked authoritatively said “$50!” but could produce no evidence other than having heard this on TV. One CEO pointed out that when he’d gone looking for evidence himself he really hadn’t been able to find any.
The best answer I received was during the CrowdStrike breakout session during which Adam Meyers, VP of intelligence, gave an insightful talk about how they’d traced some hacking behaviour to the Chinese military. At the end of the session, I posed my question to him.
Adam looked thoughtful and then gave a well-reasoned answer. It’s impossible to really estimate a value without surveying criminals, but CrowdStrike does spend time listening to criminals in chat rooms. Their research placed the value of a record at between $10 and $10,000 with the median being somewhere between $10 and $50 and probably more on the $10 range.
I’ve also heard that healthcare records are ideal for identity theft, and it’s true that they do contain a great set of data about an individual. Having said that, the information from the Target breach was more than enough for the purposes of identity thieves. More data is not really a great benefit to this type of criminal.
Adam concluded that the vast number of medical records are being sold for the purposes of medical insurance fraud, a burgeoning market in the U.S., where fee-for-service reimbursement provides an easy threat surface.
This was an interesting insight about an issue I’d never really thought through enough, and I hope it gets you thinking as well. Kudos to Adam for a great answer!