FBI Discusses Cyber Threats to Healthcare Data
FBI Cyber Division Section Chief John Riggi discussed the current cyber threat landscape for healthcare data in his keynote address at the Health Care Compliance Association (HCCA) 2015 Compliance Institute in Orlando, Florida. He emphasized that cyber threats are very active and growing, coming from both nation states and organized crime, most typically based in Eastern Europe, Russia, China, and Iran. In most of these cases, the primary objective is to exfiltrate sets of personal data.
Interestingly, these actors have grown in sophistication and often mine your social media profile to craft highly effective spear phishing emails as their means of gaining initial access. Once access has been achieved, the malware will simply “phone home” to the attackers while they escalate privileges and build a map of the network. “The criminal motivation is primarily to steal and monetize your data.” The healthcare sector is uniquely valuable because it is the only sector where PII, credit information, and PHI are all accessible in one place.
Once data is exfiltrated, the cyber criminals use the “dark web” to monetize it. While stolen credit card numbers sell for between $0.50 and $1.00 each, health information records, including name, date of birth, policy numbers, and similar fields, sell for $60.00 to $70.00 per record. This creates an extraordinary financial opportunity for organized crime and adverse nation states.
The buyers of this data then complete the criminal chain by using the PHI to perpetrate various types of fraud, including medical device fraud, prescription fraud, healthcare/Medicaid fraud, identity theft, and tax fraud, among others. These fraud scenarios harm the U.S. healthcare system and economy in a very costly and insidious manner.
Much of this activity has been going on for some time now. The Sony breach, however, was a “surprise” to the FBI, per Mr. Riggi. It was notable in that it was perpetrated by a nation state solely for the purpose of disrupting a company that was not aligned with its point of view, and it was done very effectively at that.
As a result of the Sony breach, the FBI has developed a different “model” for dealing with the corporate “victims” of data breaches. He noted that organizations that experience a data breach are often demonized for their lack of foresight and controls. Because of Sony, the FBI has revisited its philosophy in dealing with these corporate “victims”: “If we don’t treat victim companies well, they will be less likely to come forward when they have been attacked.” This of course makes good sense and will hopefully result in companies being more forthcoming when they are targeted by cyber attacks.
So the FBI developed their “Sony model” for working with cyber attack corporate victims. Its key elements were:
- Emphasis on the victim company
- Single point of contact for the U.S. government (USG)
- Determination of attribution
- Mutual information sharing
- Established trust
- Partnership
- Embedded special agents
It may well be that the Sony hack will usher in a new era in cyber crime. No doubt organized crime and nation states will continue to target organizations for the purpose of acquiring and monetizing personal data. It will not be surprising, however, to see more attacks like the one on Sony, where the ultimate purpose is disruption rather than monetization. Clearly, such attacks can be carried out very successfully in achieving the attacker's goal of disrupting the business, injuring key corporate stakeholders, and impairing the value of the enterprise.
So here we are in 2015. It is a brave new world in cybercrime. Thanks very much to Mr. Riggi for sharing insights gained by the FBI.
About IDX
We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.