Why is your personal health information worth 350 dollars on the black market?
A woman who died in Duesseldorf University Hospital during a ransomware attack might be the first victim linked to a cyberattack on a hospital. Bentsi Ben-Atar, a prominent cybersecurity expert and chief marketing officer at Sepio Systems, says that it “only takes a number of highly publicized attacks” to drive significant budget increases in cybersecurity. At the moment, healthcare systems worldwide don’t invest enough to shield themselves from cyberattacks.
Why is your medical data worth hundreds of dollars on the black market? How can your keycard be used to hack into a hotel? CyberNews spoke to Bentsi Ben-Atar to find out. After graduating from Tel Aviv University, he joined the technology unit of the Israeli Army Intelligence Corps. In 1998, he co-founded WebSilicon, which specialized in delivering advanced networking and security systems. He now works as chief marketing officer at Sepio Systems.
Since he entered cybersecurity, the field has changed enormously. As a major leap, Bentsi Ben-Atar pointed to hardware attack tools that used to be extremely costly, so that only organizations such as the National Security Agency (NSA) could afford them. Now top-notch technology is available to the general public. For example, a ninja USB cable can be bought for only 89 dollars or even less.
According to Bentsi Ben-Atar, healthcare is one of the most vulnerable sectors to cyberattacks. Personal health information is worth hundreds of dollars on the black market, as malicious actors can fake insurance claims or purchase drugs with stolen prescriptions.
Are the cybersecurity solutions and specialists catching up with the malign actors? CyberNews asked Bentsi Ben-Atar.
In general, we will always be behind the attackers. The industry reacts to certain incidents and certain use of technology to hopefully confront the next challenge. There’s some academic research being done on attack methods that haven’t been deployed yet.
So, in some areas, we do have progress and we do have some advantages over the attackers, for example, in analyzing and understanding how these future attacks, which are non-evident yet, could be mitigated.
But in most cases, we follow and react to what attackers are doing. You can see that in, for example, ATM attacks. There was a very clear evolution in attacks on ATMs. At first, people were connecting dynamite and explosives to ATMs, trying to force their way into the safe. Then they moved to electromechanical solutions by using card skimmers and shimmers. Following each incident and attack on the ATM, the industry reacted and reinforced security measures, and now there’s an entirely new design of the card insertion mechanism, and cash dispensers are more protected now.
Again, the attackers are never standing still. Now they are attacking the network interface or the network cable that is connected to the ATM, which is still very unprotected. They will probably move to the next interface. In most cases, we will chase them.
So there’s no need to blow up the ATM. But, according to a Reuters report from 2018, approximately 70% of ATMs are still vulnerable. Has the situation improved in the last two years? How often do ATM attacks happen?
In some cases, depending on the specific day of the year, if it’s a weekend before a long holiday period, in highly populated areas an ATM could hold up to a million dollars. In most cases, they will hold several hundred thousand dollars. Because of the new regulations enforced worldwide, it is extremely difficult for attackers to run a large payment on SWIFT-based or other international systems.
So they moved on to ATMs. There are countries like Sweden that are trying to minimize the use of cash, and it is very difficult to find an ATM there. In other countries, such as the US, ATMs are still very dominant. And there is a list of newly introduced vendors whose ATMs are widely distributed: in every store and on every street corner you can find those smaller ATMs. In some cases, they lack the required level of security.
What sectors and industries are better prepared for cyberattacks? I know that the healthcare sector is vulnerable and does not invest enough in cybersecurity.
If you look at the numbers that were published by unbiased entities, you see that although the healthcare vertical is the most heavily hit vertical, it is only second or third with regard to the budget allocated to cybersecurity. Banks and financial institutions are the front runners with regard to budgets allocated to protecting their enterprises.
Losing significant amounts of money and credit, and various regulations, such as the GDPR (the General Data Protection Regulation), that are enforced on the banking industry, motivate them to invest a lot of money.
The healthcare industry is not there yet. But it only takes a number of highly publicized attacks to drive a significant budget towards this vertical. Disabling life-support equipment, whether it’s an MRI machine, a CAT scanner, or X-ray machines, can significantly damage or cripple healthcare organizations. I think that budgets will be adjusted accordingly as well.
Can you name a few incidents when the healthcare sector experienced a cyberattack?
During the COVID-19 pandemic, there were several incidents related to ransomware attacks. But it didn’t start with the COVID-19 era. In Eastern Europe, an aesthetic clinic was hacked. That’s an excellent example. You have some sensitive visuals (before and after pictures) that sometimes can be extremely intimate. From the attackers' perspective, the willingness of a clinic to pay a ransom or any other type of extortion fee is high, since the leakage of such visuals would be very embarrassing.
The Singapore SingHealth incident happened about 1.5 years ago, in the pre-COVID era. 1.5 million medical records, including those of the prime minister, were leaked. A couple of weeks later, the entire database of HIV-positive people in Singapore was leaked.
During this pandemic, people are cutting corners with regards to the introduction of equipment, whether it’s IT equipment or specific healthcare equipment. There was a rush towards the use of Raspberry Pi platforms as ventilator platforms (Read more: Coronavirus: Raspberry Pi-powered ventilator to be tested in Colombia).
Raspberry Pi is an extremely popular platform, both for the legitimate community and for the hacking community as well. All those ventilators that were quickly fabricated using Raspberry Pi as their main platform are now very sensitive and vulnerable to attacks. You have an example of that at NASA, where a Raspberry Pi that was on their network was used to leak out documents (Read more: Raspberry Pi used to steal data from Nasa lab). Once these types of devices are introduced in the healthcare industry, then we will see more incidents.
Author’s note: CyberNews spoke to Bentsi Ben-Atar before the report about a woman’s death in Duesseldorf, Germany. The woman is believed to be the first cyberattack victim in a hospital, as she died during a ransomware attack. It was also reported recently that Roper St. Francis Hospital (RSFH) in the United States suffered a data breach in which around 6000 patients were affected. The leaked information contained names, birth dates, detailed medical records, insurance information, and Social Security numbers.
Why is medical information worth much more on the black market? Personal health information is worth around $350 on the black market, while other personal information is sold for only $2.
Everyone can answer that individually. How much would you pay for someone not to publicize an aesthetic surgery that you had on an intimate organ? How much would you pay for these pictures not to show up? From the attacker's perspective, the fact that they know the name of the person in those visuals… In some cases, the attackers approach the patients themselves and not the facility. When you get an email with a sample picture of yours, or any sensitive medical data, you would pay €1000 to make it go away.
How big is the medical data market on the dark web? Probably attackers approach a person or a clinic and do not put this data up for sale.
On the darknet, you see a lot of replicas of the same data. Once you have purchased a database, you can go and try to sell it yourself on the darknet. So you just see a lot of replicas of the databases that are being offered.
With ransomware, it’s a bit different. You have specific targets and campaigns in mind. You don’t even have to be an expert in running a ransomware campaign. You can outsource that as well. You can hire an attacker who provides his service as a hacker for hire against the facility that you want to hack into, and the attacker will have all the required data and information that you need to run these kinds of ransomware attacks. It could be used to cripple that specific healthcare institute and disrupt its business operations.
Companies and individuals willingly surround themselves with devices that can become entry points for bad actors. Can you elaborate on this?
There’s always a conflict when you are trying to manufacture various products. You want to make them cheap. Whether it’s cameras or biometric sensors, all of these devices compete with thousands of vendors worldwide. A lot of them are coming from mainland China, which is manufacturing most electronic goods.
It’s part of a budget constraint. These devices can’t be fully tested and fully security-hardened. In some cases, especially in the IoT domain, the hardware platform that is used for those devices can’t run applications securely. In some cases, they will not even run an operating system, or they will have very limited computational resources. Running security features takes a significant part of the computational resources of that product.
When you are trying to get an extremely cheap camera, you cut corners, and maybe you will do just the required minimum. It’s not good enough for the challenges that we have today.
In a corporate blog, Bentsi Ben-Atar explained how hotel keycard systems can be entry points for malicious actors, as these IoT devices are usually easier to target. Criminals can gain access to the hotel’s network and hijack the system that controls the keycards, with hotel management being unable to regain control until the ransom is paid.
We will continue facing these challenges, as we will work or study from home, where a lot of devices can become rogue devices, right?
During the peak of the first coronavirus wave, we saw a significant surge, both in newly introduced devices and in the number of vulnerable devices. This is due to several reasons. First of all, the entire physical security aspect of enterprises has been eliminated. When you work from home, no one knows who is sitting next to you, whether it’s a criminal pointing a gun at you, a cousin with a criminal record, or your 5-year-old. The entire physical security of the enterprise has been eliminated. That poses a significant risk because that was always a key part of any enterprise security scheme.
Because you need to provide people with a platform, whether it’s a laptop, a desktop, a camera, or a keyboard, you are under that pressure again, so you cut corners. You may be purchasing refurbished computers that could have been manipulated. Or employees would use devices that they found at home, whether it’s a kid's keyboard or a camera that could be vulnerable. We did see a significant surge in those incidents.
There’s another effect when working from home. The office is left unattended. Since everybody is wearing a mask, and there are not a lot of people in the offices, it’s heaven for potential attackers to implant a device into an enterprise's infrastructure. They can walk around, and people will keep their distance and be less suspicious.
As an attacker, you can have your tool inserted more easily than in the pre-COVID era.
And, as we work from home, there are so many entry points, right?
Companies invested a lot of money in training people with regard to not clicking on suspicious links. But when you work from home, in some cases the employee's laptop is the only computer at home, and several kids need to use it for remote learning; they are less trained to identify those risks and might click on a suspicious link.