President Obama is at Stanford University today, hosting a cybersecurity summit. He and about a thousand guests are trying to figure out how to protect consumers online from hacks and data breaches.

Meanwhile, in the cyber underworld, criminals are trying to figure out how to turn every piece of our digital life into cash. The newest frontier: health records.

I grab a chair and sit down with Greg Virgin, CEO of the security firm RedJack.

"There are a lot of sites that have this information, and it's tough to tell the health records from the financial records," he says.

We're visiting sites that you can't find in a Google search. They have names that end with .su and .so, instead of the more familiar .com and .org.

After poking around for about an hour, we come across an advertisement by someone selling Medicare IDs.

We're not revealing the site address or name because we don't want the dealer to know we're watching.

According to the online rating system — similar to Yelp, but for criminal sales — the dealer delivers what's promised and gets 5 out of 5 stars. "He definitely seems legit" — to the underworld, Virgin says.

The dealer is selling a value pack that includes 10 people's Medicare numbers, only it's not cheap. It costs 22 bitcoin — about $4,700 according to today's exchange rate.

Security experts say health data is showing up in the black market more and more. While prices vary, this data is more expensive than stolen credit card numbers, which, they say, typically go for a few quarters or dollars.

Health fraud is more complex. Records that contain your Social Security number or mother's maiden name are used for identity theft. Virgin predicts hackers could be using them for corporate extortion.

"A breach happens at one of these companies. The hackers go direct to that company and say, 'I have your data.' The cost of keeping this a secret is X dollars and the companies make the problems go away that way," he says.

Health care companies saw a 72 percent increase in cyberattacks from 2013 to 2014, according to the security firm Symantec. Companies are required to publicly disclose big health data breaches. And there have been more than 270 such disclosures in the last two years.

Jeanie Larson, a health care security expert, says cyber-standards are too low for hospitals, labs and insurers. "They don't have the internal cybersecurity operations."

Companies subject to federal HIPAA rules, which were designed to protect privacy, choose to interpret them loosely — in a way that gets around the basics, like encryption.

"A lot of health care organizations that I've talked to do not encrypt data within their own networks, in their internal networks," she says.

They assume, incorrectly, that the walls around the network are safe.

Larson is part of the industry group National Health ISAC, which is trying to raise the bar and make hospitals more like banks when it comes to investing in security.

"The financial sector has done a lot with automating and creating fraud detection type technologies, and the health care industry's just not there," she says.

Orion Hindawi with Tanium, a firm that monitors computer networks, says health care providers are far from there. They've been racing to grow, to digitize health records, to make mobile apps, to acquire other companies — all this without having a basic handle on how big their networks even are.

"I was working with a customer recently, and I asked them how many computers they had. And they told me between 300,000 and 500,000 computers," Hindawi says.

Meaning his client basically didn't know.

"We see that often when we walk into a customer [office]," Hindawi says.

He wasn't surprised to hear that the health care company Anthem suffered a major cyberattack. Anthem revealed last week that as many as 80 million people's records may have been stolen. Hindawi says he expects to see many more Anthems.

Copyright 2015 NPR. To see more, visit http://www.npr.org/.

Transcript

DAVID GREENE, HOST:

President Obama is at Stanford University today hosting a summit on cybersecurity. He and about a thousand guests are discussing ways to protect consumers online from hacks and data breaches. Meanwhile, in the cyber underworld, criminals are trying to figure out how to turn every piece of your digital life into cash. NPR's Aarti Shahani takes us to another frontier in the digital black market - health records.

AARTI SHAHANI, BYLINE: I grab a chair and sit down with Greg Virgin, CEO of the security firm RedJack.

GREG VIRGIN: There are a lot of sites that have this information. And it's tough to tell the health records from the financial records.

SHAHANI: We're visiting sites that you can't find in a Google search. They have funny names - names that end with .su and .so instead of .com and .org. We poke around for about an hour and come across an advertisement, someone selling Medicare IDs.

VIRGIN: The username on the [bleep] site [bleep]...

SHAHANI: We're not airing key details because we don't want the dealer to know we're watching.

VIRGIN: So all of his reviews are 5 out of 5.

SHAHANI: He seems legit.

VIRGIN: Yeah, he definitely seems legit.

SHAHANI: Legit to the underworld, that is. The dealer is selling a value pack that includes 10 people's Medicare numbers - only it's not cheap.

VIRGIN: Twenty-two bitcoins is about $4,700.

SHAHANI: While prices vary a lot, this data is more expensive than stolen credit card numbers, which typically go for a few quarters or dollars. Health fraud is more complex. Records that contain your Social Security number or mother's maiden name are used for identity theft. And, Virgin predicts, hackers could be using them for corporate extortion.

VIRGIN: The breach happens at one of these companies, the hackers go direct to that company and say, I have your data, the cost of keeping this a secret is, you know, X dollars. And the companies make the problems go away that way.

SHAHANI: Health care companies saw a 72 percent increase in cyberattacks from 2013 to 2014, according to the security firm Symantec. Companies are required to publicly disclose big health data breaches. And there have been more than 270 such disclosures in the last couple of years. Jeanie Larson, a health care security expert, says hospitals, labs, insurers - their cyber-standards are too low.

JEANIE LARSON: They don't have the internal cybersecurity operations.

SHAHANI: Companies subject to federal HIPAA rules, which were designed to protect privacy, choose to interpret those rules loosely - in a way that gets around basics, like encryption.

LARSON: A lot of health care organizations that I've talked to do not encrypt data within their own networks - in their internal networks.

SHAHANI: They assume, incorrectly, that the walls around the network are safe. Larson is part of an industry group called The National Health ISAC that's trying to raise the bar, make hospitals more like banks when it comes to investing in security.

LARSON: The financial sector has done a lot with automating and creating fraud detection type technologies, and the health care industry's just not there.

SHAHANI: Orion Hindawi with Tanium, a firm that monitors computer networks, says health care providers are far from there. They've been racing to grow - to digitize health records, to make mobile apps, to acquire other companies - all this without a basic handle on how big their networks even are.

ORION HINDAWI: I was working with a customer recently, and I asked him how many computers they had. And they told me between 300,000 and 500,000 computers.

SHAHANI: Meaning his client basically didn't know.

HINDAWI: And we see that often when we walk into a customer.

SHAHANI: Hindawi wasn't surprised to hear that the health care company Anthem suffered a major cyberattack. Anthem revealed last week that as many as 80 million people's records may have been stolen. Hindawi says he expects to see many more Anthems. Aarti Shahani, NPR News, San Francisco. Transcript provided by NPR, Copyright NPR.

