Vaccine credentials – Rising motivation for identity theft in healthcare
Head of Intelligent Advisory at IntSights, Paul Prudhomme, saw how out of all industries, healthcare is impacted most directly by cyber attacks. Intsights, a Rapid7 company, is an external threat intelligence platform that studies many different industries.
“It can be something as simple as healthcare organisations being overburdened. If you have overloaded intensive care units (ICUs) or COVID wards, it just makes it easier to click on the wrong link or the wrong malicious attachments, and get compromised.”
Paul also added that ransomware operators had preferred healthcare organisations as targets long before the COVID pandemic, and that the pandemic has only exacerbated this, given how vulnerable healthcare is now.
“There is also the fact that there are more datasets that are ripe for criminals to take advantage of – COVID vaccination records, test results, and more – this is another source of patient data for criminals to use for identity theft,” Paul said.
Besides that, there is the intellectual property (IP) behind vaccines and other COVID treatments, which is ripe for theft or compromise.
“Many international players are very interested in getting their hands on that. So any company that has that sort of intellectual property is almost certainly going to become a target,” Paul pointed out.
Valuable data – all about you
Another reason why healthcare is so heavily impacted has to do with how rich healthcare data is. This leads to a brief distinction between patient data and personally identifiable information (PII) that Paul wanted to highlight.
“A lot of the data points that patient health information (PHI) has might be the same as PII, but because it comes from a healthcare record, it has special status. In other words, losing your date of birth, or social security number can compromise business.
“But, data that comes from part of a patient’s medical record means it can contain a list of your medical diagnoses, medical procedures, treatments, health insurance, and things like that. That is a special status.”
The point is identity thieves and fraudsters can get this information easily from any number of sources now. And there is demand for this.
“The healthcare industry is probably the richest and most popular source of that data. Currently, we see a lot of people getting COVID tests and/or getting their records in a vaccine registry, and getting vaccine passports.
“That just creates more surface for the attackers to work with. We are now more vulnerable and exposed to having their identity compromised, because of demand for vaccine passports to be able to do most of the things we did pre-pandemic,” Paul said.
How are criminals leveraging the data?
Imagine a cybercriminal posing as a legitimate and authoritative organisation, like the hospital, or the doctor that you usually go to.
How likely are you to open an email that came from your doctor if there is urgency to the email title? An attacker could easily attach malware to the email and compromise your computer or mobile phones for further compromise.
However, Paul noted the main application for these data are fraudulent credit cards. With enough information, they could apply for a credit card in somebody else’s name, and then go use that. “It’s really a gift that keeps on giving.
“Credit card information combined with enough information about the owner makes it much more useful to identity thieves, who could take a bank loan in another person’s name. Which is why, in healthcare in particular, the protected health information is so important, because there’s so much detail in it.”
He also noted that the diversity of themes in spam, phishing and other social engineering SMS and emails has exploded over the past two years.
“We have seen a proliferation of health themes in particular, like vaccines, health insurance coverage and more. And not just for patients but healthcare individuals themselves. If a doctor gets something that looks like a COVID test result for his patient, it’s harder and harder for him to ignore it now.”
The whole purpose of so many of these social engineering attacks is to exploit fear, uncertainty and anxiety, and Paul observed that it was remarkable how quickly the attackers adapted to and exploited the new circumstances.
Internet of Medical Devices – an attack vector
Another attack vector that’s a bit more specific to the healthcare industry is medical devices.
Paul described them as being more vulnerability-prone than other devices on the network. “And there are several reasons for that – they are not designed to facilitate security updates, and many of them will tend to run on older operating systems.”
Notably, there are also often issues with the way healthcare organisations deploy these medical devices/equipment/machines on their network.
Paul said, “When an attacker is going through and scanning and looking for vulnerable devices like medical devices whether it’s an insulin pump, or blood analyser, or pacemaker, or ventilator, and so on – these are more likely to present opportunities for threat actors to gain access to their networks.
“And then once they’re in there, they can harvest patient data. And also, of course, deploy ransomware since healthcare organisations already have historically been a preferred target for ransomware,” Paul shared.
There have been talks that paint scenarios of equipment like insulin pumps and pacemakers being hacked so that they no longer function as intended, inevitably compromising the health of anyone hooked up to or relying on such devices.
“But at the same time, it’s harder to make money off of that. From a more practical perspective, these devices are mostly useful just as a point of initial access, and also as a hideout, or a persistence mechanism (to remain in the network and environment).”
Paul shared about a real-life case where a certain medical machine was physically moved across different WiFi networks of a hospital. “The machine was compromised, so whenever they moved to a new network, they were letting the attackers into that (network) segment of the hospital.”
Has there ever been a case where no access to critical, life-saving data (due to ransomware attacks which encrypt data), led to loss of lives? To Paul’s knowledge there is one clearly documented case of a ransomware infection resulting in death of an infant, last September in Alabama, United States.
Hospital staff attributed the death to a ransomware attack which rendered them unable to monitor the baby’s vital signs and condition, and thus unable to take necessary action.
Fraudulence galore
Besides ransomware, identity theft is one of the main ways criminals leverage the data they acquire. And besides the financial motivation, another motivation is starting to emerge as well.
Fraudulent vaccination credentials are one solution for people who do not want to be vaccinated but need the employment, access to public spaces, and freedom of movement that these passports can afford them.
For example, New York City recently put 9,000 of its 300,000 employees on unpaid leave because they had not met the vaccination requirement.
Paul commented, “And this is a very controversial issue for a whole host of reasons. But bottom line is there is a demand for fake vaccination credentials. And when people’s jobs are at stake, that’s significant enough to make the investment into fake vaccine credentials.”
There are a myriad of ways.
Credentials could be stolen by somebody who has access to a legitimate vaccine registry, or someone could obtain authorised access to systems and ‘forge’ something that looks authentic. There could also be a malicious insider who adds the names of unvaccinated persons to the vaccine registry.
“There are so many ways it can be done. And we are starting to see a market for it,” Paul concluded, adding that credentials in both electronic and paper-based forms are prone to compromise.