The Bangkok Post is reporting that almost 39 million health records were reportedly stolen from Bangkok Siriraj Hospital and are being offered for sale on the dark web. A poster on Raidforums.com who goes under the name of “WraithMax” offered to sell the data and supply a sample file via Telegram. The poster claims the data includes names, addresses, Thai IDs, phone numbers, gender details, dates of birth and other information. Excerpts:
“There was a large data leak concerning Siriraj’s patient records that has been offered for sale,” Dr Sutee Tuvirat, an information systems security professional, told the Bangkok Post.
The data is not only from Siriraj Hospital but also from nearby Siriraj Piyamaharajkarun Hospital, which has records of VIP patients, he said.
Most local hospitals still had no cybersecurity teams or chief information security officers who could monitor threats.
“Even some department stores which invested in cybersecurity have been hacked, but hospitals which keep a great deal of sensitive data still do not make investment in this area a priority,” Dr Sutee said.
<p>No one chooses a hospital based on an assumption that they practice good IT security hygiene; people choose a hospital based on the doctors, the services, and the latest technologies they’ve employed to diagnose or assist in the fight for good health. Even in an era where there are exploding cyber-attacks including ransomware, hospital budgets are constrained and constantly under scrutiny and IT costs (including security) are often held to a bare minimum. Sadly, the general public suffers from blind faith that all healthcare providers (and this includes hospitals and doctor/patient facilities) adhere to the latest IT security best practices.</p>
<p>Generally speaking, while hospitals employ IT security controls, their efficacy may be questioned as the threat environment continuously evolves, and the readiness of the staff may be questionable, as they may not be skilled and equipped to deal in a timely way with the latest threats and exploits. Additionally, when it comes to a hospital’s budget, emphasis is placed on the purchase and maintenance of the latest medical tools, techniques, and service offerings – items that are tangible to the patient – not on tools to combat IT and cyber threats.</p>
<p>Perhaps with the increasing escalation of ransomware costs and lawsuits, issues with data and service availability, and other cyber-related issues, hospital executives are opening their collective eyelids to see the extensive damage such cases can bring to their institution’s reputation and are allocating the needed or required resources.</p>
<p>Unfortunately, hospitals will continue to be prime targets for data breaches because of the value of sensitive health information in the black market in comparison to other sensitive information, like payment information. Often compromised PHI (Protected Health Information) also comes with PII (Personally Identifiable Information). Thus, unlike a payment breach where I can call my credit card issuer to freeze all new transactions, and request to replace my card immediately, the same is not possible with a PHI breach. When sensitive health information like a terminal medical condition or incurable disease is breached, there is not much I can freeze or change.</p>
<p>The other concern with PHI breaches is if the threat actor, while on the hospital’s network, tampered with the integrity of medical records. This can lead to incorrect treatment, with fatal and potentially irreversible losses to patients.</p>
<p>We know from security research we have done that a personal medical record is worth 1000x more than a valid credit card number on the dark web. Therefore, networks which store such records are a very juicy target for cyber criminals. It is imperative that medical institutions invest in security defenses, particularly as medical records are being mandated to be available to patients via APIs, and that they protect those API endpoints with state-of-the-art threat protection solutions.</p>