Cybercriminals Are Selling Admin Access To Patient Portals

Another day, another scheme to profit from the high prices commanded by healthcare data. This time, the industry is confronting a new wave of cybercrime in which intruders are selling access to patient portals.

According to a new report by IntSights, a global threat intelligence firm, an emerging group of cybercriminals is auctioning off master keys offering administrative access to portals. When a potential attacker gets master key access, it can be devastating for that provider, as it allows them not only to steal but also to alter or corrupt data.

This latest scourge is part of a larger environment in which for a number of reasons, healthcare data stands out as a target.

One key reason they are so attractive is that healthcare records are rich with information. Healthcare records include personally identifiable information such as Social Security Numbers, addresses and phone numbers. These details can be leveraged to take over accounts and create synthetic IDs, the report points out.

Another reason black-hat hackers find healthcare data to be attractive is that compared with that of other large industries, healthcare infrastructure is not as secure, due to problems that include the use of outdated operating systems which may not be adequately patched, according to IntSights chief security officer Etay Maor. (Of course, these vulnerabilities also expose medical devices to attacks, but that’s a discussion all of its own.)

And of course, as has been the case for a while, healthcare data is particularly valuable. As the report points out, while credit cards sell for $1 to $5, patient data can generate $50. That’s quite a differential.

Over time, healthcare data has seen the full gamut of cyber-intrusion attempts, most visibly by way of ransomware such as the devastating WannaCry attack in 2017. More recently, however, auctioning master keys for healthcare portals has become increasingly common, the IntSights report says.

These master keys, which offer access to all data related to the targeted facility, can generate a tidy profit. For example, in one instance shared by the report, a single master key for a healthcare portal was selling for $400. The key gave the buyer access to an administration panel containing various types of sensitive information, including both patient data and system users.

IntSights has stumbled across several other examples of master key auctions as well, such as one offering patient and doctor data for more than 20 clinics run by a Louisiana provider.

Of course, looked at one way there’s nothing that notable about cyberthieves finding a more efficient way to collect money for the assets they steal.  Healthcare is likely to remain a plump target for cyber-criminals for the foreseeable future, for all of the reasons listed above.

Still, there’s something troubling about the way in which master key auctions amp up the efficiency of their efforts. Making $400 or more a shot has to be quite an incentive for those who don’t care about breaking the law.

About the author

Anne Zieger

Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.