I know I blog a lot about cyber threats and breaches, but there is good reason for that. This year was one of the worst years so far when it comes to cyber threats and breaches across the healthcare sector.
On average, practices that got breached did not know it for 270 days and some had even been breached for seven years without knowing it, according to Richard Clarke, the former White House cybersecurity czar who served three presidents.
In his opening keynote at the Healthcare IT News Privacy and Security Forum on Tuesday in Boston, Clarke explained that two-thirds of those entities did not even discover the breach internally; it was pointed out to them, either by someone outside the organization or by the federal government.
As bad as breaches are, however, there are other worse threats emerging that hospital CIOs, CISOs and IT departments should understand and prepare for. Clarke offered seven:
1. Ransomware. Calling this an epidemic, Clarke explained that he frequently receives calls from clients who have been subject to someone essentially seizing their data and demanding money to give it back.
2. DDoS. Distributed Denial of Services attacks, previously thought to be a minor problem, have reemerged with high profile attacks against American banks, Clarke said. “DDoS is now, again, a threat. It’s something you can send down the wire to an entity and knock it offline.”
3. Wiper attacks. “Think Sony or Saudi Aramco,” Clarke said. Aramco had 30,000 end points, for instance, until one morning employees came in to work and found that all the software had been wiped out in a 7-minute attack. At Sony, in the days after the attack guards couldn’t look up his name to check Clarke in because all the devices were wiped blank.
4. Intellectual property theft. IP theft is “probably the most damaging thing that happens,” Clarke said. “If it’s IP that’s worth something and is online, it will be stolen.”
5. Straight theft of money. One increasingly common trick is that hackers assume the identity of someone in the comptroller’s office who sends out wire transfers for accounts payable. They then wire relatively small amounts, say $100,000, to an offshore account, transfer it to another account elsewhere and it’s gone.
6. Data manipulation. Wall Street’s greatest fear is not data being stolen but the potential for someone to manipulate the data so firms don’t really know who owns what anymore. An example particular to healthcare? Hackers changing data about blood transfusions could be deadly.
7. Data destruction. Devices can be physically destroyed by code. Clarke took part in the Aurora experiment at the Department of Energy’s lab in Idaho. “We hacked into a simulated power grid, took control, gave it the wrong commands through software and destroyed a large electric power generator,” Clarke said, adding that this just one example, while many real world devices can be destroyed by software.
Healthcare has a bad reputation when it comes to cyber security. A recent article in PC World explains how the healthcare sector is at least 10 years behind the financial sector. We need to take this seriously, and invest into our networks to protect ePHI.
Note: parts of this article are reprinted from and article by Tom Sullivan in Healthcare IT News.
