7 cyber threats worse than PHI breaches
This year was among the worst in cybersecurity across the healthcare sector.
On average, companies that got breached did not know it for 270 days and some had even been breached for seven years without knowing it, according to Richard Clarke, the former White House cybersecurity czar who served three presidents.
In his opening keynote at the Healthcare IT News Privacy and Security Forum on Tuesday in Boston, Clarke explained that two-thirds of those entities did not even discover the breach internally; it was pointed out to them, either by someone outside the organization or by the federal government.
[See also: Live updates from the Privacy and Security Forum in Boston.]
As bad as breaches are, however, there are other worse threats emerging that hospital CIOs, CISOs and IT departments should understand and prepare for. Clarke offered seven:
1. Ransomware. Calling this an epidemic, Clarke explained that he frequently receives calls from clients who have been subject to someone essentially seizing their data and demanding money to give it back.
2. DDoS. Distributed Denial of Services attacks, previously thought to be a minor problem, have reemerged with high profile attacks against American banks, Clarke said. "DDoS is now, again, a threat. It's something you can send down the wire to an entity and knock it offline."
3. Wiper attacks. "Think Sony or Saudi Aramco," Clarke said. Aramco had 30,000 end points, for instance, until one morning employees came in to work and found that all the software had been wiped out in a 7-minute attack. At Sony, in the days after the attack guards couldn't look up his name to check Clarke in because all the devices were wiped blank.
4. Intellectual property theft. IP theft is "probably the most damaging thing that happens," Clarke said. "If it's IP that's worth something and is online, it will be stolen."
5. Straight theft of money. One increasingly common trick is that hackers assume the identity of someone in the comptroller's office who sends out wire transfers for accounts payable. They then wire relatively small amounts, say $100,000, to an offshore account, transfer it to another account elsewhere and it's gone.
6. Data manipulation. Wall Street's greatest fear is not data being stolen but the potential for someone to manipulate the data so firms don't really know who owns what anymore. An example particular to healthcare? Hackers changing data about blood transfusions could be deadly.
7. Data destruction. Devices can be physically destroyed by code. Clarke took part in the Aurora experiment at the Department of Energy's lab in Idaho. "We hacked into a simulated power grid, took control, gave it the wrong commands through software and destroyed a large electric power generator," Clarke said, adding that this just one example, while many real world devices can be destroyed by software.
"You guys know it," Clarke explained. "Healthcare IT security: you have a bad reputation. When it gets down to healthcare there's always a little chuckle about how bad they are. We can't put that in a closet and pretend it's not true."
Related articles:
Richard Clarke's worst cybersecurity nightmare
The rise of ransomware, crafty hackers, and health data destruction