7.07.2013

Threat of Hackers in Healthcare

When Captain Zap hacked AT&T, millions of Americans saved money on their long distance phone call bills. Captain Zap successfully penetrated the AT&T network and went on to be part of the hacking hall of fame. His case is famous because AT&T didn't even know about the hack until after the next set of bills went out. By then the damage was done and Cap Zap was nowhere to be found. He was eventually caught but it took 18 grueling months of FBI hard work.

The opposite of Cap Zap was KP, a black hat hacker from UK. Unlike Captain Zap, KP took action against those he didn't like. He increased their monthly bill and even got some of them black listed.

The problem I have with Captain Zap's incident is that not only did the companies that were affected by the hack discover the incident long after it had occurred but they paraded him as a bad maniac guy instead of asking him to help secure their networks. The movies and the media sketch hackers as bad people which further eliminates any chance of corporation between the government and the hackers. Because of the media the majority of the population holds a negative view about the Anonymous.

The truth is that the US government can achieve a huge edge on rival cyber attackers like China and Russia if only they make use of the likes of Anonymous by employing them on handsome wages.

Today we have ever-growing numbers of white hat hacker companies who specialize in providing security advice, analysis and identifying vulnerabilities. These companies should be used as much as possible to fill in the knowledge gap lack in the traditional server administrators.

The 40 million credit card robbery

The average loss in the cyber heist involves around $1.3 million dollars while the average amount lost in the physical world robbery involving a weapon is six to eight thousand dollars.

One of the largest bank heists in all US history happened in 1995. Miami based hacker Albert Gonzalez stole more than 170 credit cards, debit cards and ATM numbers. He made a fortune by selling these numbers to the criminal underworld.

Albert hacked his way into the corporate office networks of the major retailers by employing a simple hacking tactic known as a War Drive. The War Drive is a process in which a hacker drives around different areas scanning for open networks.

The sad part is that we still have the same problem today with thousands of wireless networks available without any security protection or any encryption. The reason Albert's heist is not a common knowledge is because it was suppressed by the victim companies and the financial institutions in order to maintain their reputation.

Citigroup's simple URL hack

In 2001 a group of hackers stole the details of more than 20,000 Citigroup customers. The loophole which allowed these hackers to crack the site database was the most senseless on Citigroup's part.

Apparently when the customer logged into the Citigroup's website, it used their account number as a query string variable in the URL. The whole site was designed to look at the query string variable and use it to display information. The hackers simply replaced the query string variable with different account numbers they had guessed and stole the information.

The healthcare industry faces the same risk because many companies still use social security numbers as their primary method of account authentication.

More than just info stealing

If you think hacking or cyber terrorism is only about information stealing, think again! In 2001 Vitek Boden attacked the computerized waste management system of Maroochy Shire Council in Australia. As a result of his hack, millions of pounds of raw sewage was spilled out into the local parks, main water systems and rivers. The stench was unbearable for residents for weeks and the cleanup costs were in hundreds of thousands of dollars.

In the US we have our power grid, nuclear plants and transportation systems online. The electric power is a common denominator among all major system and the power grid is controlled an automated system known as SCADA. A breach of this system alone presents a huge risk for the country.

The Pentagon conducted a classified cyber-attack exercise in 1997 to get a reality check on how we would be affected from such attacks and the results were extremely worrying to say to least. During the exercise, a majority of the US systems including the Department of Defense and the Pacific Fleets were compromised and left incompetent.

Healthcare as a hacking target

Traditionally the banking, military, government, technology and media industries have been the targets of black hat hackers. This led healthcare companies to believe that they for some reason are immune to such threats. Even if there was a PHI leak incident, it was mainly due to some kind of laptop or a hard drive type of device being compromised, lost or stolen and that's about to change. It will be a huge mistake to assume that threats in healthcare are only limited to physical devices.

Corporate cultures see prevention policies more as a nuisance than a risk aversion precaution largely because they are in the habit of judging everything by its sheer ROI. But the ROI on security is not always very clear as it comes in the form of diverted attacks that would have otherwise wreaked havoc. The return on the security investment is justified after the aversion of only a single disaster.

Health Exchange DOS attack

When preparing for the health exchange the United States Department of Human and Health services (HHS) underestimated their server traffic by a big margin. As a result when they opened up their doors to accept Qualified Health Plan applications from the insurers, their servers experienced a Denial of Service (DOS) attack.

This highlights a major lesson that sometimes you don't even need a hacker to bring your servers down since your own employees would do that for you through unintentional poor planning. One way to achieve a technological edge for companies lacking competitive IT is through tapping into the secure clouds and getting the remote services of the security and administrative companies. This will also bring the employment, physical data center and administrative costs down.

Bottom Line

Companies spend millions of dollars on security, firewalls and policy & procedures yet it only takes one person to connect to an open access point to steal it all away. IT departments need to ensure their system and network administrators hold proper knowledge and have courage to report any suspicious activities without the fear of losing their jobs.

The time to consult with ethical hackers and security companies is not after the attack has happened but before it happens!



0 comments:

Post a Comment