The rise of ransomware, crafty hackers and health data destruction

‘You’d have to be a pretty sick person to do something like that but unfortunately there are pretty sick people out there’
By Tom Sullivan
07:59 AM
Share
Hacker silhouette

It's no secret that many professionals tend to focus on what's right in front of them and healthcare as an industry is no exception. For hospital CIOs and CISOs that often means compliance, HIPAA regulations, security governance, safeguarding against accidental breaches and imminent threats – as opposed to the cybercriminals lurking in a shadowy and lucrative underworld.

But they're out there. And they're creeping into healthcare in sophisticated ways.

Take ransomware, for instance. "We're starting to see on a regular basis the use of ransomware where someone will get in and encrypt everything on the network then tell the owner of that network 'I will give you the keys for $100,000 sent to an offshore bank account,'" said Richard Clarke, the cybersecurity czar to three U.S. Presidents who is now a security consultant and author.

Clarke is slated to deliver the opening keynote at the HIMSS and Healthcare IT News Privacy and Security Forum in Boston in early December.

"Ransomware is increasingly common," Clarke continued. "Actual destruction where everything is wiped out on a network is not – yet."

[Learn more: Meet the speakers at the HIMSS and Healthcare IT News Privacy and Security Forum.] 

Not in healthcare, anyway. But Clarke pointed to the Stuxnet bug in Iran as evidence that malware capable of instructing equipment to destroy either itself or other machinery is emerging. In that case, Stuxnet fed erroneous instructions to centrifuges.

"We saw a similar outcome with Sony Pictures Entertainment where all data was removed from the networks so the company was essentially crippled," Clarke explained. "That could happen in healthcare. Just imagine what it would do to a hospital. You'd have to be a pretty sick person to do something like that but unfortunately there are pretty sick people out there."  

The attack on Sony, wherein hackers made off with medical information on some three-dozen employees, also spotlighted another intriguing possibility: Any company that offers its employees health benefits is susceptible to a medical records heist; it's not just HIPAA-covered entities anymore.

"It's certainly the case that hackers going after particular information will look for the easiest way to find that," Clarke said and pointed to another high-profile attack, that being Target. Hackers figured out that the systems running the chillers in the food department were connected and behind Target's firewall.

Could a crafty hacker emulate that tactic to worm inside a hospital?

"We haven't seen that happen yet, but we need to understand the possibility of things that have never happened before," Clarke said, "because history is full of things that have never happened before."

Clarke's keynote, titled Cybersecurity 2015: From Theft to Destruction, is scheduled for Tuesday Dec. 1 at 9:05 a.m. 

The Healthcare IT News Privacy and Security Forum runs from Dec. 1-Dec. 3 at the Westin Boston Waterfront. Register here.

Related articles: 

Q&A: Richard Clarke's worst security nightmare

3 tips to prep for a massive cyberattack

Best practices for password security