Hacker Kevin Mitnick on the dangers of human factors for health data security
Legendary hacker Kevin Mitnick, who spent nearly three years as a fugitive from the FBI before being arrested in 1995, had some valuable advice for the healthcare chief information officers at the CHIME-HIMSS CIO Forum on Sunday.
Mitnick, who penetrated the networks of companies such as Sun Microsystems, Nokia and Motorola during the '80s and '90s and spent five years in prison, now works as a white-hat security consultant. With a series of amusing but sobering demonstrations, he showed just how easy it is for cybercriminals to take advantage of human error to create near-endless opportunities for data breaches.
Shrewd hackers don't have to be technology savants. They can make use of social engineering – manipulation, deception, trust-building – to trick unsuspecting users. And it's much "easier than executing a technical exploit," said Mitnick.
Just ask John Podesta, chair of the 2016 Hillary Clinton campaign, whose trove of emails was accessed thanks to a spear phishing attack and subsequently posted to Wikileaks. You're probably familiar with the rest of the story.
With a series of live demos, Mitnick showed how laughably easy it is to trick people into inserting trojan-infected USB drives into their computers and enable a remote hacker to gain access to operating systems and webcams. He also showed how unsuspecting employees can be duped into joining spoofed wireless networks, which enable large-scale credential harvesting; and how hackers can "weaponize" fake software updates to gain free reign over a system, undetected.
Back in his black-hat days, Mitnick was able to get hold of source code from Motorola simply by calling an 800 number and using some tech-jargony sweet talk to convince a security staffer there to transfer it to a separate server. That type of employee trust – that susceptibility to a well-played confidence game – can be just as dangerous as any brute force attack.
He said it was key for healthcare organizations to shore up their defenses by developing social engineering resistance training programs and performing penetration tests to discover which employees might be most likely to take the bait, helping build a "human firewall" by educating employees about the dangers of too much trust or too little vigilance.
Mitnick's keynote came just as a new survey was published on Feb. 19 by CHIME and KLAS, revealing findings that CHIME CEO Russell Branzell called "stark and concerning." Just 42 percent of the healthcare organizations polled have a vice president or C-level official in charge of cybersecurity, it found; only 62 percent discuss security at quarterly board meetings.
And only 16 percent of the providers surveyed (primarily large hospitals and integrated delivery networks) say they have "fully functional" security programs in place, according to CHIME.
Essential to the success of any such program is to focus as much on social engineering as much as technology protections, said Mitnick: "The human factor is the weakest link."
This article is part of our ongoing coverage of HIMSS17. Visit Destination HIMSS17 for previews, reporting live from the show floor and after the conference.