Internet of Things to 'enormously expand' kinds of cyberattacks hospitals suffer, economist says
When healthcare executives think of economics, their first thought no doubt is of money. But that’s not necessarily the right thought when it comes to the economics of cybersecurity, said Scott Borg, chief economist at the U.S. Cyber Consequences Unit.
The independent, nonprofit research institute investigates strategic and economic consequences of cyberattacks.
“An important thing to realize in economics is it’s not just about money, it is about choices – economics is about making the best decisions and creating the most value you can,” Borg explained. “In terms of cybersecurity, economics is about protecting your organization’s ability to create value. Cybersecurity executives need to understand how the systems that are protecting assets create value, and they have to know how much value they are creating.”
Chief information security officers and other executives responsible for security can’t just be protecting systems, they must also clearly understand what their organizations actually do, Borg added.
“They need to be thinking about what those systems are used for because the first step in the economics of cybersecurity is paying attention to what your hospital or clinic is actually doing,” he said. “And that is immediately illuminating if you do it right. Executives will immediately see that a lot of things they are protecting do not really deserve a lot of attention and are not things attackers are likely to go after. Meanwhile, they will also see that other systems are both totally important to their organization and are prime targets for the attackers of the near future.”
Thinking about where value is created within a healthcare organization can help cybersecurity executives start customizing security to fit their organizations, Borg explained.
“And that is becoming really critical because things like the Internet of Things and the new attention to industrial control systems are about to enormously expand the kinds of attacks that hospitals and clinics are going to suffer,” he said. “Cybersecurity executives need to start understanding all of these new attacks that are going to become possible, they need to know which ones they need to worry about. And an economics approach focused on value rather than money can provide a really good guide.”
Further, if healthcare cybersecurity executives understand how attackers can benefit from different types of attacks, they will quickly notice there are some things attackers are more likely to do because the benefits are going to be so great, even though the attackers might never have done them before, Borg stated.
“The Internet of Things is the big new worry, but healthcare executives need to think about why someone would want to attack these devices in a clinic or hospital,” he said. “One of the new reasons is that cyber-attackers are beginning to discover they can make more money in financial markets than they can by credit card fraud. And in cybersecurity that is a big new development, just as big as the Internet of Things.”
What this means, for example, is there are many financial opportunities for hackers, and one of them is to short a stock, Borg said.
“Hackers can attack an organization in order to bet in the financial markets that a given stock will go down after an attack and attack that entity in a really conspicuous way,” he explained. “And when the stock drops as the result of the attack, the attackers can invest in the stock as the stock falls. They then can multiply an investment by hundreds of times. There is so much money to be made that way. And that suddenly means some health systems will need to worry about things they did not need to worry about until now.”
Sign up for the Healthcare IT News Privacy & Security Update newsletter.
IoT will be among the topics at the Privacy & Security Forum in Boston, Dec. 5-7, 2016.
⇒ Privacy & Security Forum Boston: What to expect
⇒ How to beat back hackers and savvy cybercriminals? Delve into the dark web
⇒ A CISO, consultant, and infosec vendor nail down cybersecurity best practices
⇒ Gone' phishin': Mayo Clinic shares tips for fending off attacks
⇒ What's the fundamental problem with cybersecurity? Relying on the Internet
⇒ Budgets grow but breaches continue without best practices
⇒ Think offshoring PHI is safe? You may not be if a business associate breaches