You can never prevent an attack, nor avoid one for that matter. If you are involved in the development or implementation of technology that exposes your products, solutions or related services to the Internet, you can be sure that at some point you will be attacked by cyber-criminals lurking on the web.
The attacking party or individual may be from a criminal organization in Russia or China or it may be a legitimate entity, go figure this one out. These two countries are the origin of most of the major attacks on the government and corporations in the United States, Europe and India, among many other nations. Most attacks from these two countries are considered to be orchestrated by government agencies and corporations that may have political or financial interests. These types of attacks are considered cyberwarfare.
Sony Entertainment’s hack attack is considered to be a cyberwarfare one, although this is speculative since the motive for the attack does not match with: 1.) when the attack actually initiated and 2.) the duration the attack had been ongoing for. The motive was considered retaliation due to the release of the movie “The Interview”, but the attack had started over a year before the movie was announced.
Most of these types of attacks are embarrassments for the victim organizations. Typically, these are multi-billion dollar companies that failed to effectively protect their sensitive information and, what’s even worse, they endured the attacks for very long periods of time without noticing them.
But, in many cases, the attacker may be a 15-year-old high school student from a typical US suburb who may have just recently picked up, as a hobby, messing around with Moxie Marlinspike’s ethical hacking tools and products. This second type of attacker is usually the least sophisticated, but the damage they can cause can be extensive. These hackers are typically called blackhat hackers or crackers. I jokingly call these “teenckers”.
Comodo Group, a certificate issuing authority, suffered a teencker attack which they initially claimed was a “state-driven attack” from Iran. Believe it or not, even the organizations that we entrust to protect us can easily become victims themselves.
These types of attacks are even worse than embarrassing. Having a teencker hack what someone sells as a promise of trust is not only embarrassing but downright humiliating.
But what’s going on in healthcare is not a joke. The biggest health insurers, three notoriously known in 2015, are being hacked and what’s really concerning about this is that these organizations have been under siege for several years and only recently, and accidentally, have they discovered it.
What these health insurer companies fail to understand is that they are likely to be under a true “state-driven” attack. These attacks are probably the truest form of cyberwarfare that can exist. While the immediate reaction is to provide credit monitoring protection to the real victims in a situation like this, the problem we are dealing with is much greater than identity theft for financial fraud purposes.
CIA and FBI, start taking notes.
The amount of clinical and medical data that the hackers have been able to obtain is indeed espionage in its rawest and evillest form. If an “enemy state” has access to this BIG data then we are facing a serious situation as a nation. It’s a national security issue.
It’s one matter to receive speculative information about a supposedly unhealthy and obese nation from an enquirer type of magazine, and a very different one to scientifically have a clear understanding of the health status of the population at an individual and collective level in a specific region. This is where BIG data becomes bad.
We have an issue. The lack of proper policies and procedures to protect PHI, and the lack of proper monitoring of where the PHI is stored and transported, have led to situations like these. These organizations weren’t attacked the day before they announced it but in some cases, several years prior.
But even if you have a slew of policies and procedures and all the monitoring technologies in place, if you don’t create trustful accountabilities and responsibilities throughout your organizational layers and you fall victim to a hack attack, you will end up in an “Ashley Madison affair” type of situation.
PHI protection starts from a solid architectural, technological and organizational foundation, segregation of duties, and trust relationships throughout the organization.
Those that rely on technology alone to protect PHI are, well, foolish.