The Modern Hacker: Who They Are, Where They Live, & What They're After

The Modern Hacker: Who They Are, Where They Live, & What They're After

Hacking, the act of gaining unauthorized access to or otherwise compromising digital devices and networks, is an evolving and ongoing threat. When many of us imagine a hacker, we think of a lone mischievous teenager writing malicious code in a dark basement, but the modern reality is much more diverse and sophisticated.

The Cost of Hacking

Hacking is a billion-dollar growth business. According to Forbes, hackers stole $4 billion from victims in the first half of 2019 alone, making hacking incredibly tempting for individuals with few scruples. We discussed the most costly cyber attacks of 2019 in our blog post The 8 Most Expensive Cyberattacks of 2019.

Who is the Modern Hacker?

While there are still loners breaking into secure systems from their basements, hacking is becoming much more professional and organized.

State Sponsored Hacking

Modern hackers are state-sponsored actors; unlikely soldiers conscripted in wars between nations. Russia, in particular, has been accused of using state-sponsored hacking in many instances, including allegations that they interfered in America’s 2016 federal election. However, governments aren’t the only targets: state-sponsored hackers are increasingly targeting private businesses as well. Jeff Bezos, the CEO of Amazon and the owner of the Washington Post, was targeted by the Saudi Arabian government in 2018 in an attempt to influence how the newspaper covered the kingdom in an attempt to limit or prevent criticism and cast the country in a more flattering light.

And state-sponsored hacking may be on the rise. Only last July, the United States, Canada, and the United Kingdom announced that hackers associated with Russian intelligence had attempted to hack government systems in order to steal information related to COVID-19 vaccine development. That same month, the United Kingdom also accused Russia of interfering in their general elections.

Non-State Groups of Hackers

Hacking is becoming a team sport both within government and outside of it, with hundreds or even thousands of individual hackers banding together to pull off Distributed Denial of Service (DDoS) and other widespread attacks.

The most notable groups of non-government sponsored hackers are currently Anonymous, WikiLeaks, and LulzSec, who use their hacking skills for activism purposes.

The Tools of the Modern Hacker

More than Just Writing Code

While there is a technical aspect of hacking (such as creating malware or breaking into networks), psychology also plays a role in this illegal activity. Social engineering, where hackers use psychology to trick unsuspecting victims into complying with their requests, plays a vital role in many cybersecurity attacks. This use of psychology takes many forms, from using phishing to trick users into revealing their usernames, passwords, or other sensitive information or using spam to scare them into handing over money or sensitive information.

Malware for Sale

In the modern world, hackers don’t need technical skills to wreak havoc, just a connection to the dark web. Criminal enterprises are increasingly offering malware for sale, so non-technical hackers (known as “script kiddies”) can carry out devastating and sophisticated attacks. This business of selling malware saw one group of hackers to sell backdoor access to PCs for as little as $10. In addition to selling the program necessary to hack these computers, the sellers also offered tips for how hackers could avoid detection. These groups are rarely concerned with who they are selling their product to, or what the buyers intend to do with their newfound malware.

Where Does the Modern Hacker Live?

Though hackers come from around the world, it isn’t easy to track down this elusive group that works hard to stick to the shadows and cover their tracks. However, recent research suggests that the majority of the world’s hackers are from within the United States, followed by China and finally Russia.

What Are Hackers After?


Hackers are a diverse group, and as such, are motivated by a variety of factors.

Criminal Financial Gain

One of the most common goals of hacking is financial gain through illegal means. This category includes credit card credential theft as well as defrauding banks.

Corporate Secrets

Corporations are increasingly using hackers for corporate espionage. While some organizations rely on outside hackers to break into secure networks and steal corporate secrets and IP, these threats are increasingly originating from within organizations themselves.

National Secrets

Much like corporate espionage, governments are also turning to hackers to target other governments or private businesses, such as the Russian hack examples against the American, Canadian, and British governments mentioned above. Another famous example of governments using hackers to gain intelligence and sow chaos is Stutnex, which was developed jointly by the American and Israeli governments and used to wreak havoc on the Iranian nuclear facility Natanz.

The Rise of Hacktivism

Some hackers are socially or politically motivated. These hacker-activists (or hacktivists) use their skills to draw the public’s attention to social and political issues by shining an unflattering light on their targets, typically by making sensitive or damaging information public.

Fame

Some hackers are motivated by fame and the drive to gain the respect of their fellow hackers. In these cases, hackers often deface or otherwise leave identifying marks on the websites and systems they infiltrate as a way to show their skills off to other hackers.

Additional Reading

For more information about hacking, and what steps you can take to protect yourself and your business, please consider reading more of our blog posts, including:

Hackers Are Increasingly Targeting People Through Their Phones

Hackers Are Increasingly Targeting People Through Their Phones

We do so many things on our smartphones: We stay in touch with friends and colleagues, we do our banking, we look for work, and so much more. Unfortunately, while phones have made it easier than ever to go about our everyday lives, they also offer another way hackers can reach us by gaining access to our money and private files. While hacking may look different than it did when home computers first became commonplace, some old school tactics are still in use alongside the new and insidious approaches hackers use to gain unauthorized access to our devices. Even if you are pretty tech-savvy, you may be inadvertently exposing yourself to risk.

Hackers target our phones for a wide variety of reasons, but there are steps you can take to protect yourself. If you think you have been hacked, please read our blog post: Hacked? Here’s What to Know (& What to Do Next). To help safeguard your smartphone as well as any networks it connects to, you and your team should be reviewing your security practices regularly.

Why Hackers Target Phones

Blonde woman reading her phone while holding coffee
According to the Pew Research Center, 81% of Americans use smartphones. This ubiquity partnered with the fact that many shopping apps (particularly Android apps) contain high-level security vulnerabilities. Many apps also transmit unencrypted user data, making smartphones easy targets for hackers.

To Steal Your Money or Financial Information

Ransomware attacks aren’t limited to desktops and laptops. A ransomware attack could paralyze your phone, keep you from accessing critical files, and allow unauthorized users to access sensitive personal data. The basic anatomy of a ransomware attack involves hackers tricking users into downloading malicious software (malware), which they use to take control of the device and lock users out. The hacker then threatens to delete critical files or release private information unless the user agrees to pay the ransom. While some users may be tempted, paying the ransom doesn’t guarantee you will regain control of your device or your data.

In one case, a third-party Android app promised users it would optimize their system, but instead stole money from their PayPal accounts. This wasn’t technically a phishing attack, since the login process was legitimate, but once users logged in malware initiated the automatic PayPal transfer. Other hackers target victims’ wallets by tricking them into downloading fake mobile payment apps. Once victims have entered their payment information, the hacker can do things like empty your bank account or charge purchases to your credit card.

To Eavesdrop on Your Phone Calls

While phone calls may seem old fashioned to some people, the truth is we talk about a lot on the phone. Even if you don’t use your phone to stay in touch with loved ones or discuss sensitive business information with colleagues or clients, you may have to call your bank or the government to access services. During calls with your bank, you will likely discuss your banking details, and calls to the government will inevitably require answering verification questions and confirming your social security number.

There is currently a flaw (called SS7) in the US cellular exchange that allows hackers who know a target’s phone numbers to listen to calls, read text messages, and view user’s locations. Even though US agencies have known about this issue for some time, they have yet to take action to address it, leaving American’s phone privacy at risk.

To Blackmail You

Blackmail is nothing new, but the tiny computers we carry around in our pockets contain more personal information than our desktops and laptops do, making them tempting targets for hackers.

A typical blackmailing hack may go something like this: The hacker obtains some personal information on the victim that is already available on the black market, likely as a result of a previous, unrelated breach. They use this information to trick the victim’s phone company into believing they are the user and convince the company to transfer the victim’s number to a new phone owned by the hacker. When phone companies transfer numbers, they often transfer all the information on the old phone as well, which hackers can then use to blackmail their victims. In order to regain access to their personal files, victims may feel pressured to give in to the hacker’s demands or pay a ransom.

To Mine Cryptocurrency

Any computing device, including smartphones, can be hijacked by hackers and used to mine cryptocurrencies such as Bitcoin. This attack is referred to as cryptojacking. For more information on cryptojacking, and what steps you can take to safeguard yourself, please read our blog post Cryptojacking: Because Every Currency Needs to Be Protected.

To Gain Access to Your Company

Even if hackers target your phone, you may not be their primary target. A large percentage of office workers are currently working from home, which means many of us may be using our personal smartphones for business purposes. While working in a BYOD (bring your own device) exposes companies to risk providing work laptops and work smartphones for every employee may be cost-prohibitive. Fortunately, there are steps companies and workers can take to safeguard their devices and the company network. For more information, please read our blog post, Keeping Your Network Secure in a Bring Your Own Device World.

Just For Fun & Fame

While many hackers are motivated by financial gain, some hack others for entertainment or to gain fame in hacker circles.

Cybersecurity Steps You Can Take to Protect Yourself

Combination lock sitting on a cell phone

Stay Away From Third-Party App Stores

One of the easiest things you can do to protect yourself is to avoid third-party app stores; only download apps from trusted sources such as the Apple app store or the Android app store. However, hackers and other malicious actors have been able to penetrate these platforms as well, and some rogue apps have slipped through, so while this rule will reduce your odds of downloading a malicious app, it doesn’t completely eliminate risk.

Keep an Eye on Your Settings

Checking your phone’s settings can help you spot suspicious behavior. If your phone seems to be chewing through its battery more quickly than usual or appears to be running more apps than you currently have open, it may indicate a hacker has downloaded and is running a malicious app on your device without your knowledge.

Wait Before You Download

While you may be tempted to download that shiny new app as soon as it launches, waiting can help you ensure that new apps are free of serious security flaws. Waiting also gives developers a chance to issue patches to address any issues that do come to light.

When in Doubt, Don’t Click

Whether you are using your smartphone, desktop, or laptop, if you:

  • Encounter a suspicious site
  • Are sent a suspicious link
  • Stumble across a sketchy looking popup
  • Notice that there are apps on your phone you don’t remember downloading

You should stop using your phone until you can get some answers. If you think you may have been hacked, you should contact your MSSP right away for advice and next steps.

Leveraging Your MSSP in an "IT Light" Environment

Leveraging Your MSSP in an "IT Light" Environment

Not every organization can afford to support a full team of IT experts, but that doesn’t mean you can’t benefit from expert knowledge and advice. By leveraging your Managed Security Services Provider (MSSP), you can help keep your digital assets secure no matter how large or small your IT department is.

What Defines an IT Light Environment?

A company can be IT light in several ways: either light from a staffing perspective, light from a technology perspective, or both. Staffing IT light organizations have minimal internal IT staff, and may not even have a dedicated IT person on staff at all but may instead rely on one or more employees who split their time between IT tasks and their main job. This approach can be problematic as it often forces IT employees who wear several hats to focus on reacting to situations instead of addressing them proactively as the bulk of their attention must be allocated to non-IT tasks.
A technology IT light organization may have one or more dedicated IT personnel on staff, but may have small or limited IT needs or rely on IT solutions that are not sufficiently robust or comprehensive. This may be because their dedicated IT person is unsure of the best course of action or simply doesn’t know that there are better products and services available to meet your organization’s needs. Either type of IT light organization can benefit significantly from the expertise offered by an MSSP to both safeguard their digital assets and ensure their IT needs are met.

Leveraging Your MSSP


When most people think of MSSPs, their first thoughts turn to cybersecurity. While a robust cybersecurity posture is critical for any organization, a great MSSP can help supplement a skeleton crew of internal IT professionals or help you choose the right technology to suit your needs and fortify your IT infrastructure effectively. A great MSSP will help ensure your network remains secure and advise you on best IT practices to boost security and potentially even improve your network framework and performance.
A MSSP can help lessen the workload of your internal IT team and offer valuable advice. One of the biggest benefits of partnering with an MSSP is that you can access an entire team of IT and cybersecurity experts without having to hire and support a large internal team. Outsourcing your IT and cybersecurity means the cost to support that team is defrayed. Additionally, no one IT or cybersecurity expert can know everything, so relying on an entire team allows you to access more knowledge than even the most experienced internal IT or cybersecurity person can offer and doesn’t require you to hire, pay, and retain high-cost IT and cybersecurity employees.

Get a Heads Up on Potential Issues & Cybersecurity Attacks

MSSPs are also well connected, making them an excellent tool to have in your toolbox. They typically serve many customers and develop close relationships with vendors. As such, they are often able to spot potential issues before their clients can and formulate a plan to address potential problems before they can manifest. Their close relationship with vendors and expert cybersecurity and IT knowledge also mean they are often in the know regarding potential vulnerabilities and issues before the wider cybersecurity and IT community is, giving you a head start on fortifying your defenses against potential issues and attacks.

Focus on What You Do Best; Leave the Rest to Your MSSP


You aren’t in the IT business, so it doesn’t make financial sense to support a large internal IT or cybersecurity team. By outsourcing your IT and cybersecurity to the experts, you can focus on what you do best and leave the rest to your MSSP. MSSPs can be a strategic asset, identifying gaps and creating roadmaps as well as driving those roadmaps to completion. By relying on an MSSP to do the heavy cybersecurity and IT lifting (such as handling investigations, following up on alerts, and triaging problems), you can free up your staff to focus on your core business. Your MSSP will alert your internal IT or management team when necessary or simply provide notifications of problems that have arisen and already been dealt with.
The entire job of an MSSP is to handle cybersecurity and IT issues. A great MSSP has an entire team of experts working 24/7/365 to keep organizations like yours safe from malicious cyberattacks and disruptive IT issues. Since your MSSP handles all of the IT and cybersecurity staffing, you never need to worry about being left vulnerable by staff turnover or team members taking leave (such as maternity leave). You get seamless, 24/7/365 service at a fraction of the cost it would take to support an internal team of the same size and staffed by the same number of experts. A great MSSP also understands the unique considerations and requirements of your industry, whether you:

Ensuring your IT and cybersecurity needs are met is vital for supporting your daily operations and safeguarding your digital assets. If your organization isn’t large enough to justify supporting a large internal team of IT and cybersecurity experts, you may want to consider partnering with an MSSP. Your MSSP can handle the majority of your IT and cybersecurity tasks, consult with internal IT or management teams as necessary, and free up your staff to focus on your core business.

Cybersecurity Basics Every College & University Needs to Have in Place

Cybersecurity Basics Every College & University Needs to Have in Place

Institutions around the world rely on their networks to deliver courses, manage student schedules, tuition payments, and credentials, and handle the day to day activities of the entire institution.
According to a 2016 survey of nearly 20,000 companies, 13% of all post-secondary institutions have been targeted by ransomware attacks.

Unique Challenges College & University Institutions Face

User Education

Universities and colleges face a variety of unique networking and cybersecurity challenges, but one of the biggest barriers is in user education.
Faculty often work long hours, splitting their time between teaching students, conducting research, and writing papers, and students are typically focused on their studies and any paid work they need to take on to cover costs like tuition and living expenses. As such, cybersecurity training can often take a back seat.
To help ensure cybersecurity remains top of mind, institutions need to take steps to ensure both staff and students have training resources available and have the time they need to review these resources thoroughly. All staff and students should also know who they should contact if they encounter suspicious activities, and reporting potential threats should be as easy as possible.

Aging Network Infrastructure

Trying to keep an aging legacy network up to date with limited funds can make creating a seamlessly integrated solution difficult.
Unlike some businesses that might be able to roll out changes or adopt new technologies team by team, universities typically need to transfer all students, all teaching staff, or all non-teaching staff over all at once. Service disruptions are typically widely felt, particularly at a time when most learning is happening online.
As such, any changes will need to be considered carefully. By planning your network carefully and accounting for future growth, you can make it easier for your institution to upgrade and expand their network later on.

Unsecured Personal Devices

While some institutions may provide their teaching and non-teaching staff with laptops or phones, students are typically required to provide their own devices. Personal devices may not be secure, and each unsecured device is a potential entry point for malware or other cybersecurity attacks.
To help safeguard your network, even if some users bring their own devices, we suggest reviewing our blog post Keeping Your Network Secure in a “Bring Your Own Device” World.

Networking & Cybersecurity Basics

Cybersecurity Basics Every College & University Needs to Have in Place
The institution network is vital for creating a high-quality learning and teaching environment. A well planned, well-maintained network can make an institution stronger and better, while an out of date, poorly planned network could bring everything grinding to a halt. Cisco offers a comprehensive guide on setting up a new network on campus, but there are some other basic factors beyond configuration and design models that need to be considered:

Connectivity & Security

Network connectivity in the modern world is much more than access points spread out over a web of ethernet cables. Wi-Fi and cellular networks mean that people are more connected now than ever before and that connectivity expands beyond the offices and classrooms of your physical campus. Balancing the expectation and need for continuous connectivity with the need to keep your network secure is a design challenge that needs to be addressed.
You need to consider where data will be stored (physically on-site, physically off-site, or on the cloud), as well as what type of information should be accessible and who should be able to access it. You also need to consider the devices that will be accessing this information, from laptops to smartphones and ensure your servers are secure enough to protect that information without compromising connectivity and hindering operations.

Redundancy & Backups

Redundancy involves having backups for all mission-critical devices and data on your network, which is why even the smallest post-secondary institution should consider having at least two servers. Having two identical servers with identical configurations means that if one server is damaged or needs to be taken offline for maintenance, the entire network can be run off of the other server with minimal or even no disruption.
A good rule to follow is to have enough redundant parts, systems, and services in place that no part of the network will ever be down for more than an hour. If your organization hosts its own web servers, and absolutely cannot function without internet connectivity, then you should have a second connection in place. Having an extra switch, a backup router, and spare laptop on-site to troubleshoot any issues can help keep network disruptions to a minimum.

Standardizing Hardware & Software


Standardizing your hardware and software not only helps ensure the entire network runs smoothly, but can also reduce the amount of time and money spent on updates, repairs, and maintenance. Though you may not be able to standardize your entire network, you should consider conducting a full audit of your systems, software, and peripherals to determine which portions can be standardized.
Though certain executives or select departments may have special requirements if most of your staff can use the same make and model of laptop, the same word processing programs, and the same email programs, you can quickly and easily deploy hardware and software patches across your entire organization. This saves not only time, but also money as IT staff and other employees don’t need to waste time figuring out if the patch will work for them, finding alternative solutions, or troubleshooting machines that are patched incorrectly.

A Disaster Recovery Plan

Even if your post-secondary institution has a robust, up-to-date, and comprehensive cybersecurity plan, you need to plan for the worst. If you experience a cybersecurity incident, you need to have protocols in place to contain the threat, limit damage, and recover effectively.
Your plan needs to be comprehensive and cover all possible worst-case scenarios. This should include:

  • Provisions for backup power
  • What to do if the network or a server crashes
  • Determining how often data should be backed up, how it is backed up, and where those backups are stored.

As a general rule, important data should be backed up daily, and all data should be backed up at least once a week. All data should also be incrementally backed up on a daily basis so that any files that have been updated since the last weekly backup remain up to date. All backups should be securely stored off-site in case there is a building disaster such as a fire.
A comprehensive disaster recovery plan should cover not only a variety of potential scenarios (such as data breaches or ransomware attacks) but also be scalable so that you are prepared for building-wide disasters, department-wide disasters, institution-wide disasters, and municipality-wide disasters.

Planning for Future Growth

While it isn’t always possible to accurately anticipate how much your organization will grow, you should still make allowances for potential growth in your network design. When choosing a network configuration or server size, make sure the choice you make now can accommodate a reasonable level of growth in the future. You should conservatively factor in a growth rate of at least 20% per year, and include everything from switch ports to data backup systems in your plan.
Planning a network to suit your organization’s needs, both now and in the future, can be a daunting task. If you don’t have a qualified IT professional or team on staff, you may want to consider reaching out to an experienced third party for assistance.

The Challenge to Remain PCI & NIST Compliant During the Shift to Remote Work

The Challenge to Remain PCI & NIST Compliant During the Shift to Remote Work

Recent events have required many companies to redirect a significant amount of their labor force from an onsite setting to working from home. This sudden shift in company resources and personnel caught many businesses off-guard, requiring a chaotic scramble to reorient their necessary technologies and staff. However, the aftermath of that tumultuous period now leaves companies wondering where to begin on repairing their new or existing security and compliance policies.
To help you safeguard your organization’s digital assets, here are a few things you should consider as your workforce shifts to remote work.

Remote Work Brings Unique Cyber Threats

While your head office or other worksites may have robust safeguards in place, your employees may not be so well situated at home. Recent events have demonstrated the power of remote workforces, but these do not come without risks.
Shifting to remote work, particularly if the shift is sudden, can bring with it associated costs and infrastructure changes. However, organizations must work to ensure they remain both NIST and PCI compliant, even when planning and implementation time is short.

Remaining PCI Compliant


PCI (Payment Card Industry) compliance is mandated by credit card companies and consists of a set of rules that are designed to safeguard credit card transactions from a processor standpoint. A sudden shift to remote work can disrupt many established practices, so organizations need to be vigilant and ensure new work arrangements and processes remain compliant.
PCI DSS mandates several security requirements that are designed to protect remote workers and their environments. These include:

  • Requiring the use of multi-factor authentication by all remote network access users who are currently located outside the company’s network.
  • Enforcing strong password policies that prohibit the use of shared passwords. Workers should also be taught why safeguarding their passwords and other authentication credentials from unauthorized users are critical from a cybersecurity standpoint.
  • Requiring all systems used by remote staff to be kept up to date by downloading security patches as they are released, installing anti-malware protection software, and insisting on robust firewalls to defend the network from external, internet-based threats.
  • Having workers uninstall or disable any applications and software on their devices that are not required. This reduces the attack surface for both computers and laptops. However, this may not be possible if your organization relies on employees using their own devices (a BYOD policy) as opposed to company issued computers and laptops.
  • Implementing access controls so that only individuals who need to access the cardholder data environment (CDE), cardholder data, and related system components to do their job are able to access those resources.
  • Providing workers with secure, encrypted forms of communication (such as VPNs) to ensure that all transmissions to and from the remote device are protected. This is particularly vital for transmissions that contain sensitive information, such as cardholder data.
  • Configuring your network to automatically disconnect remote access sessions after a set period of inactivity. This helps prevent idle, open connections from being used by cybercriminals to gain unauthorized access to your organization’s network.
  • Ensuring you have an up to date incident response plan based on accurate contact data for key personnel. You should have procedures in place for detecting and responding to potential data breaches, and make sure these procedures are calibrated for remote work environments.

If you are unsure if your new remote work policy is PCI compliant, please review the PCI compliance guidelines carefully or reach out to your MSSP for guidance and assistance.

Remaining NIST Compliant


NIST (the National Institute of Standards and Technology) guidelines on ensuring compliance for remote workers are covered in their special publication: 800-46 (Revision 2) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. They also created a companion guide (User’s Guide to Telework and Bring Your Own Device (BYOD) Security), which should be carefully reviewed by all remote workers.
You, and your employees, should review both documents carefully to help ensure your organization remains compliant. For additional information, you should also review NIST’s blog post on telesecurity basics, which provides a few helpful tips for both remote workers and the organizations that employ them.
There are a few things you should do to help ensure compliance and better safeguard your network and other digital assets:

  • Management should review their current policies regarding remote work carefully. Make sure your employees are clear on what company resources they are and are not permitted to access from their personal devices. For example, reading work emails may be permitted, but accessing sensitive files may not be. Make sure all employees are aware of these rules and are able to comply with them.
  • Take steps at an organizational level to protect communications from eavesdroppers. If employees are using Wi-Fi at home, make sure they have the tools and knowledge they need to set up secure networks. Make sure employees are using WPA2 or WPA3 security.
  • Make sure employees are using hard to guess passwords (section 5.1.1.1 of the NIST password guidelines are a useful resource for setting organizational password standards).
  • Consider providing users with VPNs.
  • Take steps to improve endpoint security at an organizational level and encourage employees to take similar steps regarding their personal devices.
  • Require all remote workers (especially those using their own devices) to enable basic security features such as PINs, fingerprints, or facial ID features. These steps are crucial for safeguarding devices that are lost or stolen. Make sure all PINs and passwords are hard to guess.
  • Make sure employees keep their software up to date on both their computers and mobile devices. Most devices provide options that allow them to check for and install updates automatically.
  • Make sure employees know who to contact if they encounter anything suspicious (such as spam), and ensure that all contact information for key personnel is up to date. Make sure employees understand how to identify suspicious behavior, and are encouraged to report everything, no matter how insignificant it may seem. When it comes to cybersecurity, it’s always better to be safe than sorry.

The way many of us work has changed dramatically over the past few weeks, causing many organizations to rapidly pivot to remote work. Making sure your organization takes steps to ensure continued compliance with both PCI and NIST guidelines helps ensure sensitive data remains secure.
If you have any questions about these guidelines or are not sure how to adapt your current cybersecurity posture to accommodate remote work, please speak to your MSSP for advice and guidance.

The Ultimate Guide to Cybersecurity in the Healthcare Industry

The healthcare industry continues to lag behind on cybersecurity, even as it is increasingly targeted by cybercriminals.
Why is that, and what can you do to better protect your organization in 2020?

The True Cost of Healthcare Cybersecurity Breaches

When most of us think of organizations being hacked or breached, we think of sensitive data being leaked, causing profits to plummet, or vital documents being held hostage until a ransom is paid. However, when it comes to the healthcare industry, often the true cost of an attack is much more than just money.

The Cost to Patients

Ultimate Guide to Cybersecurity in the Healthcare Industry
The inability to access medical records, lost productivity as systems are down, and money paid to cybercriminals all have a real impact on the health and wellbeing of patients. One famous healthcare-focused cyberattack, the 2019 ransomware attack on the Grey’s Harbor Community Hospital and Harbor Medical Group, forced the hospital and the medical group’s clinics to revert to paper medical records and affect backups. Though most records were recovered, it still isn’t clear if some medical records were permanently lost.
A breach can also damage the relationship between the patient and their doctor, as many patients may avoid seeking medical help if they are worried cybercriminals or other unauthorized users may access their private medical information. These emotional consequences can seriously damage the health and wellbeing of patients and make it more difficult for doctors to rebuild patient trust and ensure their patients are getting the care they need.

The Cost to Medical Science

Depending on the nature of the breach, valuable research data and intellectual property may be damaged or lost, which can delay research into life-saving treatments. That sort of research is invaluable, and its loss can have devastating consequences for the health and wellbeing of potentially millions of people.

The Unique Challenges of Healthcare-Focused Cybersecurity

Research has shown that the healthcare industry is a prime target for medical information theft at least in part because it lags behind other industries in securing its vital data. So why does this industry, whose assets are crucial to human health and wellbeing, lag so far behind?
To begin with, so much of what hospitals do relies on the internet, from patient test results and medical records to the various machines and technologies used to provide patient care. While this interconnectedness is excellent for data integration, patient engagement, and clinical support it also means that a ransomware or other attack can spread quickly between vital systems, accessing patient data and other highly sensitive information, hijacking medical equipment to mine cryptocurrencies, or shutting down entire hospitals or hospital networks until a ransom is paid.

Not All Software Can be Patched

One of the unique challenges of healthcare is that there is a wide mix of equipment. While some equipment is cutting edge, many pieces of healthcare technology still in use were made by companies that are no longer in business or run on old software that has gaping security holes that can’t be patched. That means that even if vulnerabilities are known to exist (which isn’t always the case), there may not be a way to fix them.
The obvious answer would be to move away from outdated software and equipment with known vulnerabilities, but that is easier said than done. While a small or even medium-sized business could handle a temporary shutdown to migrate the entire network over, hospitals and other healthcare facilities don’t have that luxury: the entire system needs to be running 24/7/365.
Shutting down older equipment and transferring all of the data stored on the network can also be incredibly costly. The ability to patch and update software both extends the lifespan of current equipment and reduces costs.

Human Error Can Expose Patient Data

On the data privacy side of things, recent research from the JAMA found that most breaches in medical settings were triggered by unauthorized disclosures or employee error. When multiple shift doctors, nurses, and specialists need to be able to quickly and easily access sensitive employee data, it increases the odds of one person making a mistake that could leave this data vulnerable.

The Biggest Cybersecurity Threats to be Concerned About in 2020

Ultimate Guide to Cybersecurity in the Healthcare Industry
There are a few threats that healthcare providers should be particularly concerned about in 2020. If you are unsure what steps you can take to improve your organization’s cybersecurity posture, please speak to your MSSP (Managed Security Services Provider).

Ransomware

Ransomware was a huge problem in 2019, particularly for healthcare providers, and it is likely only going to get worse. Unlike some other businesses, healthcare providers aren’t able to pause operations to try and get their files unencrypted to avoid paying the ransom. And while some businesses can carry on even if they are unable to recover a few encrypted files, sometimes even a single unrecoverable file, such as a patient’s electronic file or test results, can have disastrous consequences for the health and wellbeing of patients.

Unsecured Medical Devices

Businesses in a variety of industries, including the healthcare industry, have enthusiastically adopted a wide variety of Internet of Things (IoT) devices. In fact, some reports speculate that from 2019 and 2024, we will see a combined annual growth rate of 27.6% for healthcare IoT devices.
However, in 2019 the FDA warned that a cybersecurity firm had identified 11 vulnerabilities that could allow hackers to control medical devices remotely. That report has likely prompted many healthcare providers to take a closer look at their current cybersecurity postures. Hopefully, that focus will continue in 2020 so that these and other vulnerabilities can be addressed.

Unsecured Electronic Health Records

Electronic health records have made it significantly easier for both healthcare professionals and facilities to access patient files, though this system does come with special cybersecurity considerations.
Though there are already privacy laws in place to safeguard sensitive patient data, these laws were mostly written with people in mind, not software. That means that many of these systems remain vulnerable to exploitation by cybercriminals, since the software that many of these systems run on or interface with may have been written in a time before the IoT. Depending on when the software was written, the company may not be around to issue software updates and patches, and even if they are, the software may not be compatible with many necessary cybersecurity updates.
Hopefully, findings like the FDA report mentioned above will encourage the companies that design electronic health record systems to evaluate their software critically so that it can be modified to better safeguard patient data.

How Can Healthcare Organizations Improve their Cybersecurity Posture?

Every organization is different and has slightly different cybersecurity needs. As such, the first thing any organization should do is sit down with their MSSP to identify their cybersecurity needs and create robust yet flexible cybersecurity protocols.
Organizations should also work with their healthcare-focused MSSPs to identify credible threats and create tailored response plans to address those threats. These response plans should be designed to minimize or even eliminate damage to critical systems and help safeguard both vital infrastructure and sensitive data.
To help you get started, please review our blog post Cyber Hygiene 101: Basic Steps to Keep Your Company Secure.