Healthcare organizations have good reason to adjust their threat assessments when updating their HIPAA Security risk analysis as required for HIPAA and meaningful use compliance. Based on a number of recent events, we know more about the capabilities and activities of nation states and terrorist groups in the cyber arena.

  1. The New York Times revealed leaks from Edward Snowden that the United States conducted 231 offensive cyber-operations in 2011 in the arena of spying, sabotage and war. A separate revelation described an extensive effort, code-named GENIE, under which U.S. computer specialists break into foreign networks so that they can be put under surreptitious U.S. control. The methods include placing sophisticated malware in computers, routers and firewalls. This operation is placing on the order of tens of thousands of foreign machines per year under U.S. control. The U.S. plans to vastly expand this number into the millions.
  2. Other major players include Russia and China. China was the subject of an exposé by security firm Mandiant, released in February of this year. This 76-page report, with 153 pages of appendices, provides details of China’s cyber operations conducted by an elite unit of the People’s Liberation Army. Mandiant names this unit APT1, after “advanced persistent threat”. Mandiant details the unit’s location in Shanghai, its network operations capabilities, a description of its methods, and an assessment of the scale of its worldwide operations. This report is based on a decade of observations. Mandiant directly observed compromises of 141 organizations and the theft of hundreds of terabytes of data. Almost certainly this represents a small fraction of Chinese activity.
  3. Terrorists, perhaps with state support, have demonstrated the ability and willingness to destroy data. As reported by Reuters and others, in 2012 the Saudi Arabian national oil company Aramco was the victim of a cyberattack that wiped the hard drives of 30,000 computers. A group called “Cutting Sword of Justice” claimed responsibility, blaming Saudi Arabia for “crimes and atrocities” in countries including Syria and Bahrain. An image of a burning American flag was placed on the hard drives of the erased computers.

The U.S. government is sounding the alarm. In its 2013 Global Threat Assessment, the U.S. Director of National Intelligence said that cyber-threats are the #1 threat category to the security of the country. The White House has launched multiple efforts to improve the cybersecurity of critical infrastructure.

Other sectors (energy, finance, defense, public utilities) are at much greater risk as evidenced by widespread reports of attacks against these sectors. But the risk to healthcare is still present, albeit at a lower level. Three possibilities to consider are:

  1. The most likely scenario is that your network will be compromised and come under the control of a foreign actor using an advanced persistent threat (APT). Probably there will be no operational impact. Many organizations would be unaware of the foreign intruder, since these are highly skilled actors who operate with great stealth. Under multiple scenarios, foreign actors would maintain control of these systems for the purpose of deterring U.S. aggression. It is highly unlikely that China or Russia would cause large-scale damage.
  2. Theft of intellectual property (which a major academic medical center might possess) is certainly another risk. We know that the Chinese are very active in taking intellectual property.
  3. The most worrisome scenario for operational impact is a smaller nation such as Iran or a terrorist group such as Al-Qaida who may wish to cause damage or kill people in retaliation for a U.S. action. However, it seems more likely that the energy, financial or public utility sectors would be the prime target as opposed to healthcare. So, until it happens for the first time we will rate this risk as very low.