Information Technology and Ethics/Who commits cyber crimes?

Cyber Criminals

There are criminals who commit cyber crimes for different reasons. Some of them steal from companies and private citizens for financial gain, while others steal secrets from not only companies, but governments and private citizens. Some of the perpetrators aim to disrupt the infrastructure of the government or company. Hackers test the limits of information systems for the challenge of doing so. Some believe that hackers perform a service by exposing security risks. "Crackers" break into networks and systems to deface websites, crash computers or networks, or spread harmful programs and/or hateful messages.

Malicious insiders are employees or officers of a business, institution, or agency who carry out activities intended to cause harm to the organization. Malicious insiders are not always employees. They can be consultants and contractors who have special access to sensitive information. It is difficult to detect and/or stop malicious insiders. They are authorized to access the systems they abuse. Most systems are vulnerable to these malicious actors because they were designed to keep intruders out. Insiders know how the systems work and how to circumvent them. The organization may be able to take steps to reduce these attacks. Industrial spies steal trade secrets to gain competitive advantage. Hacktivists and cyber-terrorists attack systems in order to promote their ideologies and intimidate governments in order to achieve their goals.

Cyber Crime and the Healthcare System

In today’s “high-tech” world, both wireless and software-controlled technologies are commonplace throughout the medical world. From the bustling cities of Washington, D.C. and Chicago, Illinois to the various small-town “one-stoplight” places around this country, the advancement in medical technology has in some way, shape, or fashion affected all of us in many different ways. Even the normal “checkup” visit to the doctor brings us face-to-face with some form of software-controlled device such as “surgical and anesthesia devices, ventilators, drug infusion pumps, patient monitors and external defibrillators” [1]. Most devices used in hospitals today are controlled via software and are either connected to the Internet via a hospital Intranet or have the capability to be connected via wireless technology.

And that is where one of the many problems arises: on the Internet. Most, if not everything, can be found, viewed, used, and exploited as long as it is connected to the Internet. As long as there is something of value out there in cyberspace, there will always be someone who tries to “hack” it, manipulate it, or take it. Whether that is for the good of mankind or the selfishness of one, people will always try to use the Internet to their advantage.

The healthcare industry is no stranger to cyber-crime. For the last ten years or so, most cyber-crimes against the healthcare system were for monetary reasons, whether that be through extortion or by stealing someone’s identity.

Within the last few years there have been numerous security studies, conferences and demonstrations on the topic of cybersecurity vulnerabilities relating to “internet-connected implanted medical devices” [2], “hard-coded password vulnerabilities” [3] or “by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks.” [4]

Implanted devices have been around for decades, but only in the last few years have these devices become virtually accessible. While they allow for doctors to collect valuable data, many of these devices were distributed without any type of encryption or defensive mechanisms in place. Unlike a regular electronic device that can be loaded with new firmware, medical devices are embedded inside the body and require surgery for “full” updates. One of the greatest constraints to adding additional security features is the very limited amount of battery power available.[2]

There have been some health-care security related events in the past few years.

Anthem Blue Cross

On February 4, 2015, Anthem, Inc. experienced a data breach where more than 37.5 million records were stolen by hackers. Anthem, Inc. is a US health insurance giant. In December of 2014, Anthem employees noticed suspicious database queries. At the end of January of 2015, investigators confirmed unauthorized data queries on the company’s servers. In total, almost 80 million Americans have had their personal information exposed to hackers. This information includes full names, addresses, SSNs, birthdays, etc. The truth about the Anthem hack is that they failed to encrypt their files. [5]

Advocate Health Care

In July of 2013, there was a burglary at an office of Advocate Medical Group in Illinois which involved the theft of four unencrypted desktop computers. This burglary may have exposed the information of about 4 million patients. [6] The information that may have been stolen on the Advocate computers includes names, addresses, dates of birth, SSNs, etc. While the Advocate computers were password protected, they were not encrypted.

Community Health Systems

In July of 2014, Community Health Systems confirmed its computer network was the target of an external criminal cyber-attack in April and June 2014. The data taken includes names, addresses, birthdates, SSNs, etc. The intruder was able to bypass the company’s security measures and successfully copy and transfer some data existing on the company’s systems. [7]

References

  1. Pierson, R. and Finkle, J. (2013, June 13). “FDA urges protection of medical devices from cyber threats.” Reuters. Retrieved June 18, 2013 from http://www.reuters.com
  2. Wadhwa, T. (2012, December 06). “Yes, You Can Hack A Pacemaker (And Other Medical Devices Too).” Forbes. Retrieved June 18, 2013 from http://www.forbes.com
  3. Alert (ICS-ALERT-13-164-01): Medical Devices Hard-Coded Passwords. (2013, June 13). In Industrial Control Systems Cyber Emergency Response Team. Retrieved June 18, 2013 from https://ics-cert.us-cert.gov
  4. FDA Safety Communication: Cybersecurity for Medical Devices and Hospital Networks. (2013, June 13). In U.S. Food and Drug Administration. Retrieved June 18, 2013 from http://www.fda.gov
  5. Article in "Infosec Institute", "InfoSec Institute"
  6. Advocate Medical Breach: No Encryption?, "Data Breach Today"
  7. Data Breach Notification, "Community Health Systems"