At the Cleveland CHIME LEAD Forum, held on Monday, Apr. 18, at the Ritz-Carlton Hotel in downtown Cleveland, and cosponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) and the Institute for Health Technology Transformation (iHT2—a sister organization to Healthcare Informatics under the Vendome Group, LLC corporate umbrella), Bryan P. Smith, supervisory special agent in the Cleveland Division of the Federal Bureau of Investigation, told CIOs and other healthcare leaders that the FBI is intent on partnering with the leaders of patient care organizations, providing them the information and resources to combat cybercrime. “We are hoping to get engagement ahead of time,” he said, urging patient care organization leaders to reach out to the federal agency for support, before they experience cyberattacks. “When you call us and say this is what happened, we’re not going to shut your network down and take away all your servers. We’re looking to partner with you. The old vision of the bureau and what it did isn’t necessarily true anymore,” he added for emphasis. “This is participatory cooperation, not old-style investigation.”
Those comments came towards the end of his presentation; at its outset, Smith walked his audience of healthcare IT leaders through a quick overview of the FBI’s role and functions, and then an overview of cybercriminal activities in the current environment in the United States and abroad. He noted that, while the FBI’s mission is focused on criminality and security, the agency, with 36,000-plus employees and nearly 13,000 agents, has 64 offices in foreign embassies, because of the foreign-originating threats against U.S. domestic interests that have emerged in recent decades.
The FBI’s ongoing efforts to combat cybercrime arise out of the broader context of its key priorities, Smith noted. Those key priorities, as he outlined them for his audience, are: to protect the U.S. against terrorist attack; against foreign intelligence operations and espionage; and against cyber-based attacks and high-technology crimes; to combat public corruption at all levels; to protect civil rights; to combat transnational/national criminal organizations and enterprises; to combat major white-collar crime; and to combat significant violent crime.
To frame intellectually the emerging environment of cybercriminal attacks, Smith noted that the FBI was established in 1908 as an agency of the executive branch of the federal government to combat organized crime, spurred forward by changing patterns of criminal activity over a century ago. Fundamentally, he noted, the adoption of the automobile had changed the face of organized crime, as bank robbers, for example, were able to rob banks in one state and flee quickly to another state, even a distant state. The FBI was created in order to tackle that explosion in interstate crime. Fast-forwarding the scenario to the present time, Smith noted, cyber-criminality has quickly gone global in the past several years, with organized crime syndicates and even national governments participating in cyberattacks on U.S. businesses. One spectacular situation he discussed was the government of North Korea’s campaign of attacks against Sony Pictures last year after Sony had released a comedic film that had ridiculed North Korean dictator Kim Jong Eun. In that case, he noted, “Sony called the L.A. office of the FBI, and we were out there within an hour and a half. And there was a sense of trust, because we worked together before.” And though the North Korean regime had managed to wipe out “nearly all of Sony’s servers,” FBI agents and professionals were able to help the media company recover technologically and move forward.
When it comes to cyber activity, Smith told his audience, the FBI has classified cyber-threats into six categories: hacktivism, crime, insider, espionage, terrorism, and warfare. And when it comes to cybercrime itself, Smith noted a statistic that might surprise some, and that is the level of unawareness of organizations that are victimized by cybercrime. In fact, 63 percent of the time, he said, an organization victimized by cybercrime has been notified of an intrusion by an external entity, as opposed to individuals within that organization uncovering the intrusion themselves. The median length of time attackers have been present on a network before detection? A rather alarming 229 days, or seven months. The longest presence of an attacker on a network before detection? The agency has recorded a presence of 2,287 days, or seven years.
What are cybercriminals after? When it comes to the financial industry, Smith said, they are looking for credit and debit card information, banking information, home addresses, phone numbers, and PINs. When it comes to government data, they are looking for Social Security numbers, payroll and salary information, e-mail addresses, and work functions. And when it comes to healthcare, they’re looking for patient names, birthdates, blood types, health insurance policy numbers, billing information, and diagnosis codes. Disturbingly, he noted, cybercriminals are using valid credentials to infect information systems.
Payroll and expense spoofing is common now, Smith told his audience. A classic scenario, he said, is when the accounts payable department of an organization receives an e-mail that purports to be from the organization’s CEO, requesting that cash be wired for a travel expense. Another very common scenario these days is an e-mailed request, purportedly from a trusted source, asking for the W-2 records of the entire staff of a company.