At the Cleveland CHIME LEAD Forum, held on Monday, Apr. 18, at the Ritz-Carlton Hotel in downtown Cleveland, and cosponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) and the Institute for Health Technology Transformation (iHT2—a sister organization to Healthcare Informatics under the Vendome Group, LLC corporate umbrella), Bryan P. Smith, supervisory special agent in the Cleveland Division of the Federal Bureau of Investigation, told CIOs and other healthcare leaders that the FBI is intent on partnering with the leaders of patient care organizations, providing them the information and resources to combat cybercrime. “We are hoping to get engagement ahead of time,” he said, urging patient care organization leaders to reach out to the federal agency for support, before they experience cyberattacks. “When you call us and say this is what happened, we’re not going to shut your network down and take away all your servers. We’re looking to partner with you. The old vision of the bureau and what it did isn’t necessarily true anymore,” he added for emphasis. “This is participatory cooperation, not old-style investigation.”
Those comments came towards the end of his presentation; at its outset, Smith walked his audience of healthcare IT leaders through a quick overview of the FBI’s role and functions, and then an overview of cybercriminal activities in the current environment in the United States and abroad. He noted that, while the FBI’s mission is focused on criminality and security, the agency, with 36,000-plus employees and nearly 13,000 agents, has 64 offices in foreign embassies, because of the foreign-originating threats against U.S. domestic interests that have emerged in recent decades.
The FBI’s ongoing efforts to combat cybercrime arise out of the broader context of its key priorities, Smith noted. Those key priorities, as he outlined them for his audience, are: to protect the U.S. against terrorist attack; against foreign intelligence operations and espionage; and against cyber-based attacks and high-technology crimes; to combat public corruption at all levels; to protect civil rights; to combat transnational/national criminal organizations and enterprises; to combat major white-collar crime; and to combat significant violent crime.
To frame intellectually the emerging environment of cybercriminal attacks, Smith noted that the FBI was established in 1908 as an agency of the executive branch of the federal government to combat organized crime, spurred forward by changing patterns of criminal activity over a century ago. Fundamentally, he noted, the adoption of the automobile had changed the face of organized crime, as bank robbers, for example, were able to rob banks in one state and flee quickly to another state, even a distant state. The FBI was created in order to tackle that explosion in interstate crime. Fast-forwarding the scenario to the present time, Smith noted, cyber-criminality has quickly gone global in the past several years, with organized crime syndicates and even national governments participating in cyberattacks on U.S. businesses. One spectacular situation he discussed was the government of North Korea’s campaign of attacks against Sony Pictures in late 2014, after Sony had released a comedic film that had ridiculed North Korean dictator Kim Jong-un. In that case, he noted, “Sony called the L.A. office of the FBI, and we were out there within an hour and a half. And there was a sense of trust, because we worked together before.” And though the North Korean regime had managed to wipe out “nearly all of Sony’s servers,” FBI agents and professionals were able to help the media company recover technologically and move forward.
When it comes to cyber activity, Smith told his audience, the FBI has classified cyber-threats into six categories: hacktivism, crime, insider, espionage, terrorism, and warfare. And when it comes to cybercrime itself, Smith noted a statistic that might surprise some, and that is the level of unawareness of organizations that are victimized by cybercrime. In fact, 63 percent of the time, he said, an organization victimized by cybercrime has been notified of an intrusion by an external entity, as opposed to individuals within that organization uncovering the intrusion themselves. The median length of time attackers have been present on a network before detection? A rather alarming 229 days, or about seven and a half months. The longest presence of an attacker on a network before detection? The agency has recorded a presence of 2,287 days, or more than six years.
What are cybercriminals after? When it comes to the financial industry, Smith said, they are looking for credit and debit card information, banking information, home addresses, phone numbers, and PINs. When it comes to government data, they are looking for Social Security numbers, payroll and salary information, e-mail addresses, and work functions. And when it comes to healthcare, they’re looking for patient names, birthdates, blood types, health insurance policy numbers, billing information, and diagnosis codes. Disturbingly, he noted, cybercriminals are using valid credentials to infect information systems.
Payroll and expense spoofing is common now, Smith told his audience. A classic scenario, he said, is when the accounts payable department of an organization receives an e-mail that purports to be from the organization’s CEO, requesting that cash be wired for a travel expense. Another very common scenario these days is an e-mailed request, purportedly from a trusted source, asking for the W-2 records of the entire staff of a company.
When it comes to ransomware, Smith said, invasions typically occur when end-users in organizations receive an e-mail with an attachment that they are requested to open, or one directing them to click on a URL; the user who does so receives a pop-up message demanding payment via Bitcoin or MoneyPak, with the warning that failure to pay will result in the destruction of the private key needed to unlock the encrypted system. The very thing that makes it easy in principle to prevent a malware intrusion (an end-user declining to click when asked to click) is also, paradoxically, the thing that makes it difficult to prevent the success of malware intrusions, he noted, because, of course, the messages leading to infections are designed to deceive end-users.
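Both scenarios above, the spoofed CEO wire request or W-2 demand and the ransomware lure, arrive as ordinary e-mail and share a handful of header- and attachment-level tells that a mail gateway or SOC script can check before a user ever sees the message. The following Python script is an added example written for this article; it is not code from the FBI, from CHIME, or from any named organization. It runs a few triage heuristics over constructed sample messages: an executive's display name on an address outside the organization, a Reply-To that diverts replies to a different domain, a lookalike sender domain, payment or payroll keywords from an external sender, and attachments with executable or macro-enabled extensions. The organization domain `example-health.org`, the executive name `Jane Doe`, the keyword list and the sample messages are all assumptions made for the example.

```python
"""Phishing/BEC triage heuristics over raw e-mail headers and parts.

Added example, not from the original article. All samples below are
constructed for illustration; the org domain and executive name are assumed.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List

ORG_DOMAIN = "example-health.org"          # assumption: the defending organization
EXECUTIVE_NAMES = {"jane doe"}             # assumption: names worth impersonating
FINANCE_KEYWORDS = re.compile(
    r"\b(wire|wire transfer|w-?2s?|payroll|urgent|gift cards?)\b", re.I)
# Extensions commonly used by ransomware droppers (script, executable, macro docs).
RISKY_EXTENSIONS = (".js", ".jse", ".vbs", ".wsf", ".hta", ".scr", ".exe",
                    ".lnk", ".jar", ".docm", ".xlsm")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw: str) -> List[str]:
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings: List[str] = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)

    # 1. Display-name spoofing: an executive's name on an address outside the org.
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_domain != ORG_DOMAIN:
        findings.append(f"display-name spoof: '{from_name}' sent from {from_domain}")

    # 2. Reply-To pointing at a different domain than the visible sender.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"reply-to mismatch: {from_addr} -> {reply_addr}")

    # 3. Lookalike sender domain, within two edits of the real one.
    if from_domain and from_domain != ORG_DOMAIN and edit_distance(from_domain, ORG_DOMAIN) <= 2:
        findings.append(f"lookalike domain: {from_domain}")

    # 4. Payment/payroll language from an external sender (wire and W-2 lures).
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    if from_domain != ORG_DOMAIN and FINANCE_KEYWORDS.search(text):
        findings.append("external sender requests payment or payroll data")

    # 5. Attachments with extensions typical of ransomware droppers.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {filename}")
    return findings


# Constructed samples (not real messages).
SAMPLE_BEC_WIRE = """\
From: Jane Doe <jane.doe@freemail.example>
Reply-To: jane.doe.ceo@other.example
To: ap@example-health.org
Subject: Urgent: wire transfer for travel expense

Please wire $9,800 today for my conference travel. I am in meetings, do not call.
"""

SAMPLE_W2_LOOKALIKE = """\
From: HR Director <hr@examp1e-health.org>
To: payroll@example-health.org
Subject: W-2 copies for all staff

Send the W-2s for every employee as PDF by end of day.
"""

SAMPLE_DROPPER = """\
From: billing@notice.example
To: user@example-health.org
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.js"
Content-Disposition: attachment; filename="invoice.pdf.js"

dmFyIHg9MQ==
--b1--
"""

SAMPLE_INTERNAL = """\
From: Jane Doe <jane.doe@example-health.org>
To: ap@example-health.org
Subject: Wire instructions for approved vendor

Attached in the ticket; follow the normal two-person approval.
"""

if __name__ == "__main__":
    for label, sample in [("bec-wire", SAMPLE_BEC_WIRE), ("w2", SAMPLE_W2_LOOKALIKE),
                          ("dropper", SAMPLE_DROPPER), ("internal", SAMPLE_INTERNAL)]:
        print(label, triage(sample))
```

The internal sample is there deliberately: a wire-related subject from a genuine `@example-health.org` sender produces no finding, which is the point of tying the keyword check to the sender domain. In production the sender-domain check should be backed by SPF/DKIM/DMARC results rather than the bare From header, since the From address itself can be forged.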
So what happens when organizations have been victimized? “How do we address the cyberthreat? We obviously look at FBI information; and we have a lot of sources, and intelligence,” Smith told his audience. “But as we look at the cyberthreat issue, we need to bring in the functional expertise” within the agency “to address things,” he said. Significantly, he noted, “We have a healthcare squad that works with healthcare organizations like yours all the time.”
When asked by Healthcare Informatics about news reports that have referenced statements attributed to the FBI that have urged the leaders of healthcare organizations, and all organizations, not to pay ransom in ransomware situations, Smith said, “That’s right: we really discourage organizations from paying ransoms. Doing so only encourages the cybercriminals. After Hollywood Presbyterian [Medical Center in Los Angeles] paid that ransom,” he said, referring to the widely publicized attack earlier this year that shut down that hospital’s electronic health record, “a whole slew of new ransomware attacks took place very shortly afterwards.”
Smith repeatedly stressed the term “engagement.” “We’re asking for more engagement with the private sector,” he told the CHIME LEAD Forum audience on Monday. “We want a conversation with you, not just when an incident happens, but ahead of time. We want to be out there speaking to your steering committees and your boards. We’ve got special squads and units focusing on industries. That means that we can investigate a situation, and we can look at the log and say, oh, OK, we know that group. And very often, it helps organizations to figure out that something has happened in another location.”