- September 6, 2022
- Health Care Podcasts, Patient Experience, Uncategorized
In this first of three articles, Healthcare Transformers sits with former FBI undercover operative and author of Gray Day: My Undercover Mission to Expose America’s First Cyber Spy, Eric O’Neill to discuss cybersecurity and data privacy in healthcare.
Top of mind for all healthcare executives is data privacy and security, particularly since COVID-19. The thought that the most intimate details of our health and personal lives could be stolen and sold to the highest bidder is terrifying.
We all need to be talking about cybersecurity because it impacts all of us. Eric shares his fascinating story of how he became a thought leader in cybersecurity and his unique insights as he talks to us about his experience in the data privacy and security space within the FBI and beyond.
Click here to watch Eric O’Neill’s full interview on FBI data privacy and security secrets revealed and what healthcare leaders can learn.
The origins of data privacy and cybersecurity
HT: You recently published your book entitled Gray Day: My Undercover Mission to Expose America’s First Cyber Spy. How would you describe your experiences working with the FBI and how has it helped you to develop your career into what it is today, being an expert on data privacy and cybersecurity?
Eric O’Neill: I worked undercover for the FBI for over five years as an undercover counterterrorism and counterintelligence operative mostly around the Washington, D.C. area. My squad protected everything from Baltimore, Maryland to Richmond, Virginia. We were tasked to follow and investigate foreign nationals or American citizens who were suspected of terrorism or espionage against the United States. The fundamental idea behind counterintelligence is “how do we catch spies?” More specifically, “how do we counter the intelligence goals of foreign intelligence units that are trying to steal information from the United States?”
At the very end of my career, I was recruited to an undercover investigation that had been put together in less than a month to catch the most damaging spy in U.S. history, a veteran FBI agent named Robert Philip Hanssen. Robert Hanssen had been an FBI agent for almost 25 years and was about to retire with his full pension. As it turns out, he was actually a top spy for the Soviet Union and then Russia for 22 of the 25 years he was an FBI agent.
At the very end of his career, a foreign source gave us information that pointed to Hanssen. To catch him red-handed, in 2000 we built a brand new division in FBI headquarters for the sole purpose of trapping him and called it the information assurance section, what we now call cybersecurity. We essentially took the most devastating spy in U.S. history, and put him in charge of building cybersecurity for the FBI to 1) prevent him from retiring and come back to take a job that he felt was truly within his bailiwick and 2) put him in the position to have access to information that he could steal and then hopefully attempt to share with the Russians to continue his espionage career. We could then catch him in the act of espionage.
Hanssen’s law: The spy is always in the worst possible place
Eric O’Neill: We had to catch him red-handed because we only had circumstantial evidence. Robert Hanssen wasn’t just the most damaging spy in U.S. history, he was also our first cyber spy. He was able to steal information from computer systems within the FBI and the entire intelligence community.
The FBI initially thought that the spy was in the CIA, that’s how good he was. For over two decades, he dropped some of the most egregious secrets to a foreign intelligence unit at the Soviet Union, later Russia, including nuclear weapons secrets, undercover operations, and the names of our spies in the Soviet Union who were flown back to Moscow and killed or imprisoned, undercover operatives whose covers were blown and so much more.
On the first day of my investigation, he told me words that I’ve never forgotten and were the beginning of everything that I have developed as a thought leader in cybersecurity. He said, “Eric, the spy is always in the worst possible place.”
Here we are in the middle of FBI cybersecurity, the worst possible place. Is he trying to tell me that he’s the spy? Is he challenging me? Is he just trying to throw me off? I didn’t know at that time, but I kept a poker face. I looked right back at him and I said, “What do you mean by that? I don’t remember learning that at the FBI Academy in Quantico.” He shook his head and said, “They don’t teach it there, they should. If they did, we’d be better at what we do. But here’s what you need to know, this law, what I call Hanssen’s law, the spy is always in the worst possible place, and if you want to be a talented counterintelligence agent, this is all you need to know.”
He explained, “The spy is that person that has access to critical information and the knowledge and wherewithal to get that information into the hands of those who will use it to do the most damage and pay that person the most money, and that is who we are hunting.” He was completely correct. The spy is always in the worst possible place.
Modern world cyber threats and cyberattackers
Eric O’Neill: In the modern world of cyberattacks, it could be an extortion attack, a ransomware attack, selling private data on the dark web, or posting private data online that can ultimately destroy your reputation. Hanssen was correct and I’ve taken what I learned from him and developed it into my theories in cybersecurity — there are no hackers, only spies, and many of them working together. To elevate our thinking, we need to understand that we’re not going after a single hacker in a basement wearing a black hoodie, and typing on a keyboard, and hitting one key and saying, “I’m in.” It’s never just one person.
The modern cyber attackers, spies, and criminals are sophisticated, well-funded groups, and they are targeting a single individual using traditional spy methods to fool that person into doing something that they otherwise would not do. It is why spear phishing, for example, is still the most prevalent cyber attack. Spear phishing is where you receive an email that looks like it’s from someone you trust, but it’s not. It’s from an attacker. Getting someone to click a link or open-ended attachment that they should know they shouldn’t do, but they do anyway.
When I say there are no hackers, there are only spies, what I’m saying is that hacking is nothing more than the necessary evolution of espionage. We have to hunt threats before they hunt us because the spies are coming after that data that is now the currency of our lives.
The natural evolution of espionage
HT: Do you feel hacking is a natural evolution of espionage because everything is now online, computer-based?
Eric O’Neill: Certainly. If you look at Hanssen’s law where the spy is always in the worst possible place, that made a lot of sense in the old Cloak & Dagger version of spy versus spy. The old method of sharing, transmitting, and collaborating, was on paper which went into files and then file cabinets. But now we’ve computerized. Everything is data and is collaborated and communicated from within computer systems. We’re highly networked. In the last year and a half of the pandemic, most of our collaboration has been done over computer systems with incredible bandwidth that allows us to communicate around the world at the speed of thought.
Hanssen’s old law, “The spy is in the worst possible place,” had to be updated. I took that old law and over years of thinking, and in writing my book Gray Day, I updated it into what I call O’Neill’s law –“Hacking is a necessary evolution of espionage. There are no hackers, there are only spies. We must hunt the threat before the threat hunts us, because the spy is always in the worst possible place.” If you apply that law to the discipline of cybersecurity, then you can catch those spies and elevate your thinking to pursuing attackers who are cyber attackers, cyber-spies, or cyber-terrorists, but aren’t hackers.
The hackers were all the people in the ’80s, who, like me, were interested in cybersecurity and how to breach cybersecurity as a way of making it stronger. They’re all working for cybersecurity companies right now. The modern cyber attackers are spies and criminals who are leveraging traditional espionage tactics in a modern environment.
How healthcare cyberattacks compare to other industries
HT: While we’ve seen cybersecurity cases in banking and other industries where personal data can be exploited and cause serious damages, why is cybersecurity especially critical in healthcare, and what types of data are most valuable to cybercriminals and why?
Eric O’Neill: Healthcare data is a holy grail for attackers because it has many of the same or similar personal identifiable information (PII) that financial and many other verticals hold. You provide your healthcare provider critical information and PII including insurance details, your given name, email address, and phone number. When you are going to a medical appointment, sometimes you have to provide a copy of your driver’s license. In some instances, insurance still uses your social security number and birth date for authentication.
The dark web has an online database of information that you can’t get to unless you know exactly where to go and you’re using a particular web browser to hunt there. There are criminals, law enforcement, and all sorts of people using this technology, but you can buy and sell virtually anything. The dark web is somewhat of a new pirate island, the criminal marketplace where medical records sell for anywhere from $1 to $1000 and are second only to passports in value. Medical web records are something that buys and sell very well on this evil marketplace and can be very lucrative.
This information can lead to everything from identity theft, or further information about a person to launch another breach. You can learn details about a person, their social security number, and their birth date, and then you can target that person in order to attack them or that person’s company.
Things to know as a healthcare provider
Eric O’Neill: Modern Cybercriminals often steal sensitive information and then extort companies. As a healthcare provider, that information could be stolen from your enterprise, and then the attacker can come back and say, “We’ve got this big database of your information and if you don’t pay us this money, we’re going to release it online, and it’s going to cause massive reputational damage.”
When you think about this in a different way, it’s easy to see how this information could be stolen and then used for identity theft or extortion, but medical data has also been used in a targeted way by spies.
You may remember in 2014, during the Sochi Winter Olympics, the Russians were embarrassed after a state-sponsored subversion of the drug testing process was discovered. For the next Olympics in 2018, Russia was told that it couldn’t fly their flag and its Olympic athletes had to independently compete. In retaliation, during the 2018 Olympics, seven officers of the Russian Main Intelligence Directorate (GRU), the military arm of Russia’s spy agency, cyber-attacked anti-doping organizations. The officers stole medical records of prominent international athletes, altered them to falsely show that the athletes had tested positive for illegal substances, and then fed those same medical reports through their fake social media accounts to credible social media sources, which eventually got to mainstream media.
In October 2018, the U.S. Department of Justice charged and indicted seven Russian GRU cyberspies.
Additional cyber-risks in healthcare
Eric O’Neill: Healthcare data can be used by spies to spread disinformation, a major issue that happened in 2018. To demonstrate the need to build better security against malware, researchers from Israel announced last year that they’d created a computer virus capable of adding tumors into CT and MRI scans that would misinform doctors who then would misdiagnose high-profile patients. If researchers and security companies can do this, the bad guys certainly can as well.
During COVID, hacking patients’ medical devices became very common as more patients turned to remote care. They’re not in the hospital where they’re better protected. Temporary and makeshift medical facilities that are being used to care for people that are infected with coronavirus have also created additional vulnerabilities for hackers to exploit.
Attackers also target the healthcare industry to steal records that are used to launch cyberattacks against other industries. Spear phishing is the number one vector for successful cyberattacks. You click on the link or attachment in the email which then loads the malware into your system and now the attacker has a way in. COVID-19 phishing exploded in 2020 and 2021.
The pandemic brings on heightened fear and pressure, meaning we need to be on higher alert
Eric O’Neill: During the pandemic, a large number of phishing scams falsely appeared to originate from organizations such as the World Health Organization (WHO), and the Centers for Disease Control (CDC). Phishing emails purportedly from these agencies might say, “Click here and register to get in line for your vaccine or for your antibody test,” or “Click here and register to get on a list to be one of the first to receive the vaccine for COVID-19 when it comes out.”
People who feared the virus were more likely to click on these false links. During pressure situations, the public is less likely to question the validity of an email prior to clicking a link or opening an attachment. People do things that they wouldn’t ordinarily do out of fear. In addition, already overburdened healthcare IT and cybersecurity teams have larger workloads to address these new threats. This increases the potential for successful cyber attacks.
Healthcare data is incredibly valuable, but the healthcare industry, especially during a medical pandemic, can be used to launch cyberattacks against other industries. Criminals are clever, and spies are even more so. In other words, the healthcare industry has been a major vector, not only of attack but using data mined about patients to attack others.
We haven’t even discussed ransomware yet!
Cyberattack statistics don’t lie
Eric O’Neill: One in four people click on email links or open attachments that they know they shouldn’t, no matter the training they get, or how careful they are. While most of these phishing attacks are garbage that you see constantly in your email or are filtered out through junk mail, many are incredibly clever. The best attackers and cyber criminals are learning from the spies who are masters at researching the individual they want to attack. Like I’ve said, there are no hackers, there are only spies.
Clever attackers will leverage information you’ve volunteered on social media, personal information they have learned about you, and issues that interest or worry you in order to send a targeted attack. TWhen you see the email, and it comes from a trusted source, or you believe it’s a trusted source, or it’s something you’re very interested in or worried about, there’s more pressure to click. The right thing to do is always just to delete the email and go directly to the source using your web browser and typing it in, not actually clicking those links or opening the attachments. I ignore emails unless I’m 100% positive I can trust the sender and contents of the email.
Especially in a pandemic, when we’re in a pressure situation, you could be encouraged to click a link or open an attachment that leads to a cyber attack. If statistically, one in four people are clicking on malicious emails, then it makes it much harder to stop, particularly when spies are getting into the mix and they’re sending targeted approaches that trick the best of us.
A hospital cyberattack in Texas
Eric O’Neill: There are many cases where employees like Hanssen went rogue. I keep a rogue’s gallery of spies, traitors, hackers, and cyberattackers, a number of which are from within the medical industry. In 2011 there was a case about a man named Jesse McGraw, also known as, GhostExodus, leader of the Electronik Tribulation Army.
He called himself a top cyberattacker and was caught by the FBI because he wasn’t particularly brilliant at this. While he was doing a YouTube video of himself installing the malware directly into a hospital computer, he showed off a collection of infiltration gear that he had put together such as lock-picks, a cell phone jammer, and fake FBI credentials. McGraw was able to install his malicious software on multiple computers, including a nurse’s station that had access to medical records that he could steal directly.
The video also showed a back door into the HVAC unit which could change the temperature in the storage facility for climate-controlled drugs and potentially harm patients.
It turned out that he was the night security guard at the Texas hospital that was compromised. What he was doing as a trusted insider was not just stealing from that hospital but using the hospital to launch cyberattacks against other organizations.
McGraw was caught before his hospital was compromised or used to launch attacks against other organizations. But had his narcissism not led to his arrest, the reputational damage to the hospital could have been catastrophic. You must be aware of that trusted insider, not just the external cyberattacks, but the ones that can come from within.
Trusted insiders often suffer from similar narcissism. They desire to demonstrate their brilliance to others, and McGraw couldn’t resist bragging in a YouTube video about how he did it. Of course, the FBI was able to use their own investigative techniques to find out who was posting and arrested him.
EN 
AR 
