Managing the threats of cybercrime

Cases of cybercrime are growing every year, posing a threat not just in the private sphere and for banks or companies, but also for insurance companies, because criminals steal data and whole databases of private information. At this year’s HIMSS, Stephen Cobb, Senior Security Researcher at ESET North America, speaks about the growing risk and the need to manage such health IT security risks.

Report: Marcel Rasch

What threats are we facing?


“Companies and consumers need to know that there is a thriving global black market in personal information”, Cobb points out and specifies: “This includes everything from basic data like name and email address to data like the Social Security Number, date of birth, account passwords, and of course, medical records.” Criminals steal this data wherever they can. That includes trying to take these data from healthcare organizations that often have large databases of personal information. Criminals who steal personal information can sell it on the black market to other criminals who have figured out ways to monetize it. “They do this through a wide range of fraudulent schemes, many of which involve some sort of identity theft. The result can be anything from your income tax refund being delayed to someone getting medical services in your name”, Cobb states.

The risks are many and varied, but Stephen Cobb sees four main categories:

  • There are the risks that have monetary impact, like losing money to fraudulent bank transfers made using stolen credentials.
  • There are health risks if medical data is abused to obtain medications or procedures.
  • Then there are risks to the reputation of the organization from which the data was stolen, and
  • a societal risk that trust in technology will be eroded by criminal activity, undermining the great potential of digital technology to improve healthcare delivery.

How can we prevent those risks?


There are well-documented security practices that can greatly improve an organization’s resistance to attacks by cybercriminals. These start with data mapping and risk analysis in which all of the personal information handled by the organization is identified and the potential threats to that data are evaluated. “After documenting the risks an organization can plan how it will mitigate them through security measures”, the expert explains. “Low probability risks might be accepted while high impact risks might be transferred through cyber risk insurance.” A weak spot in this process is the underestimation of the level of certain risks, particularly new and emerging risks. For this reason a regular update of the risk analysis is indispensable.

Talking about all this, “it should be noted that, while there is a high level of interest in, and concern about, complex new security vulnerabilities, many security breaches come about because basic security measures were not correctly or not uniformly applied. More than one major breach has been announced as ‘a sophisticated nation state attack’, but later found to be much more mundane in origin and execution”, according to Stephen Cobb.

Who is responsible in a case of abused data?


There are often multiple parties and different levels of responsibility involved in the handling of data. A hospital may collect and store information about a patient, but send some of that data to a billing company which then shares it with an insurance company. “If criminals break into the hospital’s network and steal data from there the hospital is responsible, even if it has outsourced its data processing”, states Cobb. This is important when thinking about the risks of cloud computing. “However, the data processor may also be held responsible”, adds Cobb. If personal information or a medical record is stolen from an insurance company that is processing a claim, then that insurance company is responsible. This shows that data security is an important topic that involves every organization dealing with personal data. Cobb summarizes: “In other words, you cannot outsource responsibility.”

“I worry that the level of criminal activity targeting personal data will erode trust in digital technologies, although these have great potential to improve quality of life and living standards around the world”, Stephen Cobb fears. Now more than ever we need to manage the risks in an appropriate way as we move forward with new technologies.

Stephen Cobb has been researching computer security and data privacy for 25 years, advising companies, consumers, and government agencies on the protection of sensitive data and systems. Cobb has been a CISSP since 1996 and currently leads a San Diego-based research team for security software maker ESET. He is also working on an MSc. in Criminology at the University of Leicester in England.

