BOSTON — Hackers are looking to affect financial markets more frequently by influencing healthcare stocks, according to Scott Borg, chief economist at the U.S. Cyber Consequences Unit, a think-tank focused on cybersecurity.
Borg, speaking at the Privacy and Security Forum in Boston Monday, admitted that his prediction is dire, but said ignoring it could be far worse for healthcare providers.
Here's how it works: Attackers could take a short sale position against a healthcare company's stock and then cause some kind of harm to the business, likely through a cyberattack, leading share prices to fall. So in addition to causing damage, the attackers make millions in profit.
Borg, who said he often looks at how cybercriminals make money through their attacks, said the ways attackers can affect patients is outright scary. In fact, Borg's group learned about these processes by first figuring out how to launch such an attack themselves.
[Roundup: Here's what happening at the Privacy & Security Forum right now]
"We figured out how to change IV bag recipes, to change all kinds of details of treatment, we figured out how to alter patient records so there was missing information," he said. "We figured out how to run this kind of attack for many months without any likelihood that it would be discovered. We could kill thousands of people and we could spread it around and they would only begin to notice this when the insurance people did their actuarial comparisons six months or a year after we started this."
Turning back to the money-making aspect of such an attack, Borg said the criminals could leak very small details of their attack to the public over time so that the damage to the healthcare company's financial standing is hurt over a longer period.
But while Borg said his group is only predicting this kind of attack, he said they have a solid track record of spotting trends, such as the growth of organized crime backing cyberattacks.
"It's hard to put any number of years before somebody sees these things," he said. "We need to start thinking about this now because after something is happening, figuring out how to do something about it then is going to be really costly."
To start, health systems need to take a look at not only the liabilities they have, but also the areas of their businesses that create the most value. Those are likely going to be the biggest targets.
For example, oncology departments are often highly prized in health systems. In addition to being an area that attracts patients from a larger geographic area, the economics of cancer care means it can be a highly profitable part of a health system's business. That means it would make more sense for a system to put resources into protecting that unit before others.
"The way to figure this all out is to think about how much value is created and what substitutes after a cyberattack," he said.
Twitter: @HenryPowderly
Contact the author: henry.powderly@himssmedia.com
The Privacy & Security Forum is happening in Boston, Dec. 5-7, 2016.
⇒ Privacy & Security Forum Boston: What to expect
⇒ How to beat back hackers and savvy cybercriminals? Delve into the dark web
⇒ A CISO, consultant, and infosec vendor nail down cybersecurity best practices
⇒ Gone' phishin': Mayo Clinic shares tips for fending off attacks
⇒ What's the fundamental problem with cybersecurity? Relying on the Internet
