Cyber Attacks—Why CEOs Should Care About Cybersecurity

The year 2015 saw an unprecedented increase in cyber attacks, with hackers hitting companies and government agencies month after month, with alarming results. It is estimated that 300 million records were leaked in 2015, and over $1 billion stolen. (Szoldra, Paul. (December 29, 2015) “The 9 Worst Cyber Attacks of 2015.” TECH Insider.) With cyber breaches of Ashley Madison, health insurer Anthem, Inc., JP Morgan Chase, and even the White House in 2014, there is no denying THIS is a serious problem! But what's worse than stolen identities, money and personal records is the threat these breaches now pose to lives, as two of the latest hack jobs were performed on hospital chains, forcing some patients to be moved to other hospitals for testing purposes.

In 2015, thousands of patients were exposed by a former employee at third-party medical biller Medical Management LLC. Excellus BlueCross BlueShield failed to discover a cyber-intrusion that exposed millions of patients until they hired an outside firm to conduct a forensic assessment of their IT systems almost two years later. In 2014, New York Presbyterian Hospital and Columbia University agreed to pay $4.8 million in fines after a software developer leaked PHI. Last summer, University of Pittsburgh Medical Center announced its fourth data breach in three years. Perhaps most alarming of all, last month a Hollywood hospital's computer network was held hostage by ransomware, depriving staff of access to medical records and test results and forcing the hospital to divert patients to other facilities. Faced with no other option, the hospital chose to pay the ransom. In our own audits, Grassi & Co. professionals have uncovered major flaws in the technical security of business associates in possession of the PHI of hundreds of thousands of patients.

Hackers will stop at nothing not only to collect money, but to collect more data for future cyber attacks. Most recently, Verizon Enterprise Solutions – a division of Verizon dedicated to helping large businesses handle data breaches – was hacked. The personal information of 1.5 million enterprise customers was stolen from Verizon's customer portal, and is now up for sale on the internet's black markets. Though the effects of this breach may not be immediately felt, it's likely that the true value of this breach will come in the form of future targeted spear phishing attacks. Executives with non-public email addresses may soon receive fraudulent emails that appear to be sent by their once-trusted cybersecurity consultancy, and stories of more breaches at more companies may follow. What we know for sure is that hackers search for points of entry to attack, and even cybersecurity companies are not immune from cyber crime.

Unfortunately, there is no universal solution. Each of these breaches had a different root cause, and we can be sure that hackers will only become more sophisticated and clever. Attack methods are diverse, but the risks are the same – lax or outdated tech security threatens your institution's reputation and people's identities. Fines, sanctions, lawsuits and, worst of all, inoperability of critical systems are all risks that must be considered.

Some prevention tips are as follows, but, again, nothing is foolproof:
  • Document IT security policies and keep them up-to-date.
  • Maintain workstations and keep servers up-to-date with security updates and antivirus.
  • Educate management and staff on the importance of IT security and best practices.
  • Monitor your IT infrastructure to make sure you can detect a breach if it happens.
  • Periodically review your cyber security performance – are your company's physical and technical controls actually functional? Is your IT consultant responsive?
  • Review the security of any consultant, vendor, remote worker, or client that has access to your company data or networks – hackers will always target the weakest link.
If there is a lesson to be learned, it's that there has never been a better time to perform an independent assessment of your institution's IT security controls, train your staff, and demand the same before you do business with anyone who would have access to your sensitive data.
For assistance with preventing cyber-attacks, contact Guido Gabriele of Grassi & Co. at