Is Drone Skyjacking The New Hijacking?

Screen Shot 2015-06-23 at 6.23.41 PM

Right now most civilian drones are owned by hobbyists for recreational use, but many companies are exploring commercial uses. Drones have already been used for shooting nature documentaries and commercials, aerial surveys on remote properties, checking on crops for farmers and even delivering pizza. They have the potential to revolutionize many aspects of our daily lives. But drones haven’t escaped the notice of cyber criminals.

Why Are Hackers Targeting Drones?

Drones can carry small payloads, which often includes a camera for transmitting wireless video back to the operator. Cyber criminals might tap into the video signal and gain access to valuable surveillance information, or simply hijack the drone to steal it and its cargo or perform other illegal activities.

It seems certain that at some point drones will be required to carry identification information. When that happens, a cyber criminal might hijack a drone to avoid identification much like a street criminal would steal a car to perform a robbery.

Even with legal drones one of the biggest security concerns is their current lack of traceability. Here in the United States, a civilian drone entered the restricted area around the White House during the early morning hours of January 27th and crashed on the lawn. Officials had no way of identifying who it belonged to or what their intentions were. The crash turned out to be an accident and the operator turned himself in the next morning, but it was a wake-up call for security experts. Other operators aren’t so benign. In the United Kingdom police have already confirmed high-tech burglars are using drones to identify houses vulnerable to break-ins.

Why Are Drones Vulnerable to Hacking Attempts?

Unlike simple remote-controlled helicopters, drones have their own computing power. Think of them as flying smartphones without the screen. They have GPS capabilities and can fly along pre-programmed paths, or the operator can manually control them from afar using WiFi signals. If a drone loses control signals from the operator it can return to a designated location on its own.

On the same day the drone crashed on the White House lawn, a cyber security expert uncovered a flaw in Parrot® drones that allowed malware to kill their engines and make them fall from the sky. If the drone is high enough, the malware can restart the engines and take control of the drone.

This isn’t the first time Parrot drones have been used in a drone hack. Two years ago, a legal hacker released instructions on how to build a Parrot drone capable of tracking down other drones and hijacking them using wireless signals. Dubbed SkyJack, the hijacker drone monitors wireless signals and targets MAC addresses registered to Parrot drones. It can force the targeted drone to disconnect from the device controlling it and connect to the hijacker’s signal.

The problem is lack of stringent security measures built into drone operating systems. Many drone models have no security or rely entirely on weak WiFi security measures. As drones become more popular and widely used, drone manufacturers must take the threat of potential drone skyjackers more seriously.

About Us

Berkeley Varitronics Systems (BVS) designs and manufactures innovative, RF analysis and wireless threat detection tools for businesses, and government organizations to manage secure facilities and maintain wireless networks.

How Do You Set Up A “No Phone Zone”?

image description

Cell phones are a modern marvel, but they can also be a tremendous problem for any organization trying to enforce security or safeguard confidential information. The effects of contraband cell phones can be tremendous. Cell phones have been used to intimidate witnesses in criminal courtrooms, break prisoners out of jail and steal classified information.

The private sector isn’t immune to the risks of smuggled cell phones. Attendees use them to record concerts. Students use them to cheat on tests. They’re also unwelcome guests in call centers, secure facilities and confidential meetings. The infamous “47 percent” quote that may have cost Republican candidate Mitt Romney the 2012 Presidential election was secretly recorded on a cell phone at a private fundraiser where phones were prohibited.

Ineffective Detection Tools

The major challenge in keeping cell phones out is they are easily concealed inside clothing and handbags. The recent mobile trend is toward larger smartphones, but feature phones are still readily available and some models are smaller than a credit card. These old-school devices are primitive compared to modern smartphones, but they are capable of sending and receiving texts, recording audio and taking pictures and video.

Conventional metal detectors can find many phones, but walkthrough units are bulky and not portable. Handheld wands are portable, but their range is limited to a few inches so an operator must sweep the detector over the subject’s entire body. Both types will alert to other metal objects.

Most cell phone detectors rely on radio frequency signals to locate devices, but they are ineffective if the phone is powered off or has the wireless antenna disabled. Fortunately, there are tools available to specifically uncover hidden cellular devices, even if they’re not transmitting

Effective Detection Tools

The BVS SentryHound is a portable cell phone detection system that scans subjects as they walk between two posts. It’s very similar to the anti-theft scanners retailers use to prevent shoplifting, but instead of security tags it detects ferromagnetic compounds inside the phone. The posts have a single row of LED lights running their entire length. When the SentryHound finds a device, it sounds an audible alert and illuminates the section of lights closest to the phone. It can also trigger an external device such as a security camera or remote alarm.

The Manta Ray is a handheld cell phone detector that also detects ferromagnetic compounds. Operators can use it to scan handbags, luggage and small parcels without opening them. Buckles and studs will not trigger false alarms.

The SentryHound and Manta Ray are ideal for temporary and permanent “no phone zones.” They allow operators to scan subjects and their possessions quickly and effectively, without labor-intensive searches or compromising the subject’s privacy and dignity.

 

About Us

Berkeley Varitronics Systems (BVS) designs and manufactures innovative, RF analysis and wireless threat detection tools for businesses, and government organizations to manage secure facilities and maintain wireless networks.

LastPass Hacked And Why I Have Never Used It

lastpass

I have always felt the concept of LassPass as well as other password managers makes sense for users that would otherwise create simple ‘easy to remember’ passwords as opposed to long strong complex passwords with a password manager. Surely, having numerous passwords in the cloud encrypted is better than jotted down on a sticky note that resides under your keyboard, right? The reason I personally do not use password managers like LassPass is the distant fear of a major hack. What if my password manager gets hacked and a hacker gets my master password? This would be tantamount to giving a thief the keys to my front door when I am heading off to vacation.

It seems my fears, as well as many other security experts’ fears have come to fruition with the announcement that LastPass was a victim of a targeted attack in which user information was compromised. On Monday, June 15th, LastPass announced through a blog post that hackers had breached their databases and compromised email addresses and password reminders as well as encrypted master passwords. Apparently, they discovered the breach after detecting rather suspicious activity on their network.

What can hackers do with the compromised information?
Unfortunately, there is a percentage of LastPass users that will undoubtedly be the victim of targeted email phishing attacks as a result of this breach. Phishing is an effective, focused attack where the cyber thugs send victims emails with an embedded link that fools users into revealing more data. LastPass users have been informed by LastPass about this breach and they recommend that users update their LastPass master password. Cyber thieves have already keyed in on this and are no doubt, readying focused email phishing attacks that might have a message:  UPDATE your LastPass master password immediately. An unsuspecting LastPass user may click on the attachment and be redirected to a site that looks awfully close to LastPass but is just there to collect more information from naive users. They would be prompted to enter their old master password and then asked to create a new complex strong secure password. Now the cyber hackers have the master password without having to steal it or decrypt it. The unsuspecting users have hand-delivered this information directly to the hacker’s servers.
Even though they did not get all the encrypted individual passwords, the breach could also result in other compromises such as unlocking a user’s email account where you need the email address and password reminder allowing them to gain access to your email and a trove of other valuable private information.
If the hackers are truly advanced there is a chance, although unlikely, that they can hack the encryption to crack the master password. This is extremely difficult, but then again, who would have thought a security company that provides encrypted password protection would ever be hacked in the first place? To make matters worse, this is actually the second breach that LastPass has faced. Four years ago, LastPass also faced a targeted attack.
What can LastPass customers do?
I highly recommend to anyone reading this to change your LastPass master password. Do not use passwords based on any personal information such as your spouse, child, or pet’s name, birthday, address, etc. Also make sure your password is not anything that can be easily obtained from a search or pulled from social media. Your master password should be at least 15 alphanumeric characters and have a mix of numbers, symbols, with both upper and lower case characters. Keep in mind, 80% of ALL security breaches involve stolen and weak passwords.
It is important if you are accessing your LastPass account remotely or from another device to utilize multi-factor authentication. This is an added layer of security that requires a single one time password that is sent to your mobile phone as a text, for example.
At the end of the day we all live in a corrupt world where cyber thieves prey on the innocent. This breach will certainly be a wake up to many users. I personally use a little black book that is kept under lock and key in a locked safe, in a locked room, in a locked building that is monitored 24/7 with cameras/DVR’s and an alarm. I change my long & strong passwords every three months and am a bit paranoid. I was not always this paranoid until my company was hacked; credit card, debit card, checking account, twitter account, web site, etc. I decided to share my trial and errors in being a victim of repeated hacks and what practical steps people can take to protect themselves.
Look for my upcoming book entitled Hacked Again and in the meantime, subscribe to my 2 Minute Cyber Security Briefing video podcast on on iTunes or Youtube for the latest cybersecurity news and tips.

M2M Dead Ends And How To Avoid Them

dead-zone-cell-phone

If your M2M site is in a remote area on the edge of the coverage zone, the carrier selection and antenna placement can mean the difference between having good, reliable signal and having none.

A carrier’s coverage map can tell you whether service is available in the area and sometimes how fast the service is, but they are not a reliable indicator of whether signal is available at the site. Most coverage maps do not give specific information about where the towers are located.

Even if you know the location and carrier of the nearest tower, it doesn’t guarantee signal at your site. There are many factors that affect the tower’s coverage radius. The antennas placed on the tower are directional, and the range of the tower varies depending on the cellular technology. Even the number of devices using the tower can affect the service on the edge of the tower’s coverage radius.

The topography of the landscape can also affect signal strength. Physical obstructions such as hills and trees can also block the signal. If the surrounding terrain is hilly, the maximum range of the tower could be as short as a few miles. Towers have a small “dead zone” around them, and the dead zone grows in proportion to the tower’s elevation. Carriers prefer to place towers on high ground to maximize their range, but if the tower is situated on a large hill and your site is located directly at the foot it may fall into the dead zone.

There are also temporary conditions that can affect whether your site has service. Towers have a limited number of available connections, and the more devices that are connected the smaller the maximum coverage radius gets. If a large number of devices are connected at the same time, the tower will start to refuse new connections until an open channel is available. This is a serious issue in rural areas where the carrier only has one tower covering the site. Weather can also affect the signal strength. Rain and strong winds cause interference that can put your site out of communication range.

Once you have determined which carriers in the area provide service, you must measure the available signal at your site and choose the best location to place the antenna. BVS manufactures tools that can help you determine the optimal carrier and location for your M2M installation, minimizing deployment time and helping you avoid costly mistakes. Contact us today for information on our Squid-PRO M2M Installation Tool.

About BVS:

Berkeley Varitronics Systems (BVS) designs and manufactures innovative, RF analysis and wireless threat detection tools for businesses, and government organizations to manage secure facilities and maintain wireless networks.

Global Governments Attempt to Peel The Onion Router

The Dark Web 07g

Tor has been embraced by lawful and unlawful users alike. It helps those who value their online privacy and dissidents who live in countries with oppressive governments, but it also provides ways for cyber criminals, terrorists and other bad guys to avoid identification. This has made breaking Tor’s anonymity a top priority for government agencies both at home and abroad.

What is Tor?

Short for The Onion Router, Tor is a network of donated servers run by volunteers around the globe. Tor works by routing traffic through a random network of computers called relays. For example, say you are located here in Maryland and want to access a web page on a server in Australia. Under normal circumstances, you type in the URL and the packets take a more-or-less direct route from your computer to the Australian server and back.

With Tor, the packets may bounce from relay to relay anywhere in the world, and at each at each step the traffic is encrypted. Each relay only knows where the packet came from and where it is going next. No single computer in the chain knows the entire route. This is what makes Tor users so difficult to identify.

In the United States:

The United States government seems to be of two minds about Tor. On one hand, Tor is a brainchild of the U.S. military. It was created to protect whistleblowers and journalists operating in restricted areas from repartitions, and in 2012, over half of the Tor Project’s revenue came from government grants.

On the other hand, the National Security Agency (NSA) has been working to unmask Tor’s users. The classified documents released by Edward Snowden in 2013 revealed the NSA has had success in separating Tor traffic from regular Internet traffic. This is due to their ability to monitor huge chunks of Internet traffic through connections to the large telecommunications companies that provide Internet access to most of the country’s population.

They have been less successful in separating one Tor user from another. Their best success has come from not from the Tor package, but from the browser it comes from. The default Tor package uses the Firefox browser, which has some vulnerabilities. Most of these vulnerabilities come from plugins like Javascript and Adobe Flash.

Most governments cannot use the NSA’s technique for separating Tor traffic from normal traffic because they lack the close ties to telecom companies or the ability to monitor large swaths of Internet activity in real time.

In Russia:

Last year the Russian Ministry of the Interior ran a contest for Russian nationals and companies with a goal of finding a workable method of de-anonymizing Tor’s users. The grand prize? A contract worth a cool 4 million rubles, equivalent to $111,000 USD. News reports indicate the contract was awarded, but the Russian government did not name the winner.

In China:

While the Chinese government has been silent on what efforts they are taking to unmask Tor users, it is known they have taken the approach of blocking access to the Tor software and public relays. The “Great Firewall of China” is capable of deep packet inspection and can identify and block non-public relays based on specific protocols unique to Tor. It is possible for Tor users in China to get around these blocks using different techniques.

What’s in Tor’s Future?

The Tor Project has a core of a small number of employees, but uses a network of volunteers and crowdsourced labor to patch vulnerabilities and keep its users anonymous. When the annual Black Hat security conference announced a panel on how to de-anonymize Tor users, the team went to work on closing the loophole before the conference even took place. It seems that for now, Tor will remain a useful tool for those who wish to keep their online activities secret, for better or worse.

About The Author:

Scott N. Schober is a Cyber Security Expert and the President and CEO of Berkeley Varitronics Systems, Inc., a 40-year-old provider of advanced wireless RF test and security solutions. Scott has overseen the development of numerous cell phone detection tools used to enforce a ‘no cell phone policy’ in correctional, law enforcement, corporate, university, military and secured government facilities.

What Every Commercial Operator Needs To Know About Distracted Driving

distracted_driving_trucks

In the midst of Distracted Driving Awareness Month, it’s easy to overlook the many commercial drivers and operators that we travel amongst everyday. Distracted driving isn’t just about teens using their smartphones while driving. It affects all of us and involves any person operating a moving vehicle whether they are a private citizen or a commercial driver.

The Federal Motor Carrier Safety Administration prohibits commercial drivers from using a cell phone while driving, and most states either prohibit all drivers from talking on the phone or require them to use hands-free devices. Many companies that employ commercial drivers also have policies against cell phone use. In spite of all this, the sad reality is some drivers still engage in distracted driving behaviors. Even though commercial drivers are trained and licensed professionals, they’re still human and feel the same temptations.

The risk is increased when commercial vehicles are involved because many commercial vehicle types have long braking distances and are difficult to maneuver in an emergency situation. Large vehicles like semis and busses can do a lot of damage even in low-speed crashes. And even though passenger and freight trains are on rails, speed around curves, track switches and vehicle/pedestrian railway crossings are critical areas that must be constantly monitored. If a commercial driver or operator causes an accident, in addition to possible loss of life and injury it leaves their employer open to fines and expensive litigation.

Types of Distractions

A 2009 study of commercial truck drivers found drivers who engaged in texting while driving were more than 23 times more likely to be involved in a close call or wreck. Texting or using a smartphone while driving is one of the most dangerous things a driver can do behind the wheel because it causes three types of distractions:

Cognitive distractions are caused by thoughts and feelings. They include things like memories, emotions and conversations with passengers.

Manual distractions are when the driver takes one or both hands off the wheel to perform a task not directly related to driving. This includes tasks such as eating and drinking, adjusting the radio or mirrors and manipulating a phone, GPS or dispatch device.

Visual distractions are caused by objects or events that cause the driver to look away from the forward roadway. Billboards, accident scenes, street signs and people or animals on the side of the road can all be visual distractions.

Technology Helps Commercial Fleet Owners Fight Distracted Driving

Companies that employ commercial drivers need to take steps to eliminate distracted driving, both for the safety of the public and to protect their drivers and the bottom line. The problem is many commercial drivers ride alone so the chance of detection is small. Unless a co-worker or member of the public catches a distracted driver in the act and makes a report, few companies are aware they have a problem until the driver causes a wreck.

Even if the company uses a dash cam, drivers can block the camera’s view while they text away. Last year a trucker on an Arizona highway was using his wallet to block his dash cam while he used his smartphone and struck a parked police car, killing the officer inside.

BVS is committed to helping commercial fleet owners solve this serious safety issue by manufacturing devices like TransitHound™ that monitor cell phone use of train, bus or fleet operators behind the wheel. Contact me today for information on how your company can increase safety and lower fleet costs by reducing distracted driving.

About our company:

Berkeley Varitronics Systems (BVS) designs and manufactures innovative, RF analysis and wireless threat detection tools, for businesses, and government professionals to manage secure facilities and maintain wireless networks. BVS provides engineering, prototyping, just-in-time production runs, quality testing, software, tech support, and training plus our guarantee that products perform as specified.

The Grass Is Always Greener On The Wireless Side

sprinkler

The sun shines bright as it rises in the distant horizon shimmering across the lake of a magnificent golf course. You pull the sock off your favorite Big Bertha driver excitedly as you meander to the tee box for your first shot of the day. Time stops for a brief moment and you are in disbelief that you finally are able to spend a quiet day playing 18 holes. The deep green relaxes you as your club launches your Titleist 375 yards – just a foot from the pin. As you gleefully walk towards your ball, you notice the perfectly manicured grass and wonder how do they keep it so green?

There is one secret to green grass, water and lots of it. The average golf course thirsts for 35 million gallons of water a year. To effectively get this water evenly spread over the 18 holes requires a network upwards of 1,500 sprinklers spaced 70-80 feet apart. The average course runs sprinklers up to 8 hours a day, everyday. To effectively control a massive system such as this takes advanced technology.

When golf courses are designed, the irrigation system is carefully engineered to keep the grass green, minimize water usage and do all this while remaining hidden to anyone on the course. Irrigation companies use numerous sensors monitoring temperature, humidity, and moisture within the turf to properly irrigate the golf course and keep it green. Sprinkler heads are typically controlled through a 450 MHz wireless paging system allowing the 1,500 sprinkler heads to be remotely controlled automatically. The wireless sensors have technical range limitations as well as FCC transmission guidelines to comply with. To effectively install and maintain an advanced wireless irrigation system requires an equally advanced tool that can measure the signal strength. Engineers and installers need to measure how well the RF (Radio Frequency) signals propagate within the confines of a given course to maintain adequate signal coverage.

When designing a wireless network there is even a need to factor in wireless obstructions such as leaf foliage; the leaves on trees hold a tremendous amount of water which attenuates an RF signal’s propagation characteristics. There is also a need to verify that there are no other nearby interfering RF signals within the same band.

Irrigation companies turn to BVS for their Mongoose™ signal strength meter to tackle their wireless challenges. The Mongoose unit is a handheld and ruggedized calibrated field instrument that instantly measures the 450-470 MHz band aiding in installation and maintenance of the wireless network.

Next time you are driving down the fairway or putting for birdie, stop for a moment and enjoy your day away from reality. Know that high-tech solutions are always working behind the scenes to ensure the grass stays green.

Berkeley Varitronics Systems (BVS) designs and manufactures innovative, RF analysis and wireless threat detection tools, for businesses, and government professionals to manage secure facilities and maintain wireless networks.  BVS provides engineering, prototyping, just-in-time production runs, quality testing, software, tech support, and training plus our guarantee that products perform as specified.

Teens & Smartphones Part of Bigger Distracted Driving Problem

distracted_driving

Distracted driving has become a major problem on America’s roadways. According to the National Highway Transportation Safety Administration (NHTSA) in 2013, 3,154 people were killed and 424,000 were injured in crashes caused by distracted driving. The NHTSA estimates during daylight hours over 660,000 vehicles are being driven by someone using a cell phone at any given moment.

Drivers on cell phones are what almost everyone thinks of when talking about distracted driving, but distracted driving is caused by a wide variety of behaviors. Performing tasks such as grooming, fiddling with the radio or navigation system, talking to passengers and eating or drinking behind the wheel can also cause fatal distractions.

Teenage drivers are most at risk. Researchers at the University of Iowa examined dashcam video of 1,691 crashes with drivers aged 16 to 19 and found 58% were either inattentive or involved in a non-driving-related activity when the crash occurred. Drivers who were using cell phones spent an average of 4.1 seconds out of the final 6 seconds before the crash looking away from the road. They also failed to react before impact more than half of the time.

The Multitasking Myth

Many drivers think they can multitask without affecting their driving performance. In reality, the human brain is terrible at dealing with more than one thinking task at a time. Instead of processing everything simultaneously, it switches back and forth between tasks. Every time the brain switches focus, there is a recovery period where it is not functioning at optimal levels. While there hasn’t been much research focusing on multitasking drivers, studies focusing on workers have found multitasking increases mistakes, lengthens learning time, impairs retention and lowers productivity.

Studies have found drivers using cell phones actually have slower reaction times than drunk drivers with a .08 blood alcohol level. When their brain is concentrating on a task other than driving, drivers can easily miss cues they would have noticed if they were focused on driving. Many at-fault drivers who survived distracted driving accidents say they never saw the vehicles or pedestrians they hit.

Smartphone Apps Provide Safe Driving Solutions

Smartphones catch a lot of the blame for distracted driving, but they can actually help put the brakes on it as well. All modern smartphones allow the user to turn off texts and notifications by turning on flight mode, and most feature a special driving mode with oversized icons and simplified menus. There are even apps that disable calls, texts and notifications automatically when the car is moving. These apps calculate the vehicle’s speed using GPS data. Some even send alerts to parents when the vehicle exceeds the speed limit or engages in risky behavior like hard braking. These apps vary by smartphone platform, so check your device’s app store for specific apps.

Distracted driving deaths and injuries have been falling on average over the last few years thanks to legislation and education efforts, but there is still a long way to go. So far we’ve only looked at distracted driving by the general public. Next week we’ll look at commercial drivers.

Sources:

https://www.aaafoundation.org/sites/default/files/2015TeenCrashCausationFS_0.pdf

About the author:

Scott Schober is a cyber security expert and CEO of Berkeley Varitronics Systems which designs and manufactures innovative, RF analysis and wireless threat detection tools, for businesses, and government organizations to manage secure facilities and maintain wireless networks.

Teachers Have New Enemy In War On Cheating

cheating_students_social_media

Back in the days before the Internet, ethically-challenged students could make a quick buck by selling copied test questions to other students who still needed to take the test. Now students are trading copied tests on the Internet using social media instead of in the hallways.

In the old days, most tests were not standardized so students in one district might take a totally different test than students just a few miles away. The few standardized tests such as the ACT and SAT were given to almost all students within just a few days.

Tests are copyrighted material, and testing companies monitor social media services like Facebook and Twitter using automated software. The software scans user comments, looking for keywords or trigger phrases. Scanning social media for advanced tests such as college admittance and professional licensing exams has been going on for a long time, but social media monitoring for K-12 tests is fairly new.

Adoption of Common Core standards has led to an increase in the number of standardized tests, and changes to the school schedule in some areas has lengthened the testing window significantly. Students in one state might be taking the same test as students in a different state with as much as a month between them. If a student who took the test early shares information about the contents and material it covers, students who take the test later have an unfair advantage.

Test Security and Privacy Concerns

Last month the test publishing company Pearson came under fire for deleting a New Jersey student’s tweet regarding a question on a Common Core test. Pearson also informed the New Jersey Department of Education (DOE), which then contacted the superintendent asking school staff to discipline the student. Parents and Common Core critics blasted the test publisher and the New Jersey DOE, accusing them of spying on students and invading their privacy.

Originally an unnamed state DOE employee indicated the deleted tweet included a link to a picture of the test, but that wasn’t the case. The student’s message did not compromise the test contents.

Pearson issued a statement defending their actions, though they did change their policies regarding matching online accounts to students. Pearson had been matching the names to school rosters, now they are giving the names to the state DOE.

Smartphones, Social Media and Test Security

Even though a cell phone was not involved in this particular incident, they do pose a significant threat to testing integrity. Students use them to cheat by looking up answers, and most smartphones come with social media apps built right in. A few snaps with a smartphone camera can compromise the entire test. Berkeley Varitronics Systems offers tools educators can use to detect and locate cell phones being used in the classroom or before they even get that far. Contact us for more information about maintaining the integrity of your testing environment.

About Us

Berkeley Varitronics Systems (BVS) designs and manufactures innovative, RF analysis and wireless threat detection tools for businesses, government and educational organizations to manage secure facilities and maintain wireless networks.

Why Healthcare Hacking Has Become Big Business

healthcare_hacker

As banks and large retailers have taken steps to harden their networks, hackers have turned their attention to healthcare providers. Just recently, Premera announced a breach that took place last year may have exposed the personal and financial data of approximately 11 million customers. Last month, the nation’s second largest health insurance company reported the information of approximately 80 million people was exposed to hackers in a breach discovered on January 29th.

There are several reasons hackers have focused their attention on healthcare companies, even though companies in the industry don’t usually handle financial transactions.

Healthcare companies keep patients’ personal and financial data. Many patients use online payment options, which means their records may have information such as bank accounts and debit/credit card numbers. Even without financial data, criminals can use personal data to commit crimes such as identity theft and insurance fraud. They can also use email addresses to target patients for phishing scams. While email addresses are easy to change, other information such as names, birth dates, physical addresses and social security numbers are much more problematic if compromised.

Healthcare companies keep and share patient records. As part of the Affordable Care Act, healthcare providers are required to maintain their records electronically and share the data with other healthcare providers. This means if a patient must visit a doctor while on a trip or sees a specialist at another facility, the new doctor can access their records and information. This is important because patients can’t always tell the new provider important details like life-threatening allergies to medications.

Sharing information has real benefits for providers and patients, but it also increases risk of exposure. Because healthcare providers share data, if a criminal uses a patient’s data to obtain prescription drugs, the false prescriptions could become a part of the patient’s record and affect a doctor’s medical decisions in the future. For example, some drugs are incompatible. If a false record shows a patient is taking a drug that is not compatible with the preferred medication, a doctor may be forced to choose a less effective alternative medication.

Healthcare companies are a soft target. Companies in the healthcare industry are more focused on regulatory compliance than security. In the wake of the ACA many small software companies sprang up offering patient record and database software. Some healthcare companies developed their own software, but many opted to purchase off-the-shelf products from these companies. Many have gone out of business or been absorbed into other software companies, leaving the healthcare provider without security updates.

Even when security problems are known and updates are available, they often go for long periods without being patched. WhiteHat Security recently revealed only 24% of known security flaws in the healthcare industry are patched at any given time. Even more troubling, the average length of time for a healthcare site to fix security problems is a whopping 158 days.

Healthcare companies must take steps to harden their networks against hackers. Security breaches can have long-lasting effects on a patient’s financial and physical health.

Learn more about healthcare and other hacking targets. Subscribe to our weekly video 2 Minute Cyber Security Briefing Podcast on iTunes or Youtube. Visit www.CyberSecurityDictionary.com for more terms and definitions.