David Jones is the director of WestGate Cyber Security, an information security business specializing in helping businesses and public sector bodies understand and overcome emerging cyber security threats.
Mohammad Al-Ubaydli: Welcome to the Patients Know Best podcast. My name is Mohammad and today we are lucky to have David Jones on the call. David, can I ask you to introduce yourself and tell us about your background? I was fascinated the last time I talked to you.
David Jones: Yeah, sure. It's going to be an opportunity to talk to you, Mohammad. My name is David Jones, and I'm with a cyber security software consultancy called West Gate, and we do a bunch of things at West Gate. One is we develop product – some hardware and software in cyber. We also do a lot of relatively early stage research looking at cyber security. We've got a particular interest in the position of cyber security and cyber threat in the public services and in particular health. I guess it's a bit of a shared interest there with the good stuff you're doing at Patients Know Best.
Al-Ubaydli: Tell me about the increasing threat of cyber security. I was intrigued to hear you describe it last week.
David: Absolutely. Around about two years ago, there was a cyber security strategy put in place by the UK government. At the time that it was published it was relatively controversial in that, despite all the public sector cuts that were coming through, cyber security was one of the very few areas that was receiving increased funding. More than half a million pounds is being put in, 650 million, in fact, has been put into cyber by the government. And that is all the money coming through. That is a recognition from the government that cyber security is a threat to the UK on all kinds of levels, but it's a threat which they deem as being close to the threat that terrorism, the concerns of environmental change, and indeed nuclear can bring to the UK. At the very top level of government, cyber in all its perspectives is seen as being a significant threat. Now that's all very interesting, but from the layman's perspective, cyber is seen as attacking us almost on a daily basis. So it's rare that a week goes by without some story or other, some kind of problem where information is leaking out of organizations. Sometimes, that's through nefarious means where people want to steal what you've got. Sometimes, it's internal fraud – what we call in the industry insider threat; obviously, Snowden is the classic case of that recently. Sometimes, it's shared political motivations, so you get people who feel the need to deface websites and take action against an organization simply because of a political motive. So there's a whole range of reasons why cyber threat is becoming increasingly a danger that everyone needs to take seriously.
Al-Ubaydli: And just so we get an example of what the government is spending money on, so that we get an idea of what we should be spending money on as individual organizations: where was that 650 million going, roughly?
David: A lot of what the government wanted to do was to spend money making sure that systems in the UK, and in particular the businesses – small businesses – became much more aware and much more prepared in terms of their self-defenses. That was pretty much a lot of the motivation. However, as ever, it's difficult for government – it's difficult for the public to significantly change the behavior of the commercial world and indeed private citizens as well. A lot of the money put aside in the budget was put into two areas. One is the area of beefing up the critical national infrastructure of the UK. It might be difficult to believe that one of the major threats as a country against the cyber problem is attacks on the critical national infrastructure for things like water, traffic management, and things like the way energy is managed.
Al-Ubaydli: It's going on right now, is that right?
David: Yeah. Absolutely. Today. We can be pretty sure that as every day goes by, there are attacks happening, certainly for things like energy and critical water supply, and these are things happening allegedly by different sovereign states and not necessarily by people simply trying to screw up the way the traffic management is held in the UK. They could be simply trying to get into our systems because once you get into one system you can maybe get into another one. A lot of the money spent is to beef up the national infrastructure, and that was relatively easy money for government to spend because they had control over lots of those things.
The other area has been an injection of cash into universities for funding postgraduate degrees and for funding some undergraduate education as well. That's fine, but again that's a relatively easy way for government to pull a couple of levers, and it can deploy cash. What's been much harder for the government to do is to manage any kind of change for diverse citizens on a much broader organizational level. A lot of that is starting to happen now. There are a couple of campaigns that have kicked off quite recently through the Department for Business, Innovation and Skills that are increasing awareness, but it's a long haul. It's a hard job.
Al-Ubaydli: So if we look at the organizations, or now at the industry: how aware are healthcare institutions, or how is the industry performing, compared to other industries that are better aware of this?
David: That's a really good question. When I talk about these things, usually there's about half a dozen of these sectors that actually get it and understand the threat and are active in their defense about it. The people that get it are typically large companies – I mean the very largest – the large companies get it. Companies which are subjected to compliance authorities get it: FCA get it; FSA get it; mining companies get it; all gas companies get it; anyone else to do with British national infrastructure gets it – basically those five sectors of people get it. And the reason they do is because they've been under attack for so long or because the nature of the threat is such… and everybody else, and that includes health and other public services, really doesn't see the threat at all. Usually the reason they don't see it is that they don't appreciate the nature of the information they hold and they don't usually see that as being vulnerable.
Al-Ubaydli: I would have thought that all healthcare professionals and institutions have a duty to protect that data to protect their patients. You'd think they'd be very aware of the threats.
David: That's a very good point. The information governance within healthcare organizations, particularly the NHS and particularly the foundation trusts: they really understand the issue to do with the nature of privacy about a patient's record, and sometimes the degree of privacy which healthcare professionals can apply to patient records actually works to the detriment of the patient. We know well the difficulties the healthcare sector has in terms of sharing with organizations – with other important providers such as social care or local authorities. There is a view of privacy of information, but often that is an approach that is meant to protect the individual's information from one healthcare provider, perhaps even at the individual clinician level, onto another one. What healthcare doesn't tend to do is to appreciate the value of a nefarious or external threat to information. It's quite intriguing to look at the way the Information Commissioner across the UK has published information about data breaches, certainly over the last couple of years. If you look at the quarterly statistics the Information Commissioner publishes, over the final three quarters all of the growth in information breaches that they publish has been from the health sector in the UK. It isn't because the health sector happens to be growing rapidly from a low base. Health has always been the largest sector, but the nature of the breach has been growing at a scale that we haven't seen before.
Al-Ubaydli: This is not because they are better at spotting the breaches but because there are more of these breaches?
David: I think that there are more breaches that come along. I mean obviously one of the things that we are comfortable with in healthcare is being responsible about talking about safety issues, and we know how important it is to be very keen to record safety issues because we know it's the best way to improve quality and safety, but the nature of the information now, I think, is that we really aren't, in the healthcare world, being careful enough about managing our data from an external threat perspective. So, I think that's where the big risk is these days.
Al-Ubaydli: So if you're working with healthcare providers, how do you explain this to them and, more importantly, how do you teach them what they need to do differently?
David: Sure. I think to answer the first part of the question, you've got to get to the very root of the motives of the bad guys and what they are looking for. It's easy for anybody to understand that a credit card number is of value to somebody who works in the criminal world, and then it's easy to understand how information about someone's ID could be useful and that you could monetize that information. It's easy to see how potentially someone's Amazon password could be useful to someone working in the criminal fraternity because they can use that to perform a transaction.
Al-Ubaydli: Give me some numbers. I was interested in the pricing for these kinds of logins and credit card details.
David: Yeah. The number of credit cards which are available for sale on the black market these days is quite astonishing. We're used to having a retail and wholesale commercial world when we do our shopping these days, but there is a retail and wholesale commercial world on the black market through the internet as well. It's possible, were you to want to, to find websites on the internet where you can buy blocks of credit card numbers on a wholesale basis at typically anything between 50 cents and 2 dollars – usually 1 dollar is round about the going rate for a credit card number which you can genuinely use to perform a transaction. A lot of the way in which the money is laundered or commercialized forms into two groups – those that can be transacted on the internet online. And that's the area where banks are increasing the quality of the analysis and fraud that they undertake. We've all had situations where we want to buy things on the internet and the transaction has been bounced, and when we call up the credit card company they immediately say "Yeah, we realize that it probably was a legit transaction, but the reason we stopped it was because of x, y, z." There is slowly an improvement in the credit card and bank systems to monitor those.
The soft underbelly is the black market where you can take a credit card number, which you can buy with the three-digit code on the back, and it is possible to buy credit card making machines. So for 100 dollars or so, you can buy a machine and generate a white plastic blank credit card, and what people still do, particularly in the US, less in the UK because of chip and PIN, but in the US it is quite common for credit cards to be manufactured almost at home and for people to walk into shopping malls. Typically, the nature of the transaction is to buy a small but expensive item. Handbags are popular. Buy a couple of handbags at a couple of hundred dollars each, get home, get onto ebay.com, and transact those for maybe 350 dollars, and you can quickly make a very large profit doing 3-4 transactions on a single credit card. Now once you've done them you probably will throw the credit card away, but you probably paid only a dollar or so for that credit card in the first place. There's a whole world that goes on around the black market in terms of credit card data in particular, and the 1 dollar price is a symbol, if you like, of how much data there is and also how valuable those credit cards are going to be in terms of transaction.
The really interesting one is the value that is available for fully qualified medical records on the internet, because that's pretty much the most expensive set of data that you can buy on the internet these days. Some of the numbers that I've seen in my research are around about 50-60 dollars for a fully qualified medical record. So what you get here is really data stolen from typically an insurer that holds medical insurance, and what that allows you to do is, in the right circumstance, to effectively perform identity fraud where you can claim to be an individual that has got high quality medical insurance. The logic around the scenario here is that an individual who might want to undergo an elective procedure could take that data, claim to be the individual whose data they've stolen, and undergo that procedure all against their name and obviously billed against their account. That's one scenario in which medical data has got significant value in the US.
There's been a very recent case in the UK where there was a private sector organization undertaking cosmetic procedures, and the story that was reported, just a couple of weeks ago, showed that 490,000 of their records had been stolen and the allegation was that an extortion threat was made against that company. Basically the bad guys had broken into the systems of this cosmetic surgery company and stolen a very large number of records, which included patient identifiable data, so there were names, addresses, email addresses, and a description of the kind of procedure the individual was effectively undergoing. The threat in that case was extortion against the organization – straight blackmail. Now, those two scenarios are very different, but they give you an idea of the kind of threat that's going to be applicable these days.
Al-Ubaydli: With that background, what do you advise healthcare executives to be doing differently? How do they handle these risks?
David: That can become a really difficult one. Having been a non-executive on quite a large health trust before now, I'm very aware that such emerging issues are only felt to be dealt with when they are on the agenda of the board. I would try and really explain in this situation that this is something that actually has got to get to the board of the organization. One of the great things that the NHS in the UK at foundation trust level has got is a set of typically qualified non-executives. We're used to having challenge at board level; we're used to having non-executives talking about safety and risk issues, normally to do with quality of care, in the wake of Mid Staffs, in the wake of what Maidenhead and Kent had got on beforehand. The UK has got a bit of form in finding scenarios where there have been long standing issues of quality that maybe didn't undergo the scrutiny that they should have done.
We are at a stage, I think, where there should be at least a willingness of the boards to understand this. The way to really get this point across is to understand that the nature of the threats facing the health organizations these days is relatively well known. They are things like quality and safety, vulnerable areas of health performance, but so much of the risk is simply not well understood because health is one of those organizations where information itself is almost at the core of everything everybody does. Once you take away the critical issue about hands-on nursing care, everything to do with diagnosis and treatment and drug levels and testing is all information based. Once you appreciate the value of that data for what it is, then you can see how health and information, and therefore protecting that information, has got to be on the general boards.
Al-Ubaydli: Is there anything else that you’d like people to understand or think through about these issues?
David: When I talk to my colleagues in the information security world, we often talk about how… level where it should [be]. If you talk to people who know a bit, then they will all be very humble about their ability to do a great deal about this problem and [feel] very vulnerable about the threat. If you talk to people who don't know about it, they tend to be blasé. On the one hand, people involved in the industry are always talking about when the tsunami is going to happen. When is the one situation going to occur that will mean the citizens and organizations and businesses and the public sector sit up and take notice of how realistic the threat is? We know it's going to happen at some point: there will be a very large breach and it would be headline news and lots of finger pointing and it would become very political and everyone is going to say "why weren't we doing more about this before?" That's something almost what the industry wants, because that's going to be the Pearl Harbor moment – the wake-up moment. There's a reason why the banks are relatively relaxed when you ring them up and say "Hey! Someone just bought a couple of handbags on my credit card. I didn't buy them because I live in Newcastle and these were transacted in I don't know." The reason the banks are relaxed and will refund your money is that the banks need to maintain your confidence in the banking system and the whole method by which the credit card will work.
At the point when we do get the big breach, it's really important that we don't all panic and start queuing around the block to take our money out of banks. It's equally important, when the breach comes in the form of patient records, that we don't suddenly decide that we're not going to give any information in electronic form to our healthcare providers. That's the last thing we need to do. We all have to understand that we've got to treat security of information the same way we treat security of our house; in the same way you might take out dental insurance, you know something bad is going to happen, prepare for it and deal with it in a mature way. It's the maturing of the industry that we need to get over. Once we've done that, then we can move on, not as a single event but as a process which is risk managed, just like everything else actually in the health sector that is actually risk managed.
Al-Ubaydli: This is fascinating. Thank you so much for your time.