Tuesday, October 27, 2020

From ransomware to blackmail: cybercrime takes a nasty, evil turn (Cybersecurity Awareness Month, Day 27)

Criminal abuse of digital technology hits new depths of depravity with blackmail of psychotherapy patients

We interrupt our regularly scheduled cybersecurity awareness blog post to bring you this deeply disturbing news:

One or more criminals are trying to blackmail psychotherapy patients after gaining access to their computerized medical records from therapy sessions.

This is not fake news. This is not an imaginary scenario. This is the state of play in cybercrime today: some truly evil person or persons threatening to leak stolen mental health records onto the Internet unless patients pay up. Some of the people whose records have been stolen are underaged.

I'm so angry about this I don't think I will have much more to say in today's article for Cybersecurity Awareness Month. I was going to publish something to raise awareness of the cybersecurity skills gap but am putting that off until tomorrow. 

Here's what is known publicly so far: this psychotherapy patient blackmail incident is still evolving. An early report from Politico provides the basic details. There are more details in this Security Magazine article, and SC Magazine is reporting that the CEO of the psychotherapy center that was breached has been fired.

Who should we blame? Criminals and governments

While firing the CEO of the organization that got breached may well be the right thing to do, the bulk of the blame for this heinous incident lies squarely on the shoulders of the person or persons who perpetrated it, and the government that failed to adequately deter this from happening to its citizens. 

I am not singling out the government of Finland, where this particular incident is centered; every country in which ransomware attackers are operating and thriving has to share this blame. This is a dereliction of a government's duty to protect the people who pay it to protect them. 

Just a few days ago I was trying to raise awareness of this in "What's different about health data security (Cybersecurity Awareness Month, Day 22)". There I flagged the very real possibility of suicide triggered by the revelation of medical information, made possible by weaknesses in computer security and human ethics. That was in the context of an incident that occurred 25 years ago. 

The risk of such a tragedy has not gone away. The amount of sensitive medical information stored in bits and bytes today is vastly greater than it was a quarter of a century ago. I know from personal experience that suicide can occur in the wake of sensitive personal information being revealed. Even the possibility of such a revelation can be enough to push someone to the edge.

Yesterday, I highlighted the question "What could possibly go wrong?" I did so in the context of cybersecurity folks asking that question to help surface potential problems with new technology. Clearly, there are cybercriminals out there who need to think long and hard about what could possibly go wrong when they execute a ransomware attack against a medical facility. 

It is hard to believe that this needs to be spelled out, but I'm going to: if the medical facility refuses to pay your ransomware demand, do not try to blackmail the patients whose records you have illegally accessed. People may die. And if that happens, the level of moral condemnation heaped upon you may well haunt you for the rest of your life. 
