There is an enormous disconnect between industry experts, reporters and users when discussing cybersecurity incidents and risks. This leaves a chasm of misunderstanding regarding the severity and scope of what is possible.
First Published 9th October 2019 | Latest Refresh 8th February 2022
To understand what we all really mean by "cybersecurity", a commonality of terms is required.
4 min read | Reflare Research Team
Technological advancements, and the risks that come with them
The health-tech sector is looking down the barrel of some significant healthcare innovations over the coming years. The application of recent technological advances in artificial intelligence, virtual care, and medical robotics will inevitably disrupt the industry as we currently know it, forcing participants to proactively embrace these technologies, reluctantly adopt the inevitable, or be left behind.
The technology already has companies excited. The number of 'artificial intelligence' mentions within healthcare, pharmaceutical and medical device company filings has increased by over 50% in the last three years. The wider rollout of 5G has enabled healthcare providers to invest further into augmented reality services and leverage stronger cloud processing power to deliver better in-the-field care.
However, like all industries that face a technological leap forward, the risks associated with progress aren’t always clearly understood. And given that we are talking about healthcare here, not addressing the risks correctly can produce dire consequences.
A well-funded industry full of ambitious companies, implementing brand new technologies they may not fully understand, conducting high-risk activities... is a hacker’s wet dream.
Hackers and Cybersecurity Providers - ASSEMBLE!
In recent times, we have seen biotechnology companies become an increasingly attractive target for attackers. Unsurprisingly, as this trend has involved, we have also seen cyber security become more of a ‘business critical topic’ for biotech executives as their companies become more and more digitized.
And the cyber security industry knows this. ResearchAndMarkets recently released their latest Healthcare Cybersecurity Market Forecast, where it stated that the US$7.2 billion market is expected to triple in size to US$21.5 billion over the next five years.
So, if you work in the health sector, expect to hear from more people like us (or not like us) sooner rather than later!
But rather than double-clicking into specific risks in health tech cybersecurity, we will use this briefing to highlight a common mistake leaders make when thinking about cyber security: The abstraction into absolute terms. As technology evolves, the question is becoming less “have I been hacked?” and more “to what degree have I been hacked?”.
Some nomenclature
Language is what we use to break down the complexity of our life into simplified chunks that we can easily communicate to others. “The sun will set at 6:30pm today” foregoes information about what location the speaker is in, the colour of the sky, the exact date of ‘today’ and thousands of other details that are not relevant to the conversation of two people. However, while that sentence is perfectly sufficient if the two people are discussing the level of daylight outside before going for a run in the evening, it would be completely insufficient for two astronomers to discuss planetary patterns.
In general, the more complex a topic is, the more detailed the language used to describe it becomes. And the last few years have seen the number of information security topics, that the average person is concerned with, explode. This in turn means that terms like “hacked”, “leaked” or “secure” are often no longer enough to adequately communicate the level of a cyber security incident.
“How much” matters
Let’s look at a hypothetical example. The most common metric in recent cyber incidents is “user data leaked” and it will serve us well to illustrate this point.
When a news article or press release states that a hack led to user data being leaked, there are a number of important qualifying questions you should seek answers to.
The first is what unity the leak is described in. When the number is given in “user records”, it usually at least roughly describes how many people were affected. If the number is given in gigabytes or terabytes however, use caution. While this number is technically correct (and a great metric for professionals performing forensics), it tells us relatively little about the impact of the breach. A compressed archive of credit card numbers, names and expiry dates sized one megabyte can contain hundreds of thousands of records which in turn would be a catastrophic leak despite the small file size. A leak of someone’s private collection of Hollywood movies on the other hand may consist of several terabytes of data but have no major security relevance.
Similar rules apply to user records. A leak of a million user names with no further information is likely meaningless. On most sites, user names are public anyway. A leak of usernames and passwords opens the door for password re-use attacks. A leak of usernames, passwords and email addresses puts a significant share of the affected users at significant risk. A leak of photo ID scans and social security numbers all but guarantees that the affected users will suffer significant consequences. What is leaked, matters.
“When” matters
One of the first and most popular websites used to track if a user has been affected by a basic (but all too common) password security breach is aptly named haveibeenpwned.com (‘pwned’ is hacking slang for ‘hacked’). The name illustrates how most people think of their online security. They have either been hacked or they have not. However, this distinction is becoming more and more meaningless. If you are an average citizen of any first-world country with average internet habits, the answer to “have I been hacked” will always almost be “yes”. It is overwhelmingly likely that at least one of the many accounts you are required to own with various businesses, social media sites or government services has at some point experienced a breach. Whether that breach has been made public or not and whether the breach was the fault of the site’s operator or yourself is beside the point.
The vast majority of users have been affected by a breach at least once. So a much better question would be “When was the last time I got breached, what information was breached and how much of that information is still accurate?” (Reflare concedes that this is a much less catchy question - we are an infosec company, not a marketing firm.)
If your passwords leaked 3 years ago but you have since changed them everywhere, then you are probably fine. If your social security number was leaked just yesterday, then you are most definitely not fine. The nuances matter.
Incidentally, if you are not aware of, when and how you were affected by past breaches, you are most likely not fine.
Use your critical eye
As information security continues to move from a niche subject discussed by industry experts within your company to a daily topic in all employees' lives, the internal language and culture must evolve to correctly convey the significance and impact of events.
Unfortunately, there is and likely always will be a disconnect between experts and reporters, techs and users when discussing breaches and risks. By reading what is reported or disclosed carefully, you can gain a much better understanding of how incidents may affect you. To stay abreast of the latest IT security trends and breaches, subscribe to our newsletter and check out our related research reports on the topic below.