How A White Hat Hacker Helped to Avoid a Healthcare Security Disaster
On December 29, 2016, Department of Defense subcontractor Potomac Healthcare was notified about the jeopardizing of more than 11 gigabytes of private data for healthcare workers employed by the U.S. military's Special Operations Command. The compromised files were discovered by white hat hacker, Chris Vickery, who uncovered a flaw in an unprotected remote synchronization service. Upon his discovery, Vickery notified Potomac Healthcare about the insecurity of its data, which contained information dating back to 1988, and included names, locations, Social Security numbers, salaries and assignment units for psychologists, nurses and other Special Operations Command workers, some of which had top secret clearances.
Vickery, white hat hacker, plays an important role in cyber security, acting as what could be described as an "ethical hacker." These experts use their skill set to assess and improve security systems by exposing vulnerabilities before ill-intentioned hackers, known as black hat hackers, can discover and exploit them. Organizations hire these white hats basically to have them hack into their systems, and consequently provide and implement the best practices to make these organizations less vulnerable to black hat hackers in the future.
After being alerted by Vickery, Potomac's unprotected data remained available for over an hour, as it appeared the data was made available by misconfigured data backups. Potomac Healthcare was fortunate no hostile entities were able to obtain the data, and upon learning of their system insecurities, the organization launched an internal review of their system. Upon review they concluded that no government information became compromised, promising to prioritize privacy and security.
While this vulnerable information was not ultimately hacked, a 2016 study conducted by the Ponemon Institute, found that half of healthcare data breaches are caused by criminal attacks and healthcare data is at the forefront of desired information sought by hackers.