Jack sits at a corner table in a busy fast-casual restaurant, surveying a dinner crowd that's mostly millennials, but also includes a sprinkling of other generations attracted by a familiar menu and free Wi-Fi.
As he watches fellow diners, Jack surfs online, and what he manages to discover just might surprise you. It should certainly worry you.
With a few keystrokes and within seconds, Jack pulls up a local healthcare organization's social media page that clearly features a smiling employee sitting at her desk.
She's wearing her work badge. Displaying her name. Showing her department. And - unwittingly - offering would-be cyber criminals access to her identity and opening a portal into her company's operations.
"Using any number of easily available software programs, I could make a duplicate of her employee badge and then walk into her organization and cause all kinds of trouble, if I was one of the bad guys," Jack says. "Fortunately for them, I'm not one of the bad guys. My job is to help companies reduce those kinds of risks."
The above-mentioned scenario is real, but because of privacy concerns and because Jack must maintain his anonymity in order to be effective, this publication will not divulge his real name or the name or location of the company he works for. Even the healthcare firms or locations he visits to do his job will not be revealed.
But Jack's real name - or the identity of his employer - isn't important. His work is.
With a growing frequency, the healthcare industry is falling prey to cyber security challenges and threats from hackers. A two-year study by Baltimore-based Independent Security Evaluators uncovered myriad security failures at a dozen healthcare facilities, some of which had underfunded security programs or inadequately trained staffers.
The cost is enormous. Bloomberg reports that cyber attacks against the nation's healthcare industry continue to escalate and cost $6 billion a year. Information Week reported (http://www.darkreading.com/attacks-breaches/major-cyberattacks-on-healthcare-grew-63--in-2016/d/d-id/1327779) that cyber attacks last year rose more than 60 percent over 2015. Added to the cost to patients whose information and identities were stolen, healthcare facilities face stiff HIPAA penalties for such breaches.
There are four categories used to classify HIPAA violations, with penalties ranging from minimum fines of $100 per violation up to $50,000 per violation (http://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/). The severity of the fines and the enforcement is determined by the U.S. Dept. of Health and Human Services' Office for Civil Rights (OCR). The office has become more aggressive in enforcing the regulations, and in 2016 the University of Mississippi Medical Center in Jackson agreed to pay $2.75 million because of a stolen laptop that contained information about approximately 10,000 patients. The organization also agreed to implement a corrective action plan to address the violations.
This is the kind of penalty that Jack works to help healthcare organizations avoid. His company contracts with specific facilities to conduct clandestine stress tests in order to determine security weaknesses and develop protocols to reduce risks.
While security breaches never can be completely eliminated, Jack says they can be drastically lowered by persistent planning and testing.
"Typically a client will engage us to try and infiltrate their facilities and access their records," Jack explains. "Even in this era of cyber awareness, it's amazing how many healthcare facilities don't realize the threats they face, or how vulnerable they are."
How does he do it? Back to the badge.
Recently, Jack's company was hired to test multiple medical and healthcare facilities in areas that included the Mid-South. Armed with a fake facility badge, Jack visited 20 different offices or departments associated with one large healthcare organization. Chatting with employees, making his way around the offices and department stations, Jack made his rounds and was stopped and asked to verify his credentials only three times.
"When one worker found out my badge was fake it freaked her out and she immediately contacted a supervisor to report it, which was absolutely the right thing to do," Jack remembers. "They got it right. Most of them don't."
One recent day on his security patrol, Jack flashed his unofficial credentials to gain entry to a local healthcare office where he told employees that he was onsite "to perform routine computer maintenance." No one questioned his identity and several offered Jack full use of their workspaces and computers.
At one desk, in full view of anyone who walked by, was a sheet of paper listing passwords for sensitive files and documents, which Jack copied and documented in his report. A couple of desks away, a worker left his computer on for Jack to "check out." Jack subsequently was able to access dozens of Electronic Health Records containing a wealth of patient data.
And at another workstation, hard copies of patient files were left out in the open, with each folder containing personal information such as medical histories, billing details and Social Security numbers.
"The key is to be vigilant about protecting records," Jack said. "Don't allow sensitive information to be available to people who shouldn't see it. Don't hand over your workspace to a complete stranger without verifying his or her identity and making sure that the person is actually supposed to be there."
Once patient information is breached, either by onsite stealing or through remote hacks, cybercriminals may use it to acquire prescription medications, apply for loans or conduct any number of illegal activities related to identity theft.
For Jack, that's the kind of motivation that keeps him going undercover to help bring security risks out into the open.
"Healthcare organizations are glad to work with us because every time we're able to breach their security systems we help them update their policies and train their people in ways to avoid the same thing in the future," said Jack. "I don't feel bad about exposing their weak spots. I'm glad to help them create stronger security measures to safeguard their patients."