State-sponsored hackers may not be after money, but would also be interested in such data because they could then build a clearer picture of their target.
That, said Philip Lieberman of security software company Lieberman Software, would increase the chances of any targeted email attack, or spear phish, successfully obtaining confidential data.
Others said that, given the data affected included job histories, those targets might be in other government departments. “It’s likely this is less about money and more about gaining deeper access to other systems and agencies,” said Mark Bower of HP Security Voltage, a data security company.
This interest in more granular data is pushing hackers of all stripes into more inventive ways of penetrating the defenses of hospitals and other institutions holding such data.
TrapX, a cybersecurity company, said it had discovered criminal gangs from Russia and China infecting medical devices such as X-ray systems and blood gas analyzers to find their way into servers from which they stole personnel and patient data.
Other security researchers agreed this kind of attack was becoming more common.
Billy Rios, founder of security company Laconicly, said he had found infected systems while working with several healthcare organizations. “Clinical software is riddled with security vulnerabilities,” he said.
A survey issued last month by the Ponemon Institute, a think-tank, said that more than 90% of healthcare organizations surveyed had lost data, most of it to hackers.
“This is going to get worse before it gets better,” said Carl Wright, of TrapX, which discovered the breaches via medical devices.