Information Technology and Ethics/Who commits cyber crimes?

Cyber criminals and lawsEdit

There are criminals who commit cyber crimes for different reasons. Some of them steal from companies and private citizens for financial gain, while others steal secrets from not only companies, but governments and private citizens [sic]. Some of the perpetrators aim to disrupt the infrastructure of the government or company. The annual cost of computer crime in the US alone is $2 billion and rising. Hackers test the limits of information systems for the challenge of doing so. Some believe that hackers perform a service by exposing security risks. "Crackers" break into networks and systems to deface websites, crash computers and networks, spread harmful programs and/or hateful messages.

Malicious insiders are employees or officers of a business, institution, or agency that carry out activities intended to cause harm to the organization. Malicious insiders not always employees, they can be consultants and contractors. It is difficult to detect and/or stop malicious insiders. They are authorized to access the systems they abuse. Most systems are vulnerable to these malicious actors because they were designed to keep intruders out. Insiders know how the systems work and how to circumvent them. The organization may be able to take steps to reduce these attacks. Industrial spies steal trade secrets to gain competitive advantage. Hacktivists and cyber-terrorists attack systems in order to promote their ideologies and intimidate governments in order to achieve their goals.

The Homeland Security Act of 2002 included provisions for the Cyber Security Enhancement Act which demanded life sentences for hackers that recklessly endanger lives. It allows for net surveillance to gather personal and private data without a court order. ISPs can turnover users’ records to law enforcement. The computer Fraud and Abuse Act of 1984, 1987 and 1994 carries penalties that include fines and/or imprisonment, when you cover acts of fraudulent trespass, intentional destructive trespass, and reckless destructive trespass.

Cyber crime and the Healthcare systemEdit

In today’s “high-tech” world, both wireless and software-controlled technologies are commonplace throughout the medical world. From the bustling cities of Washington D.C. and Chicago, Illinois to the various small town “one-stoplight” places around this country, the advancement in medical technology has in some way shape or fashion affected all of us in many different ways. Even the normal “checkup” visit to the doctor brings us face-to-face with some form of software-controlled devices such as “surgical and anesthesia devices, ventilators, drug infusion pumps, patient monitors and external defibrillators” [1]. Most devices used in hospitals today are controlled via software and are either connected to the Internet via a hospital Intranet or have the capability to be connected via wireless technology.

And that is where one of the many problems arises——on the Internet. Most, if not everything, can be found, viewed, used, and exploited as long as it is connected to the Internet. Yes, even “high-tech” medical equipment. As long as there is something of value out there in cyberspace, there will always be someone who tries to “hack” it, manipulate it or take it. Whether that is for the good of mankind or the selfishness of one, people will always try to use the internet to their advantage. Coincidentally, there are even people at in society who will try and harm others via cyberspace. Either physically or digitally or in any combination of the two, there are people in today’s world who want to do others harm for whatever reasoning that they can create or even feel the need to follow.

The healthcare industry is no stranger to cyber-crime. For the last ten years or so, most cyber-crimes against the healthcare system were for monetary reasons whether that be through extortion or by stealing someone’s identity.

Hackers broke into a small medical practice's server, encrypted patients' electronic medical records (EMRs) and emails, and demanded a ransom. Instead of paying the ransom, the Surgeons of Lake County turned the server off and called police. It is not known whether the hackers who targeted the Surgeons of Lake County also extorted other businesses--but federal-mandated HIPAA records indicate 37 hospitals and doctors' offices nationwide have been hacked since 2009, resulting in the theft or damage of patients' medical records. The HIPAA records do not count hacks in which less than 500 patients' information was stolen or damaged, or cases in which only credit card or checking account information was stolen. In addition, they only count voluntary disclosures of successful hacking attacks. [2]

Healthcare theft is a growing criminal field, often tied to organized crime, in which uninsured patients use a stolen identity belong to another person for healthcare reasons. These include forged prescriptions for drugs, inpatient or outpatient care, or fraudulent healthcare lawsuits. The criminal gets the medical care; some innocent party and their insurance company receive the bill. At the very least, the victim has to deal with time-consuming piles of paperwork to resolve the problem. More often, credit records and access to healthcare are effectively ruined. [2]

Within the last few years there have been numerous security studies, conferences and demonstrations on the topic of cybersecurity vulnerabilities relating to “internet-connected implanted medical devices” [3], “hard-coded password vulnerabilities” [4] or “by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks.” [5]

Implanted devices have been around for decades, but only in the last few years have these devices become virtually accessible. While they allow for doctors to collect valuable data, many of these devices were distributed without any type of encryption or defensive mechanisms in place. Unlike a regular electronic device that can be loaded with new firmware, medical devices are embedded inside the body and require surgery for “full” updates. One of the greatest constraints to adding additional security features is the very limited amount of battery power available.[3]

In hospitals around the country there has been a dangerous rise of malware infections in computerized equipment. Many of these systems are running very old versions of Windows that are susceptible to viruses from years ago. Some manufacturers will not allow their equipment to be modified, even with security updates, partially due to regulatory restrictions.[3]

On June 13, 2013, the Food and Drug Administration (FDA) working closely with the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) sent out guidance [5][4] to health care facilities and medical device manufacturers addressing these critical security issues. But the real question is: what if someone actually dies from a medical cyber-attack? Who should be held accountable? The manufacturers? The health care facilities? Many believe that not only are the “hackers” accountable, but so are the companies who manufacture the medical devices——sometimes with malware already installed on them——and the health care facilities who have had lackadaisical security practices for their critical healthcare systems.


  1. Pierson, R. and Finkle, J. (2013, June 13). “FDA urges protection of medical devices from cyber threats.” Reuters. Retrieved June 18, 2013 from http://
  2. a b Ungerleider, N. (2012, August 15). “Medical Cybercrime: The Next Frontier.” FastCompany. Retrieved June 18, 2013 from
  3. a b c Wadhwa, T. (2012, December 06). “Yes, You Can Hack A Pacemaker (And Other Medical Devices Too).” Forbes. Retrieved June 18, 2013 from
  4. a b Alert (ICS-ALERT-13-164-01): Medical Devices Hard-Coded Passwords. (2013, June 13). In Industrial Control Systems Cyber Emergency Response Team. Retrieved June 18, 2013 from
  5. a b FDA Safety Communication: Cybersecurity for Medical Devices and Hospital Networks. (2013, June 13). In U.S. Food and Drug Administration. Retrieved June 18, 2013 from