A Conversation with an Ethical Hacker
No one understands the vulnerability of sensitive information better than Kevin Johnson, because he experienced it first-hand. When his daughter was 9 years old, she was diagnosed with a medical condition, and six months later her identity was stolen. Now 13 years old, she will have to deal with this breach of security for the rest of her life. That's why he became an ethical hacker—to protect others from the breach of data and its consequences.
HIMSS16 sat down with Johnson to discuss ethical hacking, his role, and the biggest vulnerabilities and challenges in healthcare today!
What does an ethical hacker do?
I’m self-described as “Professionally evil”. As the owner of Secure Ideas, I hire people to simulate hacking—evil, and break into a company—professionally. I show companies their vulnerabilities, how I could’ve stolen data, the risk and what needs to be fixed. Ethical hacking is similar to hiring an alarm company to come out and check the windows and doors to improve security. “We are in fact the bad guys; I get to break the law every day and not go to jail.”
What are the major vulnerabilities that you find while running a penetration test?
We find that everyone in the company owns their own FedEx uniform. You can buy them on eBay; UPS delivers them. We can get into banks, corporate headquarters, and offices without anyone questioning us. We can trick your online banking system to transfer money to our account; users trust too much! If we send an email to a company, at least 50% of people will give us their password and access to their computer. Over and over again, it’s easy to trick users because they don’t understand!
What is one of the primary challenges facing healthcare leaders today?
Healthcare has privacy issues, but at the same time, it’s trying to increase the flexibility of the infrastructure. For instance, HIPAA’s purpose is to protect the privacy and security of health information. But on the other hand, we want doctors and nurses to have as much access as possible to help the patient. So, there’s a constant balancing act between usability and accessibility! Specifically, in a hospital setting, people have to access a network to do their jobs. But most doctors don’t work for the hospital, so the hospital has to secure its infrastructure while managing devices. So, the issue becomes performing the security activities without taking away the budget to save lives.
More attackers are recognizing the benefits and financial gain of stealing healthcare data. Healthcare organizations are seeing rampant attacks and visual hacking. For example, someone without insurance can get the medical records of someone with insurance and obtain that medical record information, similar to stolen identity with credit cards. Therefore, there’s not an easy way to monitor and maintain healthcare data, because we have to go to every doctor seen to get records. In addition, we’re seeing a trend of increased use of personal health devices—Fitbits, Apple Watches and other wearable technological devices—increasing the vulnerability of data.
So, how can you protect yourself and your healthcare organization against future security breaches of sensitive information?
Don’t miss his session at the HIMSS16 Conference:
Thursday, March 3, 2016 | 10:00 am - 11:00 am.
Johnson wants attendees to be able to walk away from his session with an understanding of issues with mobile applications and devices. He discusses how you can assess this situation, look at apps and devices, and figure out if there’s a risk.