BOSTON—2015 was pretty dismal year for cybersecurity in healthcare, according to Richard Clarke, the former White House cybersecurity czar who served three presidents. Clarke delivered the opening keynote at the Privacy and Security Forum.

On average, companies that got breached did not know it for 270 days and some had even been breached for seven years without knowing it. Two-thirds of those entities did not even discover the breach internally; it was pointed out to them, either by someone outside the organization or by the federal government, Clarke said.

“Healthcare IT security has a bad reputation and you have to come to grips with that,” he said. “Reputations usually have some justification.”

The reason for the poor standing is not because of people who understand cybersecurity, he said. “You know what to do but you’re not being allowed to do it. The leadership of the organizations don’t get it. CEOs and boards of directors don’t really understand cybersecurity. That’s been true in sector after sector.”

IT security professionals need to get their leadership off the fixation that cybersecurity is just about protected health information, Clarke said. “I think your leadership believes that.” He said that when breaches happen and organizations offer the victims free credit monitoring, only 8 percent take the offer. That’s because “we have all become inured to the loss of [personally identifiable information]. Tell your leadership there are other things that could happen that have happened in other sectors. Those things inevitably will happen in healthcare.”

Those other things include the following seven threats Clarke identified as worse than data breaches:

1. Ransomware: This has become an epidemic in the U.S. this year, Clarke said. Attackers get into your network and “do what should have been done in the first place—encrypt anything.” They then demand money in exchange for access to the data. 

2. DDoS: Distributed Denial of Services attacks, previously thought to be a minor problem, have reemerged with high profile attacks against American banks, Clarke said. "DDoS is now, again, a threat. It's something you can send down the wire to an entity and knock it offline."

3. Wiper attacks: "Think Sony," Clarke said. He visited the company’s campus and said all the devices were wiped. They couldn’t do anything, including film, because everything was computerized.

4. Intellectual property (IP) theft: This is "probably the most damaging thing that happens," Clarke said. "If it's IP that's worth something and is online, it will be stolen."

5. Straight theft of money: One increasingly common trick is that hackers assume the identity of someone in the comptroller's office who sends out wire transfers for accounts payable. They then wire relatively small amounts—amounts that won’t be noticed—to an offshore account, transfer it to another account elsewhere and it's gone. 

6. Data manipulation: Wall Street's greatest fear is not data being stolen but the potential for someone to manipulate the data so firms don't really know who owns what anymore, he said. If that were to happen in healthcare—data changed about blood transfusions, for example—it could be deadly.

7. Data destruction: Devices can be physically destroyed by code. Clarke took part in the Aurora experiment at the Department of Energy's lab in Idaho which involved hacking into a simulated power grid, taking control, giving it the wrong commands through software and destroying a large electric power generator. While that was an extreme example, Clarke said many physical objects can be destroyed by software.

The motivation behind these attacks doesn’t matter, Clarke said. “If it can happen, it will happen.”