5 Major US Hospital Hacks

In real-world war, combatants typically don’t attack hospitals. In the cyber realm, hackers have no such scruples. “We’re attacked about every 7 seconds, 24 hours a day,” says John Halamka, CIO of the Boston hospital Beth Israel Deaconess. And the strikes come from everywhere: “It’s hacktivists, organized crime, cyber terrorists, MIT students,” he says.
 
Halamka was speaking on a panel about medical hacking at SXSW Interactive along with Kevin Fu, a University of Michigan engineering professor who studies medical device security. Together they told horror stories of major hospital hacks from recent years. Here we bring you the top five, which represent five different types of intrusion:

1. Records → China. Many computers and medical devices in hospitals are running ancient operating systems that are full of security holes, Halamka says, so hospitals don’t connect them to their networks or to the Internet. Beth Israel Deaconess had taken this sensible precaution with a computer storing medical records, and everything was fine until it needed a firmware update. The manufacturer (which Halamka prefers not to identify) sent a technician to do the job. That technician promptly connected the device to the Internet to download the update, then went to lunch.

By the time the technician returned, Halamka says, the machine was so packed with malware that it was no longer functional. Someone had also downloaded about 2000 patient X-rays to a computer somewhere in China.

“Who knew there was a black market for X-rays?” Halamka says. He learned that some Chinese nationals can’t get visas to leave the country because they have infectious lung diseases such as tuberculosis. A clean lung X-ray is therefore a valuable commodity.

2. DDoS by Anonymous. In 2014, Boston Children’s Hospital was grappling with a controversial case regarding a teenage girl who’d been taken into state custody; doctors there claimed that her ailment was largely psychological and that her parents were pushing for unnecessary treatments. Someone in the hacktivist group Anonymous viewed this as an infringement on the girl’s rights, and decided to punish the hospital with a distributed denial of service (DDoS) attack, flooding the hospital’s servers with traffic to bring them down.

But Anonymous’s attack was broader than intended, Halamka says: “They didn’t know the IP range of Children’s, so they put a DDoS against the entire subnet, which included Harvard University and all of its hospitals.” Abruptly, all these institutions (including Halamka’s hospital) couldn’t access the Internet. “In the middle of the night, we had to outsource the Harvard network to a company that could handle it,” he says.

3. Faking out the doctors. The fake website was nearly perfect, Halamka says. It looked almost exactly like the Mass General Hospital’s payroll portal—only the urls was a little different. When doctors received an e-mail instructing them to go to their payroll site to authorize a bonus payment, many of them happily followed the link. They entered their credentials without noticing anything wrong. The hackers who created the facsimile site then used these pilfered credentials to change the doctors’ direct deposit information in the actual payment system—and promptly used the doctors’ hard-earned cash “to buy Amazon gift cards,” Halamka says. MGH no longer allows remote access to the payroll site using only a password.

4. The lure of Angry Birds. A nurse at Beth Israel Deaconess was just looking for a little harmless fun, so she downloaded Angry Birds to her Android phone. Unfortunately, she downloaded it from a Bulgarian website that delivered malware along with the game. Later, when she logged into her work e-mail account from her phone, a screen scraper program recorded her login credentials. “Her account was used to spend 1 million spam messages from Harvard.edu, causing Verizon to block Harvard as a spammer,” Halamka says.
 
5. Pay up or else. Kevin Fu sees ransomware attacks on hospitals as a growing threat. In these attacks, hackers hijack a computer network, encrypting or otherwise blocking access to the data, then demand a ransom payment in exchange for the data’s release. These hackers target private citizens and major organizations. When they go after hospitals, the outages have major repercussions. Fu says: “They’re unable to deliver patient care in a timely manner.”

Fu lists a number of hospitals that have suffered ransomware attacks just in the last few months—and that paid up. The most notable: In Los Angeles, a Hollywood hospital’s network was out for a week when hackers allegedly demanded more than $3 million in bitcoin payment. In the end, the hospital paid a ransom of $17,000 to get its files back. Halamka adds that the Hollywood hospital had all its data backed up, but the two databases were connected to each other and to the Internet. An offline backup would have saved them, he notes.
     
These attacks may all sound like nightmare scenarios, but the experts say they’re becoming almost routine. And hospitals have not made cybersecurity a priority in their budgets, Halamka says: “In healthcare, we spent about 2 percent on IT, and security might be 10 percent of that.” Compare that percentage to the security spending by financial firms: “Fidelity spends 35 percent of its budget on IT,” he says.
 
Spectrum IEEE

« Blockchain – The Most Disruptive Invention Since The Internet
What Do UK Consumers Think About SMEs’ Cyber Security? »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Ericsson

Ericsson

Ericsson is a leading provider of telecommunications services and network infrastructure solutions including all aspects of network security.

Kudelski Security

Kudelski Security

Kudelski Security is an international cybersecurity company providing innovative, independent and tailored security solutions for large enterprise and public sector clients.

Egis Technology

Egis Technology

Egis specializes in the IC design, research and development, and the testing and sales of capacitive fingerprint sensor.

BHC Laboratory

BHC Laboratory

BHC Laboratory is a cyber capabilities’ development company for a wide range of global customers.

Trusted Objects

Trusted Objects

Trusted Object's mission is to provide state of the art security solutions and services enabling a strong root of trust for the IoT ecosystem.

Sergeant Laboratories

Sergeant Laboratories

Sergeant Laboratories builds advanced technologies to prove compliance in complex IT security and regulatory compliance situations.

SynerLeap

SynerLeap

SynerLeap is ABB's innovation growth hub. Our aim is to help startups accelerate and expand across industries, ranging from industrial automation and robotics to grid technologies and smart cities.

LOGbinder

LOGbinder

LOGbinder eliminates blind spots in security intelligence for endpoints and applications.

gener8tor

gener8tor

The gener8tor Cybersecurity Accelerator offers a cutting-edge program in San Antonio, home to the second-largest concentration of cybersecurity experts in the United States.

Harbor Networks

Harbor Networks

Harbor Networks is a communications systems integrator and managed services provider. We provide business consultation services for voice and data communication technology.

CyberGate Technologies

CyberGate Technologies

CyberGate Technologies is a world-class, customer focus cyber security service and consultancy company operating the UK, Europe, Middle East, and Africa.

Match Systems

Match Systems

Match Systems provides blockchain investigations, KYC, KYT, AML, Due Diligence and compliance services.

Ping Identity

Ping Identity

At Ping Identity, we believe in making digital experiences both secure and seamless for all users, without compromise. That’s digital freedom.

Auxilion

Auxilion

Auxilion is an award-winning provider of consulting and IT support services, technologies and consulting for public and private organisations in the UK and Ireland.

WillCo Tech

WillCo Tech

WillCo Tech works to enhance national security and force readiness for military and commercial enterprises with a suite of software capabilities surrounding the human element of cybersecurity.

Interlynk

Interlynk

Interlynk's #SBOM and # VEX-powered platform automates and continuously monitors first-party and vendor software supply chains and helps meet #FDA, #CRA, #GSA, and #DoD compliance obligations.