5 Major US Hospital Hacks

In real-world war, combatants typically don’t attack hospitals. In the cyber realm, hackers have no such scruples. “We’re attacked about every 7 seconds, 24 hours a day,” says John Halamka, CIO of the Boston hospital Beth Israel Deaconess. And the strikes come from everywhere: “It’s hacktivists, organized crime, cyber terrorists, MIT students,” he says.
 
Halamka was speaking on a panel about medical hacking at SXSW Interactive along with Kevin Fu, a University of Michigan engineering professor who studies medical device security. Together they told horror stories of major hospital hacks from recent years. Here we bring you the top five, which represent five different types of intrusion:

1. Records → China. Many computers and medical devices in hospitals are running ancient operating systems that are full of security holes, Halamka says, so hospitals don’t connect them to their networks or to the Internet. Beth Israel Deaconess had taken this sensible precaution with a computer storing medical records, and everything was fine until it needed a firmware update. The manufacturer (which Halamka prefers not to identify) sent a technician to do the job. That technician promptly connected the device to the Internet to download the update, then went to lunch.

By the time the technician returned, Halamka says, the machine was so packed with malware that it was no longer functional. Someone had also downloaded about 2000 patient X-rays to a computer somewhere in China.

“Who knew there was a black market for X-rays?” Halamka says. He learned that some Chinese nationals can’t get visas to leave the country because they have infectious lung diseases such as tuberculosis. A clean lung X-ray is therefore a valuable commodity.

2. DDoS by Anonymous. In 2014, Boston Children’s Hospital was grappling with a controversial case regarding a teenage girl who’d been taken into state custody; doctors there claimed that her ailment was largely psychological and that her parents were pushing for unnecessary treatments. Someone in the hacktivist group Anonymous viewed this as an infringement on the girl’s rights, and decided to punish the hospital with a distributed denial of service (DDoS) attack, flooding the hospital’s servers with traffic to bring them down.

But Anonymous’s attack was broader than intended, Halamka says: “They didn’t know the IP range of Children’s, so they put a DDoS against the entire subnet, which included Harvard University and all of its hospitals.” Abruptly, all these institutions (including Halamka’s hospital) couldn’t access the Internet. “In the middle of the night, we had to outsource the Harvard network to a company that could handle it,” he says.

3. Faking out the doctors. The fake website was nearly perfect, Halamka says. It looked almost exactly like the Mass General Hospital’s payroll portal—only the urls was a little different. When doctors received an e-mail instructing them to go to their payroll site to authorize a bonus payment, many of them happily followed the link. They entered their credentials without noticing anything wrong. The hackers who created the facsimile site then used these pilfered credentials to change the doctors’ direct deposit information in the actual payment system—and promptly used the doctors’ hard-earned cash “to buy Amazon gift cards,” Halamka says. MGH no longer allows remote access to the payroll site using only a password.

4. The lure of Angry Birds. A nurse at Beth Israel Deaconess was just looking for a little harmless fun, so she downloaded Angry Birds to her Android phone. Unfortunately, she downloaded it from a Bulgarian website that delivered malware along with the game. Later, when she logged into her work e-mail account from her phone, a screen scraper program recorded her login credentials. “Her account was used to spend 1 million spam messages from Harvard.edu, causing Verizon to block Harvard as a spammer,” Halamka says.
 
5. Pay up or else. Kevin Fu sees ransomware attacks on hospitals as a growing threat. In these attacks, hackers hijack a computer network, encrypting or otherwise blocking access to the data, then demand a ransom payment in exchange for the data’s release. These hackers target private citizens and major organizations. When they go after hospitals, the outages have major repercussions. Fu says: “They’re unable to deliver patient care in a timely manner.”

Fu lists a number of hospitals that have suffered ransomware attacks just in the last few months—and that paid up. The most notable: In Los Angeles, a Hollywood hospital’s network was out for a week when hackers allegedly demanded more than $3 million in bitcoin payment. In the end, the hospital paid a ransom of $17,000 to get its files back. Halamka adds that the Hollywood hospital had all its data backed up, but the two databases were connected to each other and to the Internet. An offline backup would have saved them, he notes.
     
These attacks may all sound like nightmare scenarios, but the experts say they’re becoming almost routine. And hospitals have not made cybersecurity a priority in their budgets, Halamka says: “In healthcare, we spent about 2 percent on IT, and security might be 10 percent of that.” Compare that percentage to the security spending by financial firms: “Fidelity spends 35 percent of its budget on IT,” he says.
 
Spectrum IEEE

« Blockchain – The Most Disruptive Invention Since The Internet
What Do UK Consumers Think About SMEs’ Cyber Security? »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Chatham House Cyber Conference

Chatham House Cyber Conference

14 June 2023 - Connect with cyber security experts and senior policymakers to explore the role of cyber security in the global economy and how to deliver an open and secure internet.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Online Business Systems

Online Business Systems

Online Business Systems is an information technology and business consultancy. We design improved business processes enabled with robust and secure information systems.

Asvin

Asvin

Asvin provides secure update management and delivery for Internet of Things - IoT Edge devices.

Optra Security

Optra Security

Optra Security specializes in information security with a focus on Application Security.

Vigilant Software

Vigilant Software

Vigilant Software develops industry-leading tools for intelligent, simplified compliance, including ISO27001-risk management and EU GDPR.

National Health Care Anti-Fraud Association (NHCAA)

National Health Care Anti-Fraud Association (NHCAA)

National Health Care Anti-Fraud Association is the leading national organization focused exclusively on the fight against health care fraud.

WisePlant

WisePlant

WisePlant's portfolio of solutions and services includes process measurement, secure automation, industrial cybersecurity, functional safety and more.

SecurityGate

SecurityGate

SecurityGate.io is the only Integrated Risk Management platform built for OT/ICS cybersecurity.

WhiteHawk

WhiteHawk

WhiteHawk is the first online Cyber Security Exchange. We help you understand your cyber risk and match you to tailored and affordable solutions.

Viettel Cyber Security

Viettel Cyber Security

Viettel Cyber Security is an organization under the Military Telecommunication Industry Group, conducting research and developing information security solutions for domestic and foreign customers.

RankedRight

RankedRight

RankedRight empowers security teams to take immediate action on their most critical risks.

Red Goat Cyber Security

Red Goat Cyber Security

Red Goat Cyber Security have created excellent, informative and interactive Social Engineering Awareness training which is suitable for all levels of staff.

Vanta

Vanta

Vanta helps companies scale security practices and automate compliance for the industry’s most sought after standards - SOC 2, ISO 27001, HIPAA, GDPR, and other security and privacy frameworks.

Resourcive

Resourcive

Resourcive is the first Value Added Sourcing “VAS” consultancy. We deliver strategic IT sourcing solutions to mid-market and enterprise clients.

Northrop Grumman

Northrop Grumman

Northrop Grumman is a global provider and integrator of complex, advanced and rapidly adapting information technology, cybersecurity, mobility and optimized services and solutions.

Securonix

Securonix

Securonix delivers a next generation security analytics and operations management platform for the modern era of big data and advanced cyber threats.

U2opia Technology

U2opia Technology

U2opia is a consortium with a proven track record of delivering groundbreaking technology, cybersecurity, and innovative business solutions.