5 Major US Hospital Hacks

Uploaded on 2016-03-31 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Health & Welfare

In real-world war, combatants typically don’t attack hospitals. In the cyber realm, hackers have no such scruples. “We’re attacked about every 7 seconds, 24 hours a day,” says John Halamka, CIO of the Boston hospital Beth Israel Deaconess. And the strikes come from everywhere: “It’s hacktivists, organized crime, cyber terrorists, MIT students,” he says.
 
Halamka was speaking on a panel about medical hacking at SXSW Interactive along with Kevin Fu, a University of Michigan engineering professor who studies medical device security. Together they told horror stories of major hospital hacks from recent years. Here we bring you the top five, which represent five different types of intrusion:

1. Records → China. Many computers and medical devices in hospitals are running ancient operating systems that are full of security holes, Halamka says, so hospitals don’t connect them to their networks or to the Internet. Beth Israel Deaconess had taken this sensible precaution with a computer storing medical records, and everything was fine until it needed a firmware update. The manufacturer (which Halamka prefers not to identify) sent a technician to do the job. That technician promptly connected the device to the Internet to download the update, then went to lunch.

By the time the technician returned, Halamka says, the machine was so packed with malware that it was no longer functional. Someone had also downloaded about 2000 patient X-rays to a computer somewhere in China.

“Who knew there was a black market for X-rays?” Halamka says. He learned that some Chinese nationals can’t get visas to leave the country because they have infectious lung diseases such as tuberculosis. A clean lung X-ray is therefore a valuable commodity.

2. DDoS by Anonymous. In 2014, Boston Children’s Hospital was grappling with a controversial case regarding a teenage girl who’d been taken into state custody; doctors there claimed that her ailment was largely psychological and that her parents were pushing for unnecessary treatments. Someone in the hacktivist group Anonymous viewed this as an infringement on the girl’s rights, and decided to punish the hospital with a distributed denial of service (DDoS) attack, flooding the hospital’s servers with traffic to bring them down.

But Anonymous’s attack was broader than intended, Halamka says: “They didn’t know the IP range of Children’s, so they put a DDoS against the entire subnet, which included Harvard University and all of its hospitals.” Abruptly, all these institutions (including Halamka’s hospital) couldn’t access the Internet. “In the middle of the night, we had to outsource the Harvard network to a company that could handle it,” he says.

3. Faking out the doctors. The fake website was nearly perfect, Halamka says. It looked almost exactly like the Mass General Hospital’s payroll portal—only the urls was a little different. When doctors received an e-mail instructing them to go to their payroll site to authorize a bonus payment, many of them happily followed the link. They entered their credentials without noticing anything wrong. The hackers who created the facsimile site then used these pilfered credentials to change the doctors’ direct deposit information in the actual payment system—and promptly used the doctors’ hard-earned cash “to buy Amazon gift cards,” Halamka says. MGH no longer allows remote access to the payroll site using only a password.

4. The lure of Angry Birds. A nurse at Beth Israel Deaconess was just looking for a little harmless fun, so she downloaded Angry Birds to her Android phone. Unfortunately, she downloaded it from a Bulgarian website that delivered malware along with the game. Later, when she logged into her work e-mail account from her phone, a screen scraper program recorded her login credentials. “Her account was used to spend 1 million spam messages from Harvard.edu, causing Verizon to block Harvard as a spammer,” Halamka says.
 
5. Pay up or else. Kevin Fu sees ransomware attacks on hospitals as a growing threat. In these attacks, hackers hijack a computer network, encrypting or otherwise blocking access to the data, then demand a ransom payment in exchange for the data’s release. These hackers target private citizens and major organizations. When they go after hospitals, the outages have major repercussions. Fu says: “They’re unable to deliver patient care in a timely manner.”

Fu lists a number of hospitals that have suffered ransomware attacks just in the last few months—and that paid up. The most notable: In Los Angeles, a Hollywood hospital’s network was out for a week when hackers allegedly demanded more than $3 million in bitcoin payment. In the end, the hospital paid a ransom of $17,000 to get its files back. Halamka adds that the Hollywood hospital had all its data backed up, but the two databases were connected to each other and to the Internet. An offline backup would have saved them, he notes.
     
These attacks may all sound like nightmare scenarios, but the experts say they’re becoming almost routine. And hospitals have not made cybersecurity a priority in their budgets, Halamka says: “In healthcare, we spent about 2 percent on IT, and security might be 10 percent of that.” Compare that percentage to the security spending by financial firms: “Fidelity spends 35 percent of its budget on IT,” he says.
 
Spectrum IEEE

« Blockchain – The Most Disruptive Invention Since The Internet
What Do UK Consumers Think About SMEs’ Cyber Security? »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Wizard Computing

Wizard Computing

Wizard Computer Services is a full service IT solutions provider that offers managed services, consultation, installation, and support to small and large businesses in New England.

SecureAppbox

SecureAppbox

SecureAppbox provide solutions that protects the communication of sensitive data as well as advice on data security and compliance with GDPR.

Cequence Security

Cequence Security

Cequence, a pioneer in API security and bot management, is the only solution that delivers Unified API Protection (UAP), uniting discovery, compliance, and protection.

Cyber Pop-Up

Cyber Pop-Up

Cyber Pop-Up provide on-demand access to top security experts. No recruiting. No onboarding. No overhead costs.

Adaptive Shield

Adaptive Shield

Addaptive Shield - Complete Control For Your SaaS Security. Proactively find and fix weaknesses across your SaaS platforms.

Evalian

Evalian

Evalian is a data protection services provider. Working with organisations of all sizes, we specialise in Data Protection, GDPR, ISO Certification & Information Security.

Alias Robotics

Alias Robotics

Alias Robotics is a robot cyber security company. We deliver cyber security solutions for robots and robot components.

Dasera

Dasera

Dasera’s Radar and Interceptor products deliver visibility, governance, and protection solutions for data-agile companies.

AML Global Solutions (AMLGS)

AML Global Solutions (AMLGS)

AMLGS delivers Financial Crime prevention training programmes and consultancy services encompassing Anti-Money Laundering (AML), Counter Terrorism Financing (CTF), Bribery & Corruption and Fraud.

OpsHelm

OpsHelm

OpsHelm provides a Software-as-a-Service solution to help businesses ensure that all of their cloud environments have their security bases covered.

Plex IT

Plex IT

Plex IT provides managed IT services to organisations along with managed security services.

SecurityStudio

SecurityStudio

SecurityStudio is a continuous cybersecurity risk management platform that allows decision-makers to quickly identify the most immediate threats and make confident risk informed decisions.

Omdia

Omdia

Omdia is a technology research and advisory group. Our deep knowledge of tech markets combined with our actionable insights empower organizations to make smart growth decisions.

at-yet (@-yet)

at-yet (@-yet)

at-yet are an interdisciplinary team of experts. We are all about achieving results, whatever the situation – an acute incident, risk minimisation, safeguarding or data protection.

HYCU

HYCU

HYCU was born of the need to simplify data protection and provide equivalent levels of backup and recovery support across on premises, public cloud, and SaaS workloads.

Taktika

Taktika

Taktika stands at the forefront of cybersecurity defense, offering cutting-edge integration and managed Security Operations Center (SOC) services.