5 Major US Hospital Hacks

In real-world war, combatants typically don’t attack hospitals. In the cyber realm, hackers have no such scruples. “We’re attacked about every 7 seconds, 24 hours a day,” says John Halamka, CIO of the Boston hospital Beth Israel Deaconess. And the strikes come from everywhere: “It’s hacktivists, organized crime, cyber terrorists, MIT students,” he says.
 
Halamka was speaking on a panel about medical hacking at SXSW Interactive along with Kevin Fu, a University of Michigan engineering professor who studies medical device security. Together they told horror stories of major hospital hacks from recent years. Here we bring you the top five, which represent five different types of intrusion:

1. Records → China. Many computers and medical devices in hospitals are running ancient operating systems that are full of security holes, Halamka says, so hospitals don’t connect them to their networks or to the Internet. Beth Israel Deaconess had taken this sensible precaution with a computer storing medical records, and everything was fine until it needed a firmware update. The manufacturer (which Halamka prefers not to identify) sent a technician to do the job. That technician promptly connected the device to the Internet to download the update, then went to lunch.

By the time the technician returned, Halamka says, the machine was so packed with malware that it was no longer functional. Someone had also downloaded about 2000 patient X-rays to a computer somewhere in China.

“Who knew there was a black market for X-rays?” Halamka says. He learned that some Chinese nationals can’t get visas to leave the country because they have infectious lung diseases such as tuberculosis. A clean lung X-ray is therefore a valuable commodity.

2. DDoS by Anonymous. In 2014, Boston Children’s Hospital was grappling with a controversial case regarding a teenage girl who’d been taken into state custody; doctors there claimed that her ailment was largely psychological and that her parents were pushing for unnecessary treatments. Someone in the hacktivist group Anonymous viewed this as an infringement on the girl’s rights, and decided to punish the hospital with a distributed denial of service (DDoS) attack, flooding the hospital’s servers with traffic to bring them down.

But Anonymous’s attack was broader than intended, Halamka says: “They didn’t know the IP range of Children’s, so they put a DDoS against the entire subnet, which included Harvard University and all of its hospitals.” Abruptly, all these institutions (including Halamka’s hospital) couldn’t access the Internet. “In the middle of the night, we had to outsource the Harvard network to a company that could handle it,” he says.

3. Faking out the doctors. The fake website was nearly perfect, Halamka says. It looked almost exactly like the Mass General Hospital’s payroll portal—only the URL was a little different. When doctors received an e-mail instructing them to go to their payroll site to authorize a bonus payment, many of them happily followed the link. They entered their credentials without noticing anything wrong. The hackers who created the facsimile site then used these pilfered credentials to change the doctors’ direct deposit information in the actual payment system—and promptly used the doctors’ hard-earned cash “to buy Amazon gift cards,” Halamka says. MGH no longer allows remote access to the payroll site using only a password.

4. The lure of Angry Birds. A nurse at Beth Israel Deaconess was just looking for a little harmless fun, so she downloaded Angry Birds to her Android phone. Unfortunately, she downloaded it from a Bulgarian website that delivered malware along with the game. Later, when she logged into her work e-mail account from her phone, a screen scraper program recorded her login credentials. “Her account was used to send 1 million spam messages from Harvard.edu, causing Verizon to block Harvard as a spammer,” Halamka says.
 
5. Pay up or else. Kevin Fu sees ransomware attacks on hospitals as a growing threat. In these attacks, hackers hijack a computer network, encrypting or otherwise blocking access to the data, then demand a ransom payment in exchange for the data’s release. These hackers target private citizens and major organizations. When they go after hospitals, the outages have major repercussions. Fu says: “They’re unable to deliver patient care in a timely manner.”

Fu lists a number of hospitals that have suffered ransomware attacks just in the last few months—and that paid up. The most notable: In Los Angeles, a Hollywood hospital’s network was out for a week when hackers allegedly demanded more than $3 million in bitcoin payment. In the end, the hospital paid a ransom of $17,000 to get its files back. Halamka adds that the Hollywood hospital had all its data backed up, but the two databases were connected to each other and to the Internet. An offline backup would have saved them, he notes.
     
These attacks may all sound like nightmare scenarios, but the experts say they’re becoming almost routine. And hospitals have not made cybersecurity a priority in their budgets, Halamka says: “In healthcare, we spent about 2 percent on IT, and security might be 10 percent of that.” Compare that percentage to the security spending by financial firms: “Fidelity spends 35 percent of its budget on IT,” he says.
 
Spectrum IEEE
