If I created a hierarchy of cyberattack nightmares, I'd slot attacks on hospitals right up there with having my Google search history downloaded and posted publicly. Maybe dying would be less explicitly humiliating, but getting murdered Homeland-style via hacked medical device is a specifically modern anxiety shudder. MIT Technology Review declared 2015 "the year of the hospital hack". Turns out that was premature: 2016 has already been a cybersecurity disaster for the healthcare industry, with an especially pernicious form of attack -- ransomware, when attackers hijack records and demand payment -- gaining traction.
In January, the Royal Melbourne Hospital was attacked by a virus, which forced staff to use slower, manual workarounds. Canada's Ottawa Hospital reported a ransomware attack that hit four computers earlier this month. In February, LA's Hollywood Presbyterian Medical Center paid a $US17,000 ($22,175) Bitcoin ransom to criminals who installed malware to steal patient records. Another recent ransomware attack at Kentucky's Methodist Hospital prompted the care centre to declare a "state of emergency" that left it unable to access vital electronic records. (It's not clear if Methodist paid the ransom; I've contacted their systems administrator to find out but had not received a reply at time of writing.)
This week, the FBI started investigating a computer virus infecting a large Washington, DC-area healthcare provider, MedStar Washington. The attack forced a large part of MedStar's online operations offline. The Chicago Tribune reported on the lingering effects of the attack Monday night, noting that employees had to stay late to deal with slowed-down processes, since they could only access paper records. MedStar spokeswoman Ann Nickels did not say if it was a ransomware attack.
"Hospitals are in a very different category when it comes to ransomware. The kind of data they hold is very confidential but also very critical to people's actual lives," Malwarebytes security researcher Jérôme Segura told Gizmodo. Since most hospitals now use digital records, doctors need to be able to access those records to diagnose and treat patients. "One can imagine how detrimental it would be if someone was in the middle of a major operation and suddenly all of their health records became unavailable," Segura said.
You can definitely imagine it easily -- because it keeps happening.
Seen in my doctor's office: pic.twitter.com/LhXkjKvhQd
— Steven Bellovin (@SteveBellovin) March 23, 2016
As hospitals adopt internet-connected medical devices and accessories, they also take on new entry points for criminals. Kaspersky Labs released a report this month called "How I Hacked a Hospital". The team accessed a clinic's local Wi-Fi system through what it describes as a "weak communications protocol". Then it used Shodan, a search engine for internet-connected devices, to survey which gear could serve as a security gap. It gained access to some devices it found on Shodan without even entering a password -- being connected to the local network was enough.
The Kaspersky team also discovered flaws that would allow criminals to hijack medical equipment, including MRI scanners and surgical devices. That means the potential for "physical damage to the patients" or "damage [to] the device itself".
In another study, this one by Independent Security Evaluators, researchers worked with a dozen Baltimore-area hospitals over two years to explore vulnerability to attacks. As the Baltimore Sun reported, the team was able to "commandeer computer systems that track medicine delivery and bloodwork requests" from within a hospital lobby. "A defibrillator could be disabled," the Sun report reads. "An X-ray machine could be made to blast patients -- and anyone nearby -- with high levels of radiation."
Much of the vulnerability comes down to budgets, Segura said, with some hospitals struggling to pay for critical IT updates. "The combination of older (sometimes archaic) systems with staff members not well-trained against security threats opens the door to ransomware attacks," he said.
Indeed, Johns Hopkins computer science professor Avi Rubin investigated hospital security practices and found them lacking. In an interview with Fast Company, he offered examples of behaviours that increase security risks:
I found that one hospital's radiology department had a nurse constantly typing in the doctors' passwords into their terminals when they were not around so that they would stay logged in. I also found that people would VPN (access the health systems' private network) into the hospital system using the same computer that their kids used to play video games. That is a huge security risk.
Generally speaking, hospital staffers aren't more oblivious than the average person to basic tenets of cybersecurity. But they do work in highly-connected environments, and with records and equipment that are coveted targets. Their mistakes can matter more. These systems are bullseyes for thieves, and the escalation of attacks shows how underprepared the healthcare system is to ward them off.
To prevent attacks, hospitals should be taking a "layered" approach to security. In addition to keeping software patched, Segura recommends that hospitals use proactive security software -- meaning software that triggers automatically as suspicious activity is detected instead of reacting to threats after the fact. Employees should also be trained on how to respond to ransomware attacks.
Ted Harringon, the security researcher who led Independent Security Evaluators' investigation, believes hospitals must readjust their thinking to keep people safe. "Focus on protecting patient health," Harrington said. "Currently, healthcare organisations focus their security efforts almost entirely on protecting patient data, and on pursuing compliance in order to do so. These things support but do not wholly address what should be the primary security mission in healthcare: protecting patient lives."
Harrington believes hospitals are -- despite the continued onslaught of attacks -- still frequently unaware of how vulnerable they are. "Our research demonstrated that healthcare organisations have woefully inadequate staffing, funding, training, network awareness, and many other shortcomings," he said. "Once healthcare organisations adapt to how much risk they are absorbing through these shortcomings, they will be better equipped to defend."