There was once a belief that even in combat, hospitals were never targeted but in the hacking world, there are no such scruples. Everyone from hacktivists, cyberterrorists, students and organized crime are engaged in designing schemes that could put a system down – any system. The recent incident at Hollywood Presbyterian brings forward the issue of cybersecurity in healthcare.
Hackers shut down the internal computer system at Hollywood Presbyterian for more than a week and only restored it once the hospital paid them a ransom. Their original demand was for a payment of 9000 bitcoins (approximately $3.7 million). Patient care was not compromised but the cyberattack did cause chaos in the whole facility. 911 patients had to be sent over to other hospitals and hospital staff had to revert to paper registrations. The hospital lost access to email, emergency rooms were affected and fax lines became jammed.
All this fiasco was created through a software called ransomware that has the ability to encrypt sensitive data. The software could only be unlocked with a keycode. As Tim Erlin, Director of IT Security and Risk Strategy at Tripwire points out, this incident highlights the fact that it is not necessary to attack the medical device to hinder healthcare. It can be done through simply disrupting the hospital system so that the facility’s ability to deliver care becomes hampered.
Another similar ransomware scheme called CryptoWall cost victims nearly $18 million. Another 56 types of cryptoransomware have appeared since 2013 and there are around 50 gangs who are engaged in schemes that target only hospitals. Kevin Haley, Director of Security Response at Symantec says that the most vulnerable spots for hiding such malware are WordPress blogs and advertisements.
There has been much hue and cry about the Hollywood Presbyterian incident but the fact is that there are many other stories of hospital hacks in the last few years.
Beth Israel Deaconess was in the process of updating its computer system of storing medical records. This required a firmware update which a technician was hired to do. Not knowing the consequences of his actions, the technician connected the device to the Internet to download the update and went on break. When he returned, he found that the machine was packed with malware and somebody had actually downloaded 2000 patient X-rays and transferred them to a computer in China. Apparently, clean lung X-rays are hot commodities in China. Who would have thought?
Similarly, Boston Children’s Hospital was attacked by a hacker when it refused to treat a girl who was in state custody. A hacktivist group Anonymous was not too pleased with this decision and punished the hospital with a distributed denial of service (DDoS) attack that inundated the hospital’s servers with traffic. The DDos affected the entire subnet including Harvard University and all its hospitals.
In another incident, somebody made a fake website exactly like the Mass General Hospital’s payroll portal. The URL was a little different but not enough to alert the doctors who were instructed through email to go into their payroll site to authorize a bonus payment. Which they did. The hackers then simply used these credentials to change the doctors’ direct deposit information and easily withdrew their hard-earned income.
Another surprising hacking incident occurred at Beth Israel Deaconess when a nurse downloaded Angry Birds on her Android phone. She downloaded it from a Bulgarian website that brought with it a malware. When later she logged into her work email from the same device, all her login details were recorded and her account was subsequently used to send 1 million spam messages from Harvard.edu.
These incidents make it evident that hacking is a significant problem for all industries – including healthcare. In fact, healthcare is even more vulnerable as hospital systems contain extremely personal and confidential information about patients.
As a person’s medical information is worth ten times more than their credit card information in the black market, it is important for organizations to ensure they implement adequate security measures that help reduce any risks and vulnerabilities. In addition, organizations should have security officials in place to ensure that security policies and procedures are implemented and only limited users have access to confidential information. Workforce and employees should be properly authorized and supervised and all workforce members should be trained regarding security policies and procedures. Understanding the importance of cyber security is essential and healthcare organizations need to work towards establishing IT systems that are both efficient and secure.