Computer hacking has become part of everyday life for the past few years as Internet-connected devices get been hacked left and right, but most times these are harmless, so-called “Internet of Things” appliances, like kettles or fridges.
But according to Boston-area hospital, Beth Israel Deaconess, it is attacked about every 7 seconds, 24 hours a day, and the strikes come from everywhere: hacktivists, organized crime, terrorists and even MIT students.
Nearly 1 in 3 Americans deals with some kind of health record compromise, and most of the time they are completely unaware it happened. This means that criminals gain huge amounts of information about people, including their social security numbers, phone numbers, addresses, and even their personal health information. Many of these types of information are much more permanent than even credit card numbers, and last forever. And most of these hacker attacks occur due to the sheer number of vulnerabilities in the security systems of hospitals.
For example, Sergey Lozhkin, a security researcher for Kaspersky, gave a talk at in February at the Security Analyst Summit in February, Tenerife, Spain, where he presented a case study during which he hacked a local hospital. Lozhkin’s experiment started when he accidentally discovered unprotected medical equipment available online through Shodan, a search engine for Internet-connected devices. Digging deeper into the results, he found that a few of the exposed devices were actually from a local nearby hospital.
Then he managed to hack and steal the local network key, which then allowed him to access various medical equipment that was connected to the building’s internal WiFi network. Using the network key, he accessed a tomographic scanner, from which he extracted patient records. The records were dummy data since management knew he was supposed to carry out a test, but the experiment proved its point and showed hospital management that their network was woefully insecure.
However, Lozhkin is a security expert and he helped hospital management to fix vulnerabilities in their system, but many hackers have no such scruples. “Ransomware” — a virus that holds systems hostage until victims pay for a key to regain access — has been deployed at least three times against hospitals this year. In a ransomware attack, hackers infect PCs with malicious software that encrypts valuable files so they are inaccessible, then offer to unlock the data only if the victim pays a ransom.
The most notable ransomware attack happened just a few months ago in Los Angeles: the network of Hollywood Presbyterian Hospital was out for a week when hackers allegedly demanded more than $3 million in bitcoin payment.
The hack at Hollywood Presbyterian forced doctors to use pen and paper in the age of computerization. News reports said fax lines were jammed because normal email communication was unavailable, and some emergency patients had to be diverted to other hospitals. In the end, the hospital paid a ransom of $17,000 to get its files back.
Medical facilities in the area plan to consult cyber security experts on how to protect themselves, the Hospital Association of Southern California said. “Hospitals are certainly now aware of ransomware more than they ever were before, and this has become a very real threat,” said spokeswoman Jennifer Bayer. At least 20 other attacks on healthcare facilities in the past year and hundreds more in other industries have been kept secret.
Such attacks may all sound like nightmare scenarios, but the experts say they’re becoming almost routine. And most hospitals have not made cyber security a priority in their budgets. On average hospitals spent about 2 percent on IT, and security might be 10 percent of that. Compare that percentage to the security spending by financial institutions: for example, Fidelity spends 35 percent of its budget on IT.
Moreover, medical facilities are vulnerable to these attacks in part because they don’t properly train their employees on how to avoid being hacked, according to Sinan Eren, who has worked in cyber security for government and health care organizations for two decades.
“It’s not like the financial-services industry, where they train employees how to spot suspicious emails,” said Eren, general manager at Avast Mobile Enterprise. Also, many hospital computer systems are outdated, bulky and in dire need of upgrades or newer software, he said. But such institutions often don’t have — or don’t want to spend — the money to make sweeping changes.
Ransomware is big business for criminals and security professionals. Although ransoms typically are less than the hospital paid, usually ranging $200 to $10,000, victims of a ransomware known as CryptoWall reported losses over $18 million from April 2014 to June 2015, according to the FBI.
Special Agent Chris Stangl, a section chief at the FBI’s cyber division, said in an interview with the Washington Post that ransomware attacks are becoming increasingly prevalent as more and more victims pay up. In a nine-month period in 2014, the FBI investigated 1,838 complaints of such attacks, which cost those targeted more than $23.7 million. In 2015, agents investigated 2,453 complaints, costing targets $24.1 million.
Stangl said the hackers, most of them from Eastern Europe, have increasingly targeted businesses, which are often able to pay more than individuals to unlock data. The hackers “scan the Internet for companies that post their contact information,” then send them email phishing attacks. Unsuspecting employees, Stangl said, are asked to click on what seem to be innocuous links or attachments — perhaps something as simple as a .PDF purporting to be a customer complaint — and before they know it, their computers are infected.
Today such ransomware attacks are largely the work of criminal actors looking for a quick payoff, but the underlying techniques are already part of military planning for state-sponsored cyber warfare. Government itself, including its most senior intelligence and national security officials are no better off when a single phishing email can redirect their home phone service and personal email accounts.
Moreover, the U.S. has been designing crippling cyber attack plans targeting the civilian sector. In case its nuclear negotiations with Iran failed, the U.S. was prepared to shut down the country’s power grid and communications networks.
Imagine a future “first strike” cyber attack in which a nation burrowed its way deeply into the industrial and commercial networks of another state and deployed ransomware across its entire private sector, flipping a single switch to hold the entire country for ransom.
Such a nightmare scenario is unfortunately far closer than most people think.
Content posted to MyMPN open blogs is the opinion of the author alone, and should not be attributed to MintPress News.