Banks, supermarkets and individual citizens are often victims of cyberattacks. Though it’s less well known, hospitals can be targets too.

A study conducted in the United States by the research institute Ponemon showed that 90% of the country’s health organisations had experienced at least one cyberattack
in 2015. There are even more attempted hacks. In Switzerland, the average university hospital is targeted every day by 11,000 attempted cyberattacks of all kinds according to the association Ingénieur Hôpital Suisse.

Hospitals have become an attractive target for hackers because they are often poorly protected. Martin Darms, a computer engineer who runs an SME in the canton
of Zug, has developed a vulnerability index for hospitals, which he has used to analyse the servers of seven Swiss facilities as part of his Master’s thesis. He found that four had vulnerabilities of varying degrees of severity. The worst security flaws were found in the facilities’ internal networks, which used out dated software, standard passwords and unprotected test servers.

Hospitals are lagging in cybersecurity, according to Franck Calcavecchia, computer security manager for Geneva University Hospitals. “While the financial industry was quick to seize upon data security, this was not the case in the medical sector,” he says. Cybersecurity is not the primary focus of a medical provider’s job. “For medical personnel, the emergency is not knowing if your computer networks are well protected, but taking care of patients,”
says Solange Ghernaouti, a cybercrime specialist at the University of Lausanne.

Care providers focus more on their IT equipment’s effectiveness and quickness, and neglect its security. Hospitals don’t take even the most basic precautions. “How many times have I found myself in a treatment room next to a computer that’s on?” she asks.

The rise of electronic patient records, genetic databases and medical equipment that automatically records vital signs has also increased the amount of information stored by hospitals and, by extension, the number of targets for malicious actors.

Another challenge is that medical devices are too often without any kind of protection against viruses and other forms of malware, even though they are now connected to
IT networks. “Equipment manufacturers were very slow to react and make their devices resistant to cyberattacks,” says Daniel Gougerot, IT system security manager at Lausanne University Hospital.

Phishing and internal theft

Hackers’ favourite method of attack is called phishing, which involves sending an email that contains a link to a fake website. “The goal is to install software on the victim’s device in order to use his or her computer to carry out the attack,” says the manager at Lausanne University Hospital. These emails can contain very personal information gleaned from social networking sites in order to gain the reader’s trust.

Hackers can also use more physical methods. A report published in 2014 showed that 68% of medical data hacks committed in the United States since 2010 occurred after the loss or theft of a laptop or smartphone. The Baltimore-based consultancy Independent Security Evaluators was able to infiltrate a hospital’s IT network by hacking an information kiosk in the building’s entry way.

“Health facilities are often rather protected from outside attacks, but they tend to forget about internal sources of risk, such as an upset employee,” says Tomas Bucher, president of the association Ingénieur Hôpital Suisse.
A simple USB key inserted into a computer is all it takes to extract data or introduce malware into the hospital’s network.

Reselling medical data

What remains is the question of why someone would attack a facility whose primary purpose is to provide care. “Ransomware attacks are the main threat we have to deal with,” says Daniel Gougerot. In this type of attack, a criminal organisation encrypts a hospital’s data, then asks for money (most often in the form of bitcoins) in exchange for allowing the facility to access its systems again.
“The hack can be quite elaborate. Some groups have set up hotlines in case the victims don’t know how to make a payment using bitcoins,” he says. Lausanne University Hospital experienced its first attack of this type in early 2015 and has had two or three since. “However, we’ve been able to stop them before our data has been taken hostage,” he says.

Hackers who attack hospitals are also looking for information. “Medical data is extremely valuable,” says Frank Calcavecchia. “On the dark web, it’s sold at 10 times the price of a credit card number.” This data can be used to
steal someone’s identity in order to get medication, make fraudulent health insurance claims or collect unwarranted welfare payments. “In France, one woman used stolen health data to receive welfare payments on behalf of 19 pairs of twins,” says Solange Ghernaouti.

This information is particularly valuable because it has to do with very emotional issues. “Imagine the parents of a child in the terminal phase of an illness who receive an email saying their child has been selected to take part in a new, promising clinical trial,” says Rick Kam, director of the IT security consultancy ID Experts in Portland in the United States. “They aren’t going to be as careful as they would in normal circumstances.”

Medical data is also confidential.
“Information about a celebrity’s or politician’s medical treatment can easily be sold to a tabloid or used as blackmail,” says Frank Calcavecchia. These types of hacks can also affect everyday people. Few would want the results of their pregnancy or AIDS test published.

The consequences of data theft can be felt long after the initial hack. In the United States, some banks and insurance companies buy this type of data and use
it to assess the risk their clients represent.
They won’t grant a loan or sell a life insurance policy to someone with terminal cancer.

Hacked medical devices

A more serious form of cyberattack targets connected medical devices. “MRI machines, insulin pumps, pacemakers and defibrillators are just some of the machines that can be hacked, whether it’s to deliver
a wrong dose of medicine, deactivate the device or falsify a result, with potentially deadly consequences,” says Billy Rios, an American IT security expert who works
for WhiteScope Group in San Francisco.

Sometimes, the entire hospital is the target of the attack. “The building’s doors, HVAC systems, electricity supply and water treatment systems are now controlled by
IT tools that in theory could be targeted by a cyberattack,” says Tomas Bucher. In UK, hackers have taken over the locking system used to control the hospital’s doors.
This type of attack can be the work of a disgruntled employee who wants to harm the hospital’s reputation or a criminal organisation looking for ransom.

But hospitals have many ways to combat the problem. “Data must be saved regularly,” says Daniel Gougerot. “If a hacker takes data hostage, you’ll still have a copy.” At Lausanne University Hospital, data is saved every hour. Another measure is to compartmentalise a hospital’s various networks. “That’s how a submarine is designed. If one chamber has a problem, you can close it, and it won’t impact the rest of the sub,” adds Frank Calcavecchia. For example, the system that controls the defibrillators should be kept separate from the one used to set appointments.

“It’s also important to use logbooks that list all the people who have consulted sensitive data,” continues Daniel Gougerot. “This makes it possible to spot suspicious behaviour.” On a more general note, access to this type of information should be limited to the people who really need it. The fewer people there are with access to sensitive information, the fewer targets hackers will have. ⁄