Text: Julie Zaugg
Photo: istockPhoto

In hospitals, viruses can infect computers too

Health facilities can be a target of cyberattacks. Hackers want not only their money, but also their medical data—which is worth its weight in gold on the dark web.

Banks, supermarkets and individual citizens are often victims of cyberattacks. Though it’s less well known, hospitals can be targets too.

A study conducted in the United States by the research institute Ponemon showed that 90% of the country’s health organisations had experienced at least one cyberattack in 2015. There are even more attempted hacks. In Switzerland, the average university hospital is targeted every day by 11,000 attempted cyberattacks of all kinds according to the association Ingénieur Hôpital Suisse.

Hospitals have become an attractive target for hackers because they are often poorly protected. Martin Darms, a computer engineer who runs an SME in the canton of Zug, has developed a vulnerability index for hospitals, which he has used to analyse the servers of seven Swiss facilities as part of his Master’s thesis. He found that four had vulnerabilities of varying degrees of severity. The worst security flaws were found in the facilities’ internal networks, which used outdated software, standard passwords and unprotected test servers.

Hospitals are lagging in cybersecurity, according to Franck Calcavecchia, computer security manager for Geneva University Hospitals. “While the financial industry was quick to seize upon data security, this was not the case in the medical sector,” he says. Cybersecurity is not the primary focus of a medical provider’s job. “For medical personnel, the emergency is not knowing if your computer networks are well protected, but taking care of patients,” says Solange Ghernaouti, a cybercrime specialist at the University of Lausanne.

Care providers focus more on their IT equipment’s effectiveness and quickness, and neglect its security. Hospitals don’t take even the most basic precautions. “How many times have I found myself in a treatment room next to a computer that’s on?” she asks.

The rise of electronic patient records, genetic databases and medical equipment that automatically records vital signs has also increased the amount of information stored by hospitals and, by extension, the number of targets for malicious actors.

Another challenge is that medical devices are too often without any kind of protection against viruses and other forms of malware, even though they are now connected to IT networks. “Equipment manufacturers were very slow to react and make their devices resistant to cyberattacks,” says Daniel Gougerot, IT system security manager at Lausanne University Hospital.

Phishing and internal theft

Hackers’ favourite method of attack is called phishing, which involves sending an email that contains a link to a fake website. “The goal is to install software on the victim’s device in order to use his or her computer to carry out the attack,” says the manager at Lausanne University Hospital. These emails can contain very personal information gleaned from social networking sites in order to gain the reader’s trust.

Hackers can also use more physical methods. A report published in 2014 showed that 68% of medical data hacks committed in the United States since 2010 occurred after the loss or theft of a laptop or smartphone. The Baltimore-based consultancy Independent Security Evaluators was able to infiltrate a hospital’s IT network by hacking an information kiosk in the building’s entryway.

“Health facilities are often rather protected from outside attacks, but they tend to forget about internal sources of risk, such as an upset employee,” says Tomas Bucher, president of the association Ingénieur Hôpital Suisse. A simple USB key inserted into a computer is all it takes to extract data or introduce malware into the hospital’s network.

Reselling medical data

What remains is the question of why someone would attack a facility whose primary purpose is to provide care. “Ransomware attacks are the main threat we have to deal with,” says Daniel Gougerot. In this type of attack, a criminal organisation encrypts a hospital’s data, then asks for money (most often in the form of bitcoins) in exchange for allowing the facility to access its systems again. “The hack can be quite elaborate. Some groups have set up hotlines in case the victims don’t know how to make a payment using bitcoins,” he says. Lausanne University Hospital experienced its first attack of this type in early 2015 and has had two or three since. “However, we’ve been able to stop them before our data has been taken hostage,” he says.

Hackers who attack hospitals are also looking for information. “Medical data is extremely valuable,” says Franck Calcavecchia. “On the dark web, it’s sold at 10 times the price of a credit card number.” This data can be used to steal someone’s identity in order to get medication, make fraudulent health insurance claims or collect unwarranted welfare payments. “In France, one woman used stolen health data to receive welfare payments on behalf of 19 pairs of twins,” says Solange Ghernaouti.

This information is particularly valuable because it has to do with very emotional issues. “Imagine the parents of a child in the terminal phase of an illness who receive an email saying their child has been selected to take part in a new, promising clinical trial,” says Rick Kam, director of the IT security consultancy ID Experts in Portland in the United States. “They aren’t going to be as careful as they would in normal circumstances.”

Medical data is also confidential. “Information about a celebrity’s or politician’s medical treatment can easily be sold to a tabloid or used as blackmail,” says Franck Calcavecchia. These types of hacks can also affect everyday people. Few would want the results of their pregnancy or AIDS test published.

The consequences of data theft can be felt long after the initial hack. In the United States, some banks and insurance companies buy this type of data and use it to assess the risk their clients represent. They won’t grant a loan or sell a life insurance policy to someone with terminal cancer.

Hacked medical devices

A more serious form of cyberattack targets connected medical devices. “MRI machines, insulin pumps, pacemakers and defibrillators are just some of the machines that can be hacked, whether it’s to deliver a wrong dose of medicine, deactivate the device or falsify a result, with potentially deadly consequences,” says Billy Rios, an American IT security expert who works for WhiteScope Group in San Francisco.

Sometimes, the entire hospital is the target of the attack. “The building’s doors, HVAC systems, electricity supply and water treatment systems are now controlled by IT tools that in theory could be targeted by a cyberattack,” says Tomas Bucher. In the UK, hackers have taken over the locking system used to control a hospital’s doors. This type of attack can be the work of a disgruntled employee who wants to harm the hospital’s reputation or a criminal organisation looking for ransom.

But hospitals have many ways to combat the problem. “Data must be saved regularly,” says Daniel Gougerot. “If a hacker takes data hostage, you’ll still have a copy.” At Lausanne University Hospital, data is saved every hour. Another measure is to compartmentalise a hospital’s various networks. “That’s how a submarine is designed. If one chamber has a problem, you can close it, and it won’t impact the rest of the sub,” adds Franck Calcavecchia. For example, the system that controls the defibrillators should be kept separate from the one used to set appointments.

“It’s also important to use logbooks that list all the people who have consulted sensitive data,” continues Daniel Gougerot. “This makes it possible to spot suspicious behaviour.” On a more general note, access to this type of information should be limited to the people who really need it. The fewer people there are with access to sensitive information, the fewer targets hackers will have.



The hackers’ goals

Ransom

Hollywood Presbyterian Medical Center was the first hospital to be targeted by ransomware. The hospital lost access to all its files in February 2016 after a virus encrypted them. It had to pay 17,000 bitcoins—about 15 million Swiss francs—to recover them. “This created a precedent,” says Daniel Gougerot of Lausanne University Hospital. “Since then, many other hospitals have been targeted.” Three other American hospitals in Kansas, California and New Jersey have also paid ransoms for their data.

Medical data theft

In December 2014, the American insurance company Anthem was targeted by a cyberattack that allowed a group of hackers to access a database with medical information on 78.8 million patients. The breach wasn’t discovered until two months later, when a company employee noticed that their login had been used by someone else to search the database. Some of the stolen data was sold on the dark web.

Sabotaging connected devices

In May 2014, Billy Rios, an American IT security expert who works for WhiteScope Group in San Francisco, sent a warning to the US health authorities. He had found significant flaws in the Hospira Lifecare PCA III infusion pump.

“I discovered a vulnerability that let someone take control of the device remotely,” he says. “This would have made it possible to administer a dose of medication that was too low or too high.” It would have even been possible to turn the pump off. Following the discovery, most hospitals stopped using these devices.

Reputation damage

In the spring of 2014, 4.5 million patient records were stolen from Community Health Systems, a company that manages 206 hospitals in the United States. The records included social security numbers, birth dates and addresses, but did not contain medical or financial data.

An analysis concluded it was the work of hackers hired by the Chinese government, which suggests the attack’s primary goal was to harm the company’s reputation and disrupt its operations.